init.rc revision cb83dc33f5cde8a76bad147cd7f28ceccea248b2
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8import /init.usb.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ASEC_MOUNTPOINT /mnt/asec 38 export LOOP_MOUNTPOINT /mnt/obb 39 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 40 41# Backward compatibility 42 symlink /system/etc /etc 43 symlink /sys/kernel/debug /d 44 45# Right now vendor lives on the same filesystem as system, 46# but someday that may change. 47 symlink /system/vendor /vendor 48 49# Create cgroup mount point for cpu accounting 50 mkdir /acct 51 mount cgroup none /acct cpuacct 52 mkdir /acct/uid 53 54 mkdir /system 55 mkdir /data 0771 system system 56 mkdir /cache 0770 system cache 57 mkdir /config 0500 root root 58 59 # Directory for putting things only root should see. 60 mkdir /mnt/secure 0700 root root 61 62 # Directory for staging bindmounts 63 mkdir /mnt/secure/staging 0700 root root 64 65 # Directory-target for where the secure container 66 # imagefile directory will be bind-mounted 67 mkdir /mnt/secure/asec 0700 root root 68 69 # Secure container public mount points. 70 mkdir /mnt/asec 0700 root system 71 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 72 73 # Filesystem image public mount points. 74 mkdir /mnt/obb 0700 root system 75 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 76 77 write /proc/sys/kernel/panic_on_oops 1 78 write /proc/sys/kernel/hung_task_timeout_secs 0 79 write /proc/cpu/alignment 4 80 write /proc/sys/kernel/sched_latency_ns 10000000 81 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 82 write /proc/sys/kernel/sched_compat_yield 1 83 write /proc/sys/kernel/sched_child_runs_first 0 84 write /proc/sys/kernel/randomize_va_space 2 85 write /proc/sys/kernel/kptr_restrict 2 86 write /proc/sys/kernel/dmesg_restrict 1 87 write /proc/sys/vm/mmap_min_addr 32768 88 write /proc/sys/kernel/sched_rt_runtime_us 950000 89 write /proc/sys/kernel/sched_rt_period_us 1000000 90 91# Create cgroup mount points for process groups 92 mkdir /dev/cpuctl 93 mount cgroup none /dev/cpuctl cpu 94 chown system system /dev/cpuctl 95 chown system system /dev/cpuctl/tasks 96 chmod 0660 /dev/cpuctl/tasks 97 write /dev/cpuctl/cpu.shares 1024 98 write /dev/cpuctl/cpu.rt_runtime_us 950000 99 write /dev/cpuctl/cpu.rt_period_us 1000000 100 101 mkdir /dev/cpuctl/apps 102 chown system system /dev/cpuctl/apps/tasks 103 chmod 0666 /dev/cpuctl/apps/tasks 104 write /dev/cpuctl/apps/cpu.shares 1024 105 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 106 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 107 108 mkdir /dev/cpuctl/apps/bg_non_interactive 109 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 110 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 111 # 5.0 % 112 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 113 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 114 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 115 116# Allow everybody to read the xt_qtaguid resource tracking misc dev. 117# This is needed by any process that uses socket tagging. 118 chmod 0644 /dev/xt_qtaguid 119 120on fs 121# mount mtd partitions 122 # Mount /system rw first to give the filesystem a chance to save a checkpoint 123 mount yaffs2 mtd@system /system 124 mount yaffs2 mtd@system /system ro remount 125 mount yaffs2 mtd@userdata /data nosuid nodev 126 mount yaffs2 mtd@cache /cache nosuid nodev 127 128on post-fs 129 # once everything is setup, no need to modify / 130 mount rootfs rootfs / ro remount 131 132 # We chown/chmod /cache again so because mount is run as root + defaults 133 chown system cache /cache 134 chmod 0770 /cache 135 # We restorecon /cache in case the cache partition has been reset. 136 restorecon /cache 137 138 # This may have been created by the recovery system with odd permissions 139 chown system cache /cache/recovery 140 chmod 0770 /cache/recovery 141 # This may have been created by the recovery system with the wrong context. 142 restorecon /cache/recovery 143 144 #change permissions on vmallocinfo so we can grab it from bugreports 145 chown root log /proc/vmallocinfo 146 chmod 0440 /proc/vmallocinfo 147 148 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 149 chown root system /proc/kmsg 150 chmod 0440 /proc/kmsg 151 chown root system /proc/sysrq-trigger 152 chmod 0220 /proc/sysrq-trigger 153 chown system log /proc/last_kmsg 154 chmod 0440 /proc/last_kmsg 155 156 # create the lost+found directories, so as to enforce our permissions 157 mkdir /cache/lost+found 0770 root root 158 159on post-fs-data 160 # We chown/chmod /data again so because mount is run as root + defaults 161 chown system system /data 162 chmod 0771 /data 163 # We restorecon /data in case the userdata partition has been reset. 164 restorecon /data 165 166 # Create dump dir and collect dumps. 167 # Do this before we mount cache so eventually we can use cache for 168 # storing dumps on platforms which do not have a dedicated dump partition. 