init.rc revision 0aee64f614d5eae0e50f5e24a1c790dd172b663f
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#

# Further rc files are pulled in here. Two of the paths are built from the
# ro.hardware and ro.zygote properties, so which device- and zygote-specific
# file gets parsed depends on the value of those properties.
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc

# early-init: labels init itself and brings up ueventd before anything else
# in this file starts a process.
on early-init
    # Set init and its forked children's oom_adj.
    # -1000 is the lowest oom_score_adj value; it takes the process out of
    # OOM-killer selection.
    write /proc/1/oom_score_adj -1000

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # With 0, SELinux checks the protection the kernel will actually apply
    # rather than the one the caller asked for.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

# create mountpoints
    mkdir /mnt 0775 root system

# init: filesystem skeleton, cgroup mounts and kernel tunables.
on init

sysclktz 0

loglevel 3

# Backward compatibility
    symlink /system/etc /etc
    # /d is a shortcut to debugfs; this file sets no permissions on it.
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
    symlink /system/vendor /vendor

# This stretch of the `on init` action creates the accounting/memory cgroup
# mounts and the top-level directories, each with an explicit mode and owner.

# Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

# Create cgroup mount point for memory
    # gid=1000 is the numeric id of the `system` group (the mkdir lines below
    # use the name); 0750 keeps the hierarchy closed to `other`.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    # tasks files are root:system 0660, so only root and the system group
    # can move tasks into these memory cgroups by file permission.
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    # Mount points for the main partitions. /system is created without a
    # mode or owner argument; the others are given explicitly.
    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The directory is created 0700, but the tmpfs mounted on top of it brings
    # its own root mode (0755, gid 1000), and that is what is visible afterwards.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: 0700 directory, then a tmpfs whose own mode
    # (0755, gid 1000) is what is visible after the mount.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel tunables. The security-relevant ones:
    #   panic_on_oops=1       panic on a kernel oops instead of continuing to
    #                         run in a possibly corrupted state
    #   randomize_va_space=2  full ASLR, including the brk heap
    #   kptr_restrict=2       kernel pointers printed with %pK are hidden from
    #                         every reader, privileged or not
    #   dmesg_restrict=1      reading the kernel log requires CAP_SYSLOG
    #   mmap_min_addr=32768   unprivileged mappings below 32 KiB are refused,
    #                         which blunts NULL-pointer-dereference bugs
    #   ping_group_range      "0 2147483647" lets every gid open ICMP echo
    #                         datagram sockets, so ping needs no raw socket
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file (and the bg_non_interactive one
    # below) world-writable, which the header of this file warns against.
    # Presumably intentional so that any process can place its own threads in
    # the group -- confirm, and confirm that the kernel's cgroup attach
    # permission check is what stops one uid from moving another uid's tasks.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# qtaguid will limit access to specific data based on group memberships.
# net_bw_acct grants impersonation of socket owners.
# net_bw_stats grants access to other apps' detailed tagged-socket stats.
    # Only the group is set here; no chmod follows for ctrl or stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

# Create location for fs_mgr to store abbreviated output from filesystem
# checker programs.
    mkdir /dev/fscklogs 0770 root system

# pstore/ramoops previous console log
    # The previous boot's console log is readable by uid system and group log
    # only (0440).
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops

# post-fs: locks down the root filesystem and repairs ownership, mode and
# SELinux labels on /cache and on selected /proc nodes.
on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # The rest of `on post-fs` opens selected /proc diagnostics to the log or
    # system group so bugreports can collect them without running as root.

    #change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg becomes readable by the system group (0440).
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    # sysrq-trigger is write-only (0220) for root and the system group. A
    # write to it invokes a sysrq action, so membership of `system` is enough
    # to trigger whichever sysrq functions the kernel has enabled.
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

# post-fs-data: runs once /data is available; fixes its ownership and label,
# then builds the directory tree under it.
on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # A write to /dev/urandom mixes the bytes into the pool without crediting
    # any entropy, so the saved file can only add to what the kernel has.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    # Panic dumps are kept root:log with no access for `other` (0750 dir,
    # 0640 files).
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Each per-daemon directory is owned by the uid/gid that uses it and, apart
    # from /data/misc itself, keychain and zoneinfo, grants `other` nothing.
    # 01771 on /data/misc sets the sticky bit: entries can be removed or
    # renamed only by their owner (or the directory owner), even though the
    # misc group may create them.
    mkdir /data/misc 01771 system misc
    # 02750 sets setgid: files created here inherit group `shell`.
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # Key material directories: owner-only (0700).
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    # give system access to wpa_supplicant.conf for backup and restore
    # (0660: owner and group read/write, nothing for `other`; the file holds
    # the saved Wi-Fi network credentials)
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    # 0771 shell:shell -- the shell uid/gid can create entries here; every
    # other uid can only traverse the directory, not list it.
    mkdir /data/local/tmp 0771 shell shell
    # Application storage roots. 0771 gives `other` search permission only, so
    # a path inside can be reached if known but the directory cannot be listed.
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    # Persistent property store: root only.
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    # NOTE(review): the directory is writable by uid system, and the setprop
    # below asks for policy to be reloaded from it. What validation init
    # applies to a policy found there is not visible in this file -- confirm.
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no fs-post-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

