init.rc revision e945d7ee9e15909c803b4f18e5b72c99ad8b7e60
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8import /init.usb.rc 9 10on early-init 11 # Set init and its forked children's oom_adj. 12 write /proc/1/oom_adj -16 13 14 start ueventd 15 16# create mountpoints 17 mkdir /mnt 0775 root system 18 19on init 20 21sysclktz 0 22 23loglevel 3 24 25# setup the global environment 26 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 27 export LD_LIBRARY_PATH /vendor/lib:/system/lib 28 export ANDROID_BOOTLOGO 1 29 export ANDROID_ROOT /system 30 export ANDROID_ASSETS /system/app 31 export ANDROID_DATA /data 32 export ASEC_MOUNTPOINT /mnt/asec 33 export LOOP_MOUNTPOINT /mnt/obb 34 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 35 36# Backward compatibility 37 symlink /system/etc /etc 38 symlink /sys/kernel/debug /d 39 40# Right now vendor lives on the same filesystem as system, 41# but someday that may change. 42 symlink /system/vendor /vendor 43 44# Create cgroup mount point for cpu accounting 45 mkdir /acct 46 mount cgroup none /acct cpuacct 47 mkdir /acct/uid 48 49 mkdir /system 50 mkdir /data 0771 system system 51 mkdir /cache 0770 system cache 52 mkdir /config 0500 root root 53 54 # Directory for putting things only root should see. 55 mkdir /mnt/secure 0700 root root 56 57 # Directory for staging bindmounts 58 mkdir /mnt/secure/staging 0700 root root 59 60 # Directory-target for where the secure container 61 # imagefile directory will be bind-mounted 62 mkdir /mnt/secure/asec 0700 root root 63 64 # Secure container public mount points. 65 mkdir /mnt/asec 0700 root system 66 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 67 68 # Filesystem image public mount points. 69 mkdir /mnt/obb 0700 root system 70 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 71 72 write /proc/sys/kernel/panic_on_oops 1 73 write /proc/sys/kernel/hung_task_timeout_secs 0 74 write /proc/cpu/alignment 4 75 write /proc/sys/kernel/sched_latency_ns 10000000 76 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 77 write /proc/sys/kernel/sched_compat_yield 1 78 write /proc/sys/kernel/sched_child_runs_first 0 79 write /proc/sys/kernel/randomize_va_space 2 80 write /proc/sys/kernel/kptr_restrict 2 81 write /proc/sys/kernel/dmesg_restrict 1 82 write /proc/sys/vm/mmap_min_addr 32768 83 write /proc/sys/kernel/sched_rt_runtime_us 950000 84 write /proc/sys/kernel/sched_rt_period_us 1000000 85 86# Create cgroup mount points for process groups 87 mkdir /dev/cpuctl 88 mount cgroup none /dev/cpuctl cpu 89 chown system system /dev/cpuctl 90 chown system system /dev/cpuctl/tasks 91 chmod 0660 /dev/cpuctl/tasks 92 write /dev/cpuctl/cpu.shares 1024 93 write /dev/cpuctl/cpu.rt_runtime_us 950000 94 write /dev/cpuctl/cpu.rt_period_us 1000000 95 96 mkdir /dev/cpuctl/foreground 97 chown system system /dev/cpuctl/foreground/tasks 98 chmod 0666 /dev/cpuctl/foreground/tasks 99 write /dev/cpuctl/foreground/cpu.shares 1024 100 write /dev/cpuctl/foreground/cpu.rt_runtime_us 0 101 write /dev/cpuctl/foreground/cpu.rt_period_us 1000000 102 103 mkdir /dev/cpuctl/bg_non_interactive 104 chown system system /dev/cpuctl/bg_non_interactive/tasks 105 chmod 0666 /dev/cpuctl/bg_non_interactive/tasks 106 # 5.0 % 107 write /dev/cpuctl/bg_non_interactive/cpu.shares 52 108 write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 0 109 write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000 110 111 mkdir /dev/cpuctl/audio_app 112 chown system system /dev/cpuctl/audio_app/tasks 113 chmod 0660 /dev/cpuctl/audio_app/tasks 114 write /dev/cpuctl/audio_app/cpu.shares 10 115 write /dev/cpuctl/audio_app/cpu.rt_runtime_us 50000 116 write /dev/cpuctl/audio_app/cpu.rt_period_us 1000000 117 118 mkdir /dev/cpuctl/audio_sys 119 chown system system /dev/cpuctl/audio_sys/tasks 120 chmod 0660 /dev/cpuctl/audio_sys/tasks 121 write /dev/cpuctl/audio_sys/cpu.shares 10 122 write /dev/cpuctl/audio_sys/cpu.rt_runtime_us 50000 123 write /dev/cpuctl/audio_sys/cpu.rt_period_us 1000000 124 125# Allow everybody to read the xt_qtaguid resource tracking misc dev. 126# This is needed by any process that uses socket tagging. 127 chmod 0644 /dev/xt_qtaguid 128 129on fs 130# mount mtd partitions 131 # Mount /system rw first to give the filesystem a chance to save a checkpoint 132 mount yaffs2 mtd@system /system 133 mount yaffs2 mtd@system /system ro remount 134 mount yaffs2 mtd@userdata /data nosuid nodev 135 mount yaffs2 mtd@cache /cache nosuid nodev 136 137on post-fs 138 # once everything is setup, no need to modify / 139 mount rootfs rootfs / ro remount 140 141 # We chown/chmod /cache again so because mount is run as root + defaults 142 chown system cache /cache 143 chmod 0770 /cache 144 145 # This may have been created by the recovery system with odd permissions 146 chown system cache /cache/recovery 147 chmod 0770 /cache/recovery 148 149 #change permissions on vmallocinfo so we can grab it from bugreports 150 chown root log /proc/vmallocinfo 151 chmod 0440 /proc/vmallocinfo 152 153 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 154 chown root system /proc/kmsg 155 chmod 0440 /proc/kmsg 156 chown root system /proc/sysrq-trigger 157 chmod 0220 /proc/sysrq-trigger 158 159 # create the lost+found directories, so as to enforce our permissions 160 mkdir /cache/lost+found 0770 root root 161 162on post-fs-data 163 # We chown/chmod /data again so because mount is run as root + defaults 164 chown system system /data 165 chmod 0771 /data 166 167 # Create dump dir and collect dumps. 168 # Do this before we mount cache so eventually we can use cache for 169 # storing dumps on platforms which do not have a dedicated dump partition. 170 mkdir /data/dontpanic 0750 root log 171 172 # Collect apanic data, free resources and re-arm trigger 173 copy /proc/apanic_console /data/dontpanic/apanic_console 174 chown root log /data/dontpanic/apanic_console 175 chmod 0640 /data/dontpanic/apanic_console 176 177 copy /proc/apanic_threads /data/dontpanic/apanic_threads 178 chown root log /data/dontpanic/apanic_threads 179 chmod 0640 /data/dontpanic/apanic_threads 180 181 write /proc/apanic_console 1 182 183 # create basic filesystem structure 184 mkdir /data/misc 01771 system misc 185 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 186 mkdir /data/misc/bluetooth 0770 system system 187 mkdir /data/misc/keystore 0700 keystore keystore 188 mkdir /data/misc/keychain 0771 system system 189 mkdir /data/misc/vpn 0770 system vpn 190 mkdir /data/misc/systemkeys 0700 system system 191 # give system access to wpa_supplicant.conf for backup and restore 192 mkdir /data/misc/wifi 0770 wifi wifi 193 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 194 mkdir /data/local 0751 root root 195 196 # For security reasons, /data/local/tmp should always be empty. 197 # Do not place files or directories in /data/local/tmp 198 mkdir /data/local/tmp 0771 shell shell 199 mkdir /data/data 0771 system system 200 mkdir /data/app-private 0771 system system 201 mkdir /data/app 0771 system system 202 mkdir /data/property 0700 root root 203 mkdir /data/ssh 0750 root shell 204 mkdir /data/ssh/empty 0700 root root 205 206 # create dalvik-cache, so as to enforce our permissions 207 mkdir /data/dalvik-cache 0771 system system 208 209 # create resource-cache and double-check the perms 210 mkdir /data/resource-cache 0771 system system 211 chown system system /data/resource-cache 212 chmod 0771 /data/resource-cache 213 214 # create the lost+found directories, so as to enforce our permissions 215 mkdir /data/lost+found 0770 root root 216 217 # create directory for DRM plug-ins - give drm the read/write access to 218 # the following directory. 219 mkdir /data/drm 0770 drm drm 220 221 # If there is no fs-post-data action in the init.<device>.rc file, you 222 # must uncomment this line, otherwise encrypted filesystems 223 # won't work. 224 # Set indication (checked by vold) that we have finished this action 225 #setprop vold.post_fs_data_done 1 226 227on boot 228# basic network init 229 ifup lo 230 hostname localhost 231 domainname localdomain 232 233# set RLIMIT_NICE to allow priorities from 19 to -20 234 setrlimit 13 40 40 235 236# Memory management. Basic kernel parameters, and allow the high 237# level system server to be able to adjust the kernel OOM driver 238# parameters to match how it is managing things. 239 write /proc/sys/vm/overcommit_memory 1 240 write /proc/sys/vm/min_free_order_shift 4 241 chown root system /sys/module/lowmemorykiller/parameters/adj 242 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 243 chown root system /sys/module/lowmemorykiller/parameters/minfree 244 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 245 246 # Tweak background writeout 247 write /proc/sys/vm/dirty_expire_centisecs 200 248 write /proc/sys/vm/dirty_background_ratio 5 249 250 # Permissions for System Server and daemons. 251 chown radio system /sys/android_power/state 252 chown radio system /sys/android_power/request_state 253 chown radio system /sys/android_power/acquire_full_wake_lock 254 chown radio system /sys/android_power/acquire_partial_wake_lock 255 chown radio system /sys/android_power/release_wake_lock 256 chown system system /sys/power/state 257 chown system system /sys/power/wakeup_count 258 chown radio system /sys/power/wake_lock 259 chown radio system /sys/power/wake_unlock 260 chmod 0660 /sys/power/state 261 chmod 0660 /sys/power/wake_lock 262 chmod 0660 /sys/power/wake_unlock 263 264 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 265 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 266 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 267 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 268 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 269 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 270 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 271 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 272 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 273 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 274 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 275 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 276 277 # Assume SMP uses shared cpufreq policy for all CPUs 278 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 279 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 280 281 chown system system /sys/class/timed_output/vibrator/enable 282 chown system system /sys/class/leds/keyboard-backlight/brightness 283 chown system system /sys/class/leds/lcd-backlight/brightness 284 chown system system /sys/class/leds/button-backlight/brightness 285 chown system system /sys/class/leds/jogball-backlight/brightness 286 chown system system /sys/class/leds/red/brightness 287 chown system system /sys/class/leds/green/brightness 288 chown system system /sys/class/leds/blue/brightness 289 chown system system /sys/class/leds/red/device/grpfreq 290 chown system system /sys/class/leds/red/device/grppwm 291 chown system system /sys/class/leds/red/device/blink 292 chown system system /sys/class/leds/red/brightness 293 chown system system /sys/class/leds/green/brightness 294 chown system system /sys/class/leds/blue/brightness 295 chown system system /sys/class/leds/red/device/grpfreq 296 chown system system /sys/class/leds/red/device/grppwm 297 chown system system /sys/class/leds/red/device/blink 298 chown system system /sys/class/timed_output/vibrator/enable 299 chown system system /sys/module/sco/parameters/disable_esco 300 chown system system /sys/kernel/ipv4/tcp_wmem_min 301 chown system system /sys/kernel/ipv4/tcp_wmem_def 302 chown system system /sys/kernel/ipv4/tcp_wmem_max 303 chown system system /sys/kernel/ipv4/tcp_rmem_min 304 chown system system /sys/kernel/ipv4/tcp_rmem_def 305 chown system system /sys/kernel/ipv4/tcp_rmem_max 306 chown root radio /proc/cmdline 307 308# Define TCP buffer sizes for various networks 309# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 310 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 311 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 312 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 313 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 314 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 315 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 316 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 317 318# Set this property so surfaceflinger is not started by system_init 319 setprop system_init.startsurfaceflinger 0 320 321 class_start core 322 class_start main 323 324on nonencrypted 325 class_start late_start 326 327on charger 328 class_start charger 329 330on property:vold.decrypt=trigger_reset_main 331 class_reset main 332 333on property:vold.decrypt=trigger_load_persist_props 334 load_persist_props 335 336on property:vold.decrypt=trigger_post_fs_data 337 trigger post-fs-data 338 339on property:vold.decrypt=trigger_restart_min_framework 340 class_start main 341 342on property:vold.decrypt=trigger_restart_framework 343 class_start main 344 class_start late_start 345 346on property:vold.decrypt=trigger_shutdown_framework 347 class_reset late_start 348 class_reset main 349 350## Daemon processes to be run by init. 351## 352service ueventd /sbin/ueventd 353 class core 354 critical 355 356service console /system/bin/sh 357 class core 358 console 359 disabled 360 user shell 361 group log 362 363on property:ro.debuggable=1 364 start console 365 366# Allow writing to the kernel trace log. Enabling tracing still requires root. 367on property:ro.debuggable=1 368 chmod 0222 /sys/kernel/debug/tracing/trace_marker 369 370# adbd is controlled via property triggers in init.<platform>.usb.rc 371service adbd /sbin/adbd 372 class core 373 disabled 374 375# adbd on at boot in emulator 376on property:ro.kernel.qemu=1 377 start adbd 378 379service servicemanager /system/bin/servicemanager 380 class core 381 user system 382 group system 383 critical 384 onrestart restart zygote 385 onrestart restart media 386 onrestart restart surfaceflinger 387 onrestart restart drm 388 389service vold /system/bin/vold 390 class core 391 socket vold stream 0660 root mount 392 ioprio be 2 393 394service netd /system/bin/netd 395 class main 396 socket netd stream 0660 root system 397 socket dnsproxyd stream 0660 root inet 398 socket mdns stream 0660 root system 399 400service debuggerd /system/bin/debuggerd 401 class main 402 403service ril-daemon /system/bin/rild 404 class main 405 socket rild stream 660 root radio 406 socket rild-debug stream 660 radio system 407 user root 408 group radio cache inet misc audio sdcard_rw log 409 410service surfaceflinger /system/bin/surfaceflinger 411 class main 412 user system 413 group graphics 414 onrestart restart zygote 415 416service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 417 class main 418 socket zygote stream 660 root system 419 onrestart write /sys/android_power/request_state wake 420 onrestart write /sys/power/state on 421 onrestart restart media 422 onrestart restart netd 423 424service drm /system/bin/drmserver 425 class main 426 user drm 427 group drm system inet drmrpc 428 429service media /system/bin/mediaserver 430 class main 431 user media 432 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 433 ioprio rt 4 434 435service bootanim /system/bin/bootanimation 436 class main 437 user graphics 438 group graphics 439 disabled 440 oneshot 441 442service dbus /system/bin/dbus-daemon --system --nofork 443 class main 444 socket dbus stream 660 bluetooth bluetooth 445 user bluetooth 446 group bluetooth net_bt_admin 447 448service bluetoothd /system/bin/bluetoothd -n 449 class main 450 socket bluetooth stream 660 bluetooth bluetooth 451 socket dbus_bluetooth stream 660 bluetooth bluetooth 452 # init.rc does not yet support applying capabilities, so run as root and 453 # let bluetoothd drop uid to bluetooth with the right linux capabilities 454 group bluetooth net_bt_admin misc 455 disabled 456 457service installd /system/bin/installd 458 class main 459 socket installd stream 600 system system 460 461service flash_recovery /system/etc/install-recovery.sh 462 class main 463 oneshot 464 465service racoon /system/bin/racoon 466 class main 467 socket racoon stream 600 system system 468 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 469 group vpn net_admin inet 470 disabled 471 oneshot 472 473service mtpd /system/bin/mtpd 474 class main 475 socket mtpd stream 600 system system 476 user vpn 477 group vpn net_admin inet net_raw 478 disabled 479 oneshot 480 481service keystore /system/bin/keystore /data/misc/keystore 482 class main 483 user keystore 484 group keystore drmrpc 485 socket keystore stream 666 486 487service dumpstate /system/bin/dumpstate -s 488 class main 489 socket dumpstate stream 0660 shell log 490 disabled 491 oneshot 492 493service sshd /system/bin/start-ssh 494 class main 495 disabled 496 497service mdnsd /system/bin/mdnsd 498 class main 499 user mdnsr 500 group inet net_raw 501 socket mdnsd stream 0660 mdnsr inet 502 disabled 503 oneshot 504 505