169 mkdir /data/dontpanic 0750 root log 170 171 # Collect apanic data, free resources and re-arm trigger 172 copy /proc/apanic_console /data/dontpanic/apanic_console 173 chown root log /data/dontpanic/apanic_console 174 chmod 0640 /data/dontpanic/apanic_console 175 176 copy /proc/apanic_threads /data/dontpanic/apanic_threads 177 chown root log /data/dontpanic/apanic_threads 178 chmod 0640 /data/dontpanic/apanic_threads 179 180 write /proc/apanic_console 1 181 182 # create basic filesystem structure 183 mkdir /data/misc 01771 system misc 184 mkdir /data/misc/adb 02750 system shell 185 mkdir /data/misc/bluedroid 0770 bluetooth bluetooth 186 mkdir /data/misc/bluetooth 0770 system system 187 mkdir /data/misc/keystore 0700 keystore keystore 188 mkdir /data/misc/keychain 0771 system system 189 mkdir /data/misc/vpn 0770 system vpn 190 mkdir /data/misc/systemkeys 0700 system system 191 # give system access to wpa_supplicant.conf for backup and restore 192 mkdir /data/misc/wifi 0770 wifi wifi 193 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 194 mkdir /data/local 0751 root root 195 196 # For security reasons, /data/local/tmp should always be empty. 197 # Do not place files or directories in /data/local/tmp 198 mkdir /data/local/tmp 0771 shell shell 199 mkdir /data/data 0771 system system 200 mkdir /data/app-private 0771 system system 201 mkdir /data/app-asec 0700 root root 202 mkdir /data/app 0771 system system 203 mkdir /data/property 0700 root root 204 mkdir /data/ssh 0750 root shell 205 mkdir /data/ssh/empty 0700 root root 206 207 # create dalvik-cache, so as to enforce our permissions 208 mkdir /data/dalvik-cache 0771 system system 209 210 # create resource-cache and double-check the perms 211 mkdir /data/resource-cache 0771 system system 212 chown system system /data/resource-cache 213 chmod 0771 /data/resource-cache 214 215 # create the lost+found directories, so as to enforce our permissions 216 mkdir /data/lost+found 0770 root root 217 218 # create directory for DRM plug-ins - give drm the read/write access to 219 # the following directory. 220 mkdir /data/drm 0770 drm drm 221 222 # If there is no fs-post-data action in the init.<device>.rc file, you 223 # must uncomment this line, otherwise encrypted filesystems 224 # won't work. 225 # Set indication (checked by vold) that we have finished this action 226 #setprop vold.post_fs_data_done 1 227 228on boot 229# basic network init 230 ifup lo 231 hostname localhost 232 domainname localdomain 233 234# set RLIMIT_NICE to allow priorities from 19 to -20 235 setrlimit 13 40 40 236 237# Memory management. Basic kernel parameters, and allow the high 238# level system server to be able to adjust the kernel OOM driver 239# parameters to match how it is managing things. 240 write /proc/sys/vm/overcommit_memory 1 241 write /proc/sys/vm/min_free_order_shift 4 242 chown root system /sys/module/lowmemorykiller/parameters/adj 243 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 244 chown root system /sys/module/lowmemorykiller/parameters/minfree 245 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 246 247 # Tweak background writeout 248 write /proc/sys/vm/dirty_expire_centisecs 200 249 write /proc/sys/vm/dirty_background_ratio 5 250 251 # Permissions for System Server and daemons. 252 chown radio system /sys/android_power/state 253 chown radio system /sys/android_power/request_state 254 chown radio system /sys/android_power/acquire_full_wake_lock 255 chown radio system /sys/android_power/acquire_partial_wake_lock 256 chown radio system /sys/android_power/release_wake_lock 257 chown system system /sys/power/autosleep 258 chown system system /sys/power/state 259 chown system system /sys/power/wakeup_count 260 chown radio system /sys/power/wake_lock 261 chown radio system /sys/power/wake_unlock 262 chmod 0660 /sys/power/state 263 chmod 0660 /sys/power/wake_lock 264 chmod 0660 /sys/power/wake_unlock 265 266 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 267 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 268 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 269 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 270 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 271 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 272 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 273 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 274 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 275 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 276 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 277 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 278 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 279 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 280 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 281 282 # Assume SMP uses shared cpufreq policy for all CPUs 283 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 284 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 285 286 chown system system /sys/class/timed_output/vibrator/enable 287 chown system system /sys/class/leds/keyboard-backlight/brightness 288 chown system system /sys/class/leds/lcd-backlight/brightness 289 chown system system /sys/class/leds/button-backlight/brightness 290 chown system system /sys/class/leds/jogball-backlight/brightness 291 chown system system /sys/class/leds/red/brightness 292 chown system system /sys/class/leds/green/brightness 293 chown system system /sys/class/leds/blue/brightness 294 chown system system /sys/class/leds/red/device/grpfreq 295 chown system system /sys/class/leds/red/device/grppwm 296 chown system system /sys/class/leds/red/device/blink 297 chown system system /sys/class/leds/red/brightness 298 chown system system /sys/class/leds/green/brightness 299 chown system system /sys/class/leds/blue/brightness 300 chown system system /sys/class/leds/red/device/grpfreq 301 chown system system /sys/class/leds/red/device/grppwm 302 chown system system /sys/class/leds/red/device/blink 303 chown system system /sys/class/timed_output/vibrator/enable 304 chown system system /sys/module/sco/parameters/disable_esco 305 chown system system /sys/kernel/ipv4/tcp_wmem_min 306 chown system system /sys/kernel/ipv4/tcp_wmem_def 307 chown system system /sys/kernel/ipv4/tcp_wmem_max 308 chown system system /sys/kernel/ipv4/tcp_rmem_min 309 chown system system /sys/kernel/ipv4/tcp_rmem_def 310 chown system system /sys/kernel/ipv4/tcp_rmem_max 311 chown root radio /proc/cmdline 312 313# Define TCP buffer sizes for various networks 314# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 315 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 316 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 317 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 318 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 319 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 320 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 321 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 322 323# Set this property so surfaceflinger is not started by system_init 324 setprop system_init.startsurfaceflinger 0 325 326 class_start core 327 class_start main 328 329on nonencrypted 330 class_start late_start 331 332on charger 333 class_start charger 334 335on property:vold.decrypt=trigger_reset_main 336 class_reset main 337 338on property:vold.decrypt=trigger_load_persist_props 339 load_persist_props 340 341on property:vold.decrypt=trigger_post_fs_data 342 trigger post-fs-data 343 344on property:vold.decrypt=trigger_restart_min_framework 345 class_start main 346 347on property:vold.decrypt=trigger_restart_framework 348 class_start main 349 class_start late_start 350 351on property:vold.decrypt=trigger_shutdown_framework 352 class_reset late_start 353 class_reset main 354 355## Daemon processes to be run by init. 356## 357service ueventd /sbin/ueventd 358 class core 359 critical 360 seclabel u:r:ueventd:s0 361 362service console /system/bin/sh 363 class core 364 console 365 disabled 366 user shell 367 group log 368 369on property:ro.debuggable=1 370 start console 371 372# adbd is controlled via property triggers in init.<platform>.usb.rc 373service adbd /sbin/adbd 374 class core 375 socket adbd stream 660 system system 376 disabled 377 seclabel u:r:adbd:s0 378 379# adbd on at boot in emulator 380on property:ro.kernel.qemu=1 381 start adbd 382 383service servicemanager /system/bin/servicemanager 384 class core 385 user system 386 group system 387 critical 388 onrestart restart zygote 389 onrestart restart media 390 onrestart restart surfaceflinger 391 onrestart restart drm 392 393service vold /system/bin/vold 394 class core 395 socket vold stream 0660 root mount 396 ioprio be 2 397 398service netd /system/bin/netd 399 class main 400 socket netd stream 0660 root system 401 socket dnsproxyd stream 0660 root inet 402 socket mdns stream 0660 root system 403 404service debuggerd /system/bin/debuggerd 405 class main 406 407service ril-daemon /system/bin/rild 408 class main 409 socket rild stream 660 root radio 410 socket rild-debug stream 660 radio system 411 user root 412 group radio cache inet misc audio sdcard_r sdcard_rw log 413 414service surfaceflinger /system/bin/surfaceflinger 415 class main 416 user system 417 group graphics 418 onrestart restart zygote 419 420service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 421 class main 422 socket zygote stream 660 root system 423 onrestart write /sys/android_power/request_state wake 424 onrestart write /sys/power/state on 425 onrestart restart media 426 onrestart restart netd 427 428service drm /system/bin/drmserver 429 class main 430 user drm 431 group drm system inet drmrpc 432 433service media /system/bin/mediaserver 434 class main 435 user media 436 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 437 ioprio rt 4 438 439service bootanim /system/bin/bootanimation 440 class main 441 user graphics 442 group graphics 443 disabled 444 oneshot 445 446service installd /system/bin/installd 447 class main 448 socket installd stream 600 system system 449 450service flash_recovery /system/etc/install-recovery.sh 451 class main 452 oneshot 453 454service racoon /system/bin/racoon 455 class main 456 socket racoon stream 600 system system 457 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 458 group vpn net_admin inet 459 disabled 460 oneshot 461 462service mtpd /system/bin/mtpd 463 class main 464 socket mtpd stream 600 system system 465 user vpn 466 group vpn net_admin inet net_raw 467 disabled 468 oneshot 469 470service keystore /system/bin/keystore /data/misc/keystore 471 class main 472 user keystore 473 group keystore drmrpc 474 socket keystore stream 666 475 476service dumpstate /system/bin/dumpstate -s 477 class main 478 socket dumpstate stream 0660 shell log 479 disabled 480 oneshot 481 482service sshd /system/bin/start-ssh 483 class main 484 disabled 485 486service mdnsd /system/bin/mdnsd 487 class main 488 user mdnsr 489 group inet net_raw 490 socket mdnsd stream 0660 mdnsr inet 491 disabled 492 oneshot 493