# boot: loopback networking, resource limits, VM tunables, then the sysfs
# ownership changes that let non-root daemons drive power and CPU settings.
on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
    # Resource 13 is RLIMIT_NICE; soft and hard limit are both 40. The limit
    # is set on init and inherited by the processes it starts.
    setrlimit 13 40 40

# Memory management. Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    # lowmemorykiller parameters: write-only (0220) for root and the system
    # group; nobody gets read access through these modes.
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    # The chowns below hand power-management sysfs nodes to uid radio or
    # system with gid system; only state, wake_lock and wake_unlock also get
    # an explicit 0660 mode, the rest keep the mode the kernel gave them.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # cpufreq "interactive" governor tunables: owned by system:system, 0660.
    # boostpulse is the one node that gets a chown but no chmod.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    # LED, vibrator and TCP-window nodes: ownership moves to system:system and
    # no mode is set here. vibrator/enable appears twice in this list; the
    # second chown is redundant.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Group of the kernel command line becomes radio; no chmod follows, so the
    # kernel's default mode decides who can actually read it.
    chown root radio /proc/cmdline

# Define TCP buffer sizes for various networks
# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts 58254,349525,1048576,58254,349525,1048576
    setprop net.tcp.buffersize.hspa 40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsupa 40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsdpa 61167,367002,1101005,8738,52429,262114
    setprop net.tcp.buffersize.hspap 122334,734003,2202010,32040,192239,576717
    setprop net.tcp.buffersize.edge 4093,26280,70800,4096,16384,70800
    setprop net.tcp.buffersize.gprs 4092,8760,48000,4096,8760,48000
    setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144

# Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    # Starts the services declared `class core` further down. Services marked
    # `disabled` (console, adbd) are skipped and wait for their own triggers.
    class_start core

on nonencrypted
    class_start main
    class_start late_start

# The vold.decrypt property drives the encrypted-boot sequence: each value
# that gets set fires the matching action below.
on property:vold.decrypt=trigger_default_encryption
    start defaultcrypto

on property:vold.decrypt=trigger_encryption
    start surfaceflinger
    start encrypt
    class_start main

on charger
    class_start charger

on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Any value written to sys.powerctl is passed to init's powerctl command.
# Who may set the property is decided by the property service's permission
# checks, not by anything in this file.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
# The property value is substituted into the write as-is; no range check is
# visible in this file, so the set-permission on these properties is the
# control point.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
# "tcp_default_init_rwnd" Is too long!
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}


## Daemon processes to be run by init.
##
# Reading guide for the stanzas below:
#  - no `user` line: the service runs as root, init's default.
#  - no `seclabel` line: this file assigns no SELinux domain; presumably the
#    domain comes from a policy transition on the executable's label --
#    confirm in sepolicy.
#  - `socket <name> <type> <perm> <user> <group>` creates /dev/socket/<name>
#    with that mode and owner before the daemon starts.
#  - `critical`: per init's documented behaviour, a service that keeps
#    exiting causes a reboot into recovery.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

# NOTE(review): logd and logdr are 0666 and logdw is 0222 (write-only), so by
# file mode every uid can reach all three sockets. Any per-caller filtering
# would have to happen inside logd or in SELinux policy -- confirm.
service logd /system/bin/logd
    class core
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
    seclabel u:r:logd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Shell on the console device, running as uid shell in the shell domain.
# `disabled` keeps it off unless the ro.debuggable=1 trigger below fires.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# adbd has no `user` line, so it is started as root in the adbd domain.
# --root_seclabel is an argument handed to adbd itself; presumably the context
# it switches to when it stays root -- confirm in the adbd source.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system

# servicemanager runs as system:system. When it restarts, the listed daemons
# are restarted with it.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart inputflinger
    onrestart restart drm

# Root daemon; its control socket is limited to root and group mount.
service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

# Root daemon; dnsproxyd is the socket opened to group inet, the other two
# are limited to group system.
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main

# Explicitly root, with a wide supplementary group list.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

service inputflinger /system/bin/inputflinger
    class main
    user system
    group input
    onrestart restart zygote

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

# Runs as uid media, but the group list adds network (inet), Bluetooth,
# camera, audio, DRM and net_bw_acct access to that one process.
service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

# One shot invocation to deal with encrypted volume.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)

# One shot invocation to encrypt unencrypted volumes
service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption)

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# Root daemon; mode 600 system:system means only uid system can connect.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Shell script run once as root whenever class main is started.
service flash_recovery /system/bin/install-recovery.sh
    class main
    oneshot

# No `user` line: racoon starts as root (see the comment below on when it
# drops to vpn).
service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    # Remaining options of the racoon service stanza.
    group vpn net_admin inet
    disabled
    oneshot

# In the stanzas below, a service with no `user` line runs as root (init's
# default), and `disabled` means it starts only when something asks for it
# by name.

# Starts directly as uid vpn; net_admin and net_raw come from the group list.
service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

# Runs as its own uid, which is also the owner of the 0700 directory
# /data/misc/keystore passed as its argument.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

# Root one-shot; the socket is reachable by uid shell and group log.
service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# Root, disabled by default.
service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot

# Root one-shot, disabled by default.
service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot