init.rc revision 0aee64f614d5eae0e50f5e24a1c790dd172b663f
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /init.usb.rc
9import /init.${ro.hardware}.rc
10import /init.${ro.zygote}.rc
11import /init.trace.rc
12
# First action defined in this file: shields init from the OOM killer,
# tightens SELinux mmap/mprotect checking, moves init into its own SELinux
# context, and only then starts ueventd.
13on early-init
14    # Set init and its forked children's oom_adj.
    # -1000 is the minimum oom_score_adj value, which exempts the process
    # from the kernel OOM killer.
15    write /proc/1/oom_score_adj -1000
16
17    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 makes SELinux check the protection the kernel will actually apply,
    # not only the protection the caller requested.
18    write /sys/fs/selinux/checkreqprot 0
19
20    # Set the security context for the init process.
21    # This should occur before anything else (e.g. ueventd) is started.
22    setcon u:r:init:s0
23
24    # Set the security context of /adb_keys if present.
25    restorecon /adb_keys
26
27    start ueventd
28
29# create mountpoints
    # NOTE(review): the comment above sits at column 0, but no new
    # "on"/"service" line precedes this mkdir, so it still belongs to
    # early-init. 0775 root:system is group-writable, not world-writable.
30    mkdir /mnt 0775 root system
31
# Builds the early filesystem skeleton (symlinks, cgroup and tmpfs mount
# points, storage directories), applies kernel sysctl settings including the
# exploit-mitigation knobs, and sets ownership/mode on accounting and log nodes.
32on init
33
# NOTE(review): sysclktz and loglevel are written without indentation, but no
# new section starts here, so they are commands of "on init".
34sysclktz 0
35
36loglevel 3
37
38# Backward compatibility
39    symlink /system/etc /etc
40    symlink /sys/kernel/debug /d
41
42# Right now vendor lives on the same filesystem as system,
43# but someday that may change.
44    symlink /system/vendor /vendor
45
46# Create cgroup mount point for cpu accounting
47    mkdir /acct
48    mount cgroup none /acct cpuacct
49    mkdir /acct/uid
50
51# Create cgroup mount point for memory
    # The tmpfs root is 0750 uid 0 / gid 1000; the lines below name the group
    # "system" - presumably the same group as gid 1000, confirm.
52    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
53    mkdir /sys/fs/cgroup/memory 0750 root system
54    mount cgroup none /sys/fs/cgroup/memory memory
55    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    # tasks files are 0660 root:system: only root and group system can move
    # tasks into these memory cgroups.
56    chown root system /sys/fs/cgroup/memory/tasks
57    chmod 0660 /sys/fs/cgroup/memory/tasks
58    mkdir /sys/fs/cgroup/memory/sw 0750 root system
59    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
60    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
61    chown root system /sys/fs/cgroup/memory/sw/tasks
62    chmod 0660 /sys/fs/cgroup/memory/sw/tasks
63
64    mkdir /system
65    mkdir /data 0771 system system
66    mkdir /cache 0770 system cache
67    mkdir /config 0500 root root
68
69    # See storage config details at http://source.android.com/tech/storage/
70    mkdir /mnt/shell 0700 shell shell
71    mkdir /mnt/media_rw 0700 media_rw media_rw
72    mkdir /storage 0751 root sdcard_r
73
74    # Directory for putting things only root should see.
75    mkdir /mnt/secure 0700 root root
76
77    # Directory for staging bindmounts
78    mkdir /mnt/secure/staging 0700 root root
79
80    # Directory-target for where the secure container
81    # imagefile directory will be bind-mounted
82    mkdir /mnt/secure/asec  0700 root root
83
84    # Secure container public mount points.
    # NOTE(review): the directory is created 0700, but the tmpfs mounted on
    # top of it carries mode=0755, so the visible mount root is
    # world-readable and traversable. Same pattern for /mnt/obb below.
85    mkdir /mnt/asec  0700 root system
86    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
87
88    # Filesystem image public mount points.
89    mkdir /mnt/obb 0700 root system
90    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
91
92    # memory control cgroup
93    mkdir /dev/memcg 0700 root system
94    mount cgroup none /dev/memcg memory
95
    # Kernel tunables. The security-relevant ones in this run are:
    #   panic_on_oops 1      - panic instead of continuing after a kernel oops
    #   randomize_va_space 2 - full address-space randomization (incl. heap)
    #   kptr_restrict 2      - kernel pointers are hidden from all users
    #   dmesg_restrict 1     - reading the kernel log requires privilege
    #   mmap_min_addr 32768  - user space cannot map the lowest 32 KiB, which
    #                          limits kernel NULL-dereference exploitation
    #   ping_group_range "0 2147483647" - every gid may open unprivileged
    #                          ICMP ping sockets
    # The remaining writes are scheduler and socket-queue tuning.
96    write /proc/sys/kernel/panic_on_oops 1
97    write /proc/sys/kernel/hung_task_timeout_secs 0
98    write /proc/cpu/alignment 4
99    write /proc/sys/kernel/sched_latency_ns 10000000
100    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
101    write /proc/sys/kernel/sched_compat_yield 1
102    write /proc/sys/kernel/sched_child_runs_first 0
103    write /proc/sys/kernel/randomize_va_space 2
104    write /proc/sys/kernel/kptr_restrict 2
105    write /proc/sys/kernel/dmesg_restrict 1
106    write /proc/sys/vm/mmap_min_addr 32768
107    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
108    write /proc/sys/net/unix/max_dgram_qlen 300
109    write /proc/sys/kernel/sched_rt_runtime_us 950000
110    write /proc/sys/kernel/sched_rt_period_us 1000000
111
112# Create cgroup mount points for process groups
113    mkdir /dev/cpuctl
114    mount cgroup none /dev/cpuctl cpu
115    chown system system /dev/cpuctl
116    chown system system /dev/cpuctl/tasks
117    chmod 0660 /dev/cpuctl/tasks
118    write /dev/cpuctl/cpu.shares 1024
119    write /dev/cpuctl/cpu.rt_runtime_us 950000
120    write /dev/cpuctl/cpu.rt_period_us 1000000
121
122    mkdir /dev/cpuctl/apps
123    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file world-writable (the root
    # group's tasks file above is 0660). This is in tension with the "no
    # world writable files" rule at the top of this file; presumably it is
    # deliberate so any process can place threads in the group - confirm
    # that another control (e.g. SELinux policy) bounds who may write.
124    chmod 0666 /dev/cpuctl/apps/tasks
125    write /dev/cpuctl/apps/cpu.shares 1024
126    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
127    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
128
129    mkdir /dev/cpuctl/apps/bg_non_interactive
130    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same question as for apps/tasks.
131    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
132    # 5.0 %
    # (52 shares against the 1024 given to the sibling groups is about 5 %.)
133    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
134    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
135    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
136
137# qtaguid will limit access to specific data based on group memberships.
138#   net_bw_acct grants impersonation of socket owners.
139#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
140    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
141    chown root net_bw_stats /proc/net/xt_qtaguid/stats
142
143# Allow everybody to read the xt_qtaguid resource tracking misc dev.
144# This is needed by any process that uses socket tagging.
    # 0644: world-readable, writable by the owner only.
145    chmod 0644 /dev/xt_qtaguid
146
147# Create location for fs_mgr to store abbreviated output from filesystem
148# checker programs.
149    mkdir /dev/fscklogs 0770 root system
150
151# pstore/ramoops previous console log
    # 0440 system:log - the previous boot's console log is readable by user
    # system and group log only.
152    mount pstore pstore /sys/fs/pstore
153    chown system log /sys/fs/pstore/console-ramoops
154    chmod 0440 /sys/fs/pstore/console-ramoops
155
# Locks down the root filesystem (read-only remount), re-asserts ownership,
# mode and SELinux labels on /cache, and narrows access to kernel debug nodes
# under /proc that bugreports need.
156on post-fs
157    # once everything is setup, no need to modify /
158    mount rootfs rootfs / ro remount
159    # mount shared so changes propagate into child namespaces
160    mount rootfs rootfs / shared rec
161
162    # We chown/chmod /cache again because mount is run as root + defaults
163    chown system cache /cache
164    chmod 0770 /cache
165    # We restorecon /cache in case the cache partition has been reset.
166    restorecon /cache
167
168    # This may have been created by the recovery system with odd permissions
169    chown system cache /cache/recovery
170    chmod 0770 /cache/recovery
171    # This may have been created by the recovery system with the wrong context.
172    restorecon /cache/recovery
173
174    # change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log - readable by root and group log, not by other users.
175    chown root log /proc/vmallocinfo
176    chmod 0440 /proc/vmallocinfo
177
178    chown root log /proc/slabinfo
179    chmod 0440 /proc/slabinfo
180
181    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg is read-only (0440) and sysrq-trigger write-only (0220) for root
    # and group system; last_kmsg is read-only for system and group log.
182    chown root system /proc/kmsg
183    chmod 0440 /proc/kmsg
184    chown root system /proc/sysrq-trigger
185    chmod 0220 /proc/sysrq-trigger
186    chown system log /proc/last_kmsg
187    chmod 0440 /proc/last_kmsg
188
189    # make the selinux kernel policy world-readable
    # 0444: every local process can read the loaded policy; nobody can write
    # it through this node.
190    chmod 0444 /sys/fs/selinux/policy
191
192    # create the lost+found directories, so as to enforce our permissions
193    mkdir /cache/lost+found 0770 root root
194
# Runs once /data is available: re-asserts ownership and labels on /data,
# reseeds the kernel entropy pool, collects panic dumps, creates the /data
# directory tree with explicit owner/group/mode, and relabels /data for
# SELinux.
195on post-fs-data
196    # We chown/chmod /data again because mount is run as root + defaults
197    chown system system /data
198    chmod 0771 /data
199    # We restorecon /data in case the userdata partition has been reset.
200    restorecon /data
201
202    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # The saved file is written into /dev/urandom so it is mixed into the pool.
203    copy /data/system/entropy.dat /dev/urandom
204
205    # Create dump dir and collect dumps.
206    # Do this before we mount cache so eventually we can use cache for
207    # storing dumps on platforms which do not have a dedicated dump partition.
208    mkdir /data/dontpanic 0750 root log
209
210    # Collect apanic data, free resources and re-arm trigger
    # Dumps are 0640 root:log - writable by root, readable by group log only.
211    copy /proc/apanic_console /data/dontpanic/apanic_console
212    chown root log /data/dontpanic/apanic_console
213    chmod 0640 /data/dontpanic/apanic_console
214
215    copy /proc/apanic_threads /data/dontpanic/apanic_threads
216    chown root log /data/dontpanic/apanic_threads
217    chmod 0640 /data/dontpanic/apanic_threads
218
219    write /proc/apanic_console 1
220
221    # create basic filesystem structure
    # Modes are octal with an optional leading special-bits digit:
    # 01771 sets the sticky bit on /data/misc, 02750 sets setgid on
    # /data/misc/adb. Secret-holding directories (keystore, systemkeys,
    # media) are 0700, i.e. owner-only.
222    mkdir /data/misc 01771 system misc
223    mkdir /data/misc/adb 02750 system shell
224    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
225    mkdir /data/misc/bluetooth 0770 system system
226    mkdir /data/misc/keystore 0700 keystore keystore
227    mkdir /data/misc/keychain 0771 system system
228    mkdir /data/misc/radio 0770 system radio
229    mkdir /data/misc/sms 0770 system radio
230    mkdir /data/misc/zoneinfo 0775 system system
231    mkdir /data/misc/vpn 0770 system vpn
232    mkdir /data/misc/systemkeys 0700 system system
233    mkdir /data/misc/wifi 0770 wifi wifi
234    mkdir /data/misc/wifi/sockets 0770 wifi wifi
235    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
236    mkdir /data/misc/dhcp 0770 dhcp dhcp
237    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): only the mode is set here (group read/write); the file's
    # owner and group are not set in this file, so who gains access through
    # the group bits depends on how the file was created - confirm.
238    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
239    mkdir /data/local 0751 root root
240    mkdir /data/misc/media 0700 media media
241
242    # For security reasons, /data/local/tmp should always be empty.
243    # Do not place files or directories in /data/local/tmp
    # 0771 shell:shell - user and group shell can write here; others can
    # only traverse.
244    mkdir /data/local/tmp 0771 shell shell
245    mkdir /data/data 0771 system system
246    mkdir /data/app-private 0771 system system
247    mkdir /data/app-asec 0700 root root
248    mkdir /data/app-lib 0771 system system
249    mkdir /data/app 0771 system system
250    mkdir /data/property 0700 root root
251    mkdir /data/ssh 0750 root shell
252    mkdir /data/ssh/empty 0700 root root
253
254    # create dalvik-cache, so as to enforce our permissions
255    mkdir /data/dalvik-cache 0771 system system
256
257    # create resource-cache and double-check the perms
258    mkdir /data/resource-cache 0771 system system
259    chown system system /data/resource-cache
260    chmod 0771 /data/resource-cache
261
262    # create the lost+found directories, so as to enforce our permissions
263    mkdir /data/lost+found 0770 root root
264
265    # create directory for DRM plug-ins - give drm the read/write access to
266    # the following directory.
267    mkdir /data/drm 0770 drm drm
268
269    # create directory for MediaDrm plug-ins - give drm the read/write access to
270    # the following directory.
271    mkdir /data/mediadrm 0770 mediadrm mediadrm
272
273    # symlink to bugreport storage location
274    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
275
276    # Separate location for storing security policy files on data
    # 0711 system:system - only user system can list or write the directory;
    # others can traverse it.
277    mkdir /data/security 0711 system system
278
279    # Reload policy from /data/security if present.
280    setprop selinux.reload_policy 1
281
282    # Set SELinux security contexts on upgrade or policy update.
283    restorecon_recursive /data
284
285    # If there is no post-fs-data action in the init.<device>.rc file, you
286    # must uncomment this line, otherwise encrypted filesystems
287    # won't work.
288    # Set indication (checked by vold) that we have finished this action
289    #setprop vold.post_fs_data_done 1
290
# Final boot-time setup before services start: loopback network, resource
# limits, VM tuning, hand-over of selected /sys and /proc nodes to the
# system/radio users, default TCP buffer properties, then start of class core.
291on boot
292# basic network init
293    ifup lo
294    hostname localhost
295    domainname localdomain
296
297# set RLIMIT_NICE to allow priorities from 19 to -20
    # Arguments are <resource> <soft> <hard>; per the comment above, resource
    # 13 is RLIMIT_NICE.
298    setrlimit 13 40 40
299
300# Memory management.  Basic kernel parameters, and allow the high
301# level system server to be able to adjust the kernel OOM driver
302# parameters to match how it is managing things.
303    write /proc/sys/vm/overcommit_memory 1
304    write /proc/sys/vm/min_free_order_shift 4
    # 0220 root:system - the lowmemorykiller parameters are write-only for
    # root and group system; nobody can read them back through these nodes.
305    chown root system /sys/module/lowmemorykiller/parameters/adj
306    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
307    chown root system /sys/module/lowmemorykiller/parameters/minfree
308    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree
309
310    # Tweak background writeout
311    write /proc/sys/vm/dirty_expire_centisecs 200
312    write /proc/sys/vm/dirty_background_ratio  5
313
314    # Permissions for System Server and daemons.
    # Power-management nodes go to user radio or system with group system;
    # the three chmod lines below limit write access to owner and group.
315    chown radio system /sys/android_power/state
316    chown radio system /sys/android_power/request_state
317    chown radio system /sys/android_power/acquire_full_wake_lock
318    chown radio system /sys/android_power/acquire_partial_wake_lock
319    chown radio system /sys/android_power/release_wake_lock
320    chown system system /sys/power/autosleep
321    chown system system /sys/power/state
322    chown system system /sys/power/wakeup_count
323    chown radio system /sys/power/wake_lock
324    chown radio system /sys/power/wake_unlock
325    chmod 0660 /sys/power/state
326    chmod 0660 /sys/power/wake_lock
327    chmod 0660 /sys/power/wake_unlock
328
    # cpufreq "interactive" governor tunables: owned by system:system, 0660.
329    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
330    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
331    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
332    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
333    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
334    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
335    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
336    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
337    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
338    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
339    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
340    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
341    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
342    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
343    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
344    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): boostpulse is the only tunable in this run that gets a
    # chown but no chmod; its mode stays whatever the kernel created.
345    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
346    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
347    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
348    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
349    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
350    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
351    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
352
353    # Assume SMP uses shared cpufreq policy for all CPUs
354    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
355    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
356
    # Ownership only (no chmod) for vibrator, LED and TCP-memory nodes.
357    chown system system /sys/class/timed_output/vibrator/enable
358    chown system system /sys/class/leds/keyboard-backlight/brightness
359    chown system system /sys/class/leds/lcd-backlight/brightness
360    chown system system /sys/class/leds/button-backlight/brightness
361    chown system system /sys/class/leds/jogball-backlight/brightness
362    chown system system /sys/class/leds/red/brightness
363    chown system system /sys/class/leds/green/brightness
364    chown system system /sys/class/leds/blue/brightness
365    chown system system /sys/class/leds/red/device/grpfreq
366    chown system system /sys/class/leds/red/device/grppwm
367    chown system system /sys/class/leds/red/device/blink
    # NOTE(review): the next line repeats the vibrator chown from the start
    # of this run.
368    chown system system /sys/class/timed_output/vibrator/enable
369    chown system system /sys/module/sco/parameters/disable_esco
370    chown system system /sys/kernel/ipv4/tcp_wmem_min
371    chown system system /sys/kernel/ipv4/tcp_wmem_def
372    chown system system /sys/kernel/ipv4/tcp_wmem_max
373    chown system system /sys/kernel/ipv4/tcp_rmem_min
374    chown system system /sys/kernel/ipv4/tcp_rmem_def
375    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Group of /proc/cmdline becomes radio; the mode is not changed here.
376    chown root radio /proc/cmdline
377
378# Define TCP buffer sizes for various networks
379#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
380    setprop net.tcp.buffersize.default  4096,87380,110208,4096,16384,110208
381    setprop net.tcp.buffersize.wifi     524288,1048576,2097152,262144,524288,1048576
382    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
383    setprop net.tcp.buffersize.lte      524288,1048576,2097152,262144,524288,1048576
384    setprop net.tcp.buffersize.umts     58254,349525,1048576,58254,349525,1048576
385    setprop net.tcp.buffersize.hspa     40778,244668,734003,16777,100663,301990
386    setprop net.tcp.buffersize.hsupa    40778,244668,734003,16777,100663,301990
387    setprop net.tcp.buffersize.hsdpa    61167,367002,1101005,8738,52429,262114
388    setprop net.tcp.buffersize.hspap    122334,734003,2202010,32040,192239,576717
389    setprop net.tcp.buffersize.edge     4093,26280,70800,4096,16384,70800
390    setprop net.tcp.buffersize.gprs     4092,8760,48000,4096,8760,48000
391    setprop net.tcp.buffersize.evdo     4094,87380,262144,4096,16384,262144
392
393# Define default initial receive window size in segments.
394    setprop net.tcp.default_init_rwnd 60
395
    # Starts every non-disabled service declared with "class core".
396    class_start core
397
# Triggers that decide which service classes run. Without encryption, main
# and late_start are started directly; otherwise the vold.decrypt property
# drives start and reset of those classes.
# NOTE(review): these actions fire on property values; who is allowed to set
# vold.decrypt and sys.powerctl is decided by property permissions that are
# not part of this file - confirm they are limited to the intended writers.
398on nonencrypted
399    class_start main
400    class_start late_start
401
402on property:vold.decrypt=trigger_default_encryption
403    start defaultcrypto
404
405on property:vold.decrypt=trigger_encryption
406    start surfaceflinger
407    start encrypt
408    class_start main
409
410on charger
411    class_start charger
412
# class_reset stops the class's services; the restart triggers below start
# them again.
413on property:vold.decrypt=trigger_reset_main
414    class_reset main
415
416on property:vold.decrypt=trigger_load_persist_props
417    load_persist_props
418
# Re-runs the post-fs-data action defined earlier in this file.
419on property:vold.decrypt=trigger_post_fs_data
420    trigger post-fs-data
421
# "min" framework: only class main, late_start stays down.
422on property:vold.decrypt=trigger_restart_min_framework
423    class_start main
424
425on property:vold.decrypt=trigger_restart_framework
426    class_start main
427    class_start late_start
428
429on property:vold.decrypt=trigger_shutdown_framework
430    class_reset late_start
431    class_reset main
432
# Any value written to sys.powerctl is handed to init's powerctl command.
433on property:sys.powerctl=*
434    powerctl ${sys.powerctl}
435
436# system server cannot write to /proc/sys files,
437# and chown/chmod does not work for /proc/sys/ entries.
438# So proxy writes through init.
# NOTE(review): init copies the property value into the sysctl as-is; no
# range check is visible here. The set of processes able to reach these two
# sysctls is therefore whoever may set sys.sysctl.* properties, which is
# configured outside this file - confirm.
439on property:sys.sysctl.extra_free_kbytes=*
440    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
441# A property named after the full sysctl, "tcp_default_init_rwnd", would be
# too long for a property name, so the abbreviated "tcp_def_init_rwnd" is used.
442on property:sys.sysctl.tcp_def_init_rwnd=*
443    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
444
445
446## Daemon processes to be run by init.
447##
# ueventd, class core, with an explicit SELinux domain. "critical" marks it
# as a service init will not tolerate crashing repeatedly. No "user" line, so
# init's default user (root) applies.
448service ueventd /sbin/ueventd
449    class core
450    critical
451    seclabel u:r:ueventd:s0
452
# Log daemon, class core, explicit SELinux domain; no "user" line, so init's
# default user (root) applies at launch.
# NOTE(review): sockets logd and logdr are created 0666 and logdw 0222, so
# every local process can connect to or write to them. Presumably this is
# required so that all processes can log; restricting what a client may read
# then has to be enforced by logd itself and by SELinux policy - confirm.
453service logd /system/bin/logd
454    class core
455    socket logd stream 0666 logd logd
456    socket logdr seqpacket 0666 logd logd
457    socket logdw dgram 0222 logd logd
458    seclabel u:r:logd:s0
459
# healthd, class core, critical, explicit SELinux domain. No "user" line, so
# init's default user (root) applies.
460service healthd /sbin/healthd
461    class core
462    critical
463    seclabel u:r:healthd:s0
464
# Interactive shell on the console device, run as user shell with group log
# in the shell SELinux domain. It is "disabled", so it is never started with
# class core; the only start visible in this file is the ro.debuggable=1
# trigger below, i.e. production (non-debuggable) builds get no console shell.
465service console /system/bin/sh
466    class core
467    console
468    disabled
469    user shell
470    group log
471    seclabel u:r:shell:s0
472
473on property:ro.debuggable=1
474    start console
475
476# adbd is controlled via property triggers in init.<platform>.usb.rc
# adbd is "disabled": it only runs when a trigger starts it by name. It has
# no "user" line, so it is launched as init's default user (root) in the adbd
# SELinux domain.
# NOTE(review): --root_seclabel passes the su domain label to adbd;
# presumably this is the context used when adbd keeps root on debuggable
# builds - confirm that path is unreachable on production builds.
# NOTE(review): the socket mode is written "660" without a leading zero,
# unlike the "0660" entries elsewhere; presumably it is parsed as octal all
# the same - confirm.
477service adbd /sbin/adbd --root_seclabel=u:r:su:s0
478    class core
479    socket adbd stream 660 system system
480    disabled
481    seclabel u:r:adbd:s0
482
483# adbd on at boot in emulator
484on property:ro.kernel.qemu=1
485    start adbd
486
# Low-memory killer daemon, class core, critical. Its control socket is 0660
# system:system. No "user" or "seclabel" line is given here, so init's
# default user (root) applies and the SELinux domain comes from policy.
487service lmkd /system/bin/lmkd
488    class core
489    critical
490    socket lmkd seqpacket 0660 system system
491
# servicemanager runs unprivileged (user/group system) and is critical.
# When it restarts, init also restarts the services listed under "onrestart".
492service servicemanager /system/bin/servicemanager
493    class core
494    user system
495    group system
496    critical
497    onrestart restart healthd
498    onrestart restart zygote
499    onrestart restart media
500    onrestart restart surfaceflinger
501    onrestart restart inputflinger
502    onrestart restart drm
503
# Volume daemon, class core. No "user" line, so init's default user (root)
# applies. Its command socket is 0660 root:mount, so only root and members of
# group mount can send it commands.
504service vold /system/bin/vold
505    class core
506    socket vold stream 0660 root mount
507    ioprio be 2
508
# Network daemon, class main; no "user" line, so init's default user (root)
# applies. Three 0660 sockets: netd and mdns for root:system, dnsproxyd for
# root:inet (so members of group inet can reach the DNS proxy).
509service netd /system/bin/netd
510    class main
511    socket netd stream 0660 root system
512    socket dnsproxyd stream 0660 root inet
513    socket mdns stream 0660 root system
514
# Crash-dump daemons (a second binary, debuggerd64, is declared alongside the
# first). Neither declares user, group or seclabel, so both are launched as
# init's default user (root) with the SELinux domain decided by policy.
515service debuggerd /system/bin/debuggerd
516    class main
517
518service debuggerd64 /system/bin/debuggerd64
519    class main
520
# Radio interface daemon. It is explicitly started as root with the
# supplementary groups listed below.
# NOTE(review): "user root" is stated explicitly; whether rild drops
# privileges itself after start-up cannot be seen from this file - confirm.
# The rild socket is 660 root:radio, rild-debug 660 radio:system.
521service ril-daemon /system/bin/rild
522    class main
523    socket rild stream 660 root radio
524    socket rild-debug stream 660 radio system
525    user root
526    group radio cache inet misc audio log
527
# Display compositor, run as user system with groups graphics and drmrpc.
# A restart of this service also restarts zygote.
528service surfaceflinger /system/bin/surfaceflinger
529    class main
530    user system
531    group graphics drmrpc
532    onrestart restart zygote
533
# Input service, run as user system with group input. A restart of this
# service also restarts zygote.
534service inputflinger /system/bin/inputflinger
535    class main
536    user system
537    group input
538    onrestart restart zygote
539
# DRM server, run as the dedicated user drm with groups drm, system, inet
# and drmrpc.
540service drm /system/bin/drmserver
541    class main
542    user drm
543    group drm system inet drmrpc
544
# Media server, run as the dedicated user media.
# NOTE(review): the group list is broad (audio, camera, network, Bluetooth,
# bandwidth accounting, DRM); a compromise of this process would inherit all
# of these group permissions, so it is worth checking each is still needed.
545service media /system/bin/mediaserver
546    class main
547    user media
548    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
549    ioprio rt 4
550
551# One shot invocation to deal with encrypted volume.
# "disabled" + "oneshot": runs only when started by name (the
# vold.decrypt=trigger_default_encryption action in this file) and is not
# restarted after it exits. No "user" line, so init's default (root) applies.
552service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
553    disabled
554    oneshot
555    # vold will set vold.decrypt to trigger_restart_framework (default
556    # encryption) or trigger_restart_min_framework (other encryption)
557
558# One shot invocation to encrypt unencrypted volumes
# "disabled" + "oneshot": runs only when started by name (the
# vold.decrypt=trigger_encryption action in this file) and is not restarted
# after it exits. No "user" line, so init's default (root) applies.
559service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
560    disabled
561    oneshot
562    # vold will set vold.decrypt to trigger_restart_framework (default
563    # encryption)
564
# Boot animation, run as user/group graphics. Disabled and oneshot: it is
# started by name from elsewhere and not restarted when it exits.
565service bootanim /system/bin/bootanimation
566    class main
567    user graphics
568    group graphics
569    disabled
570    oneshot
571
# Package install daemon. No "user" line, so init's default user (root)
# applies; its socket is 600 system:system, so only user system can connect.
572service installd /system/bin/installd
573    class main
574    socket installd stream 600 system system
575
# Runs install-recovery.sh once whenever class main is started.
# NOTE(review): no "user" line, so the script executes as init's default user
# (root); the integrity of /system/bin/install-recovery.sh therefore matters
# as much as that of a root daemon.
576service flash_recovery /system/bin/install-recovery.sh
577    class main
578    oneshot
579
# IKE daemon for VPN. Disabled and oneshot: started by name on demand.
# It has no "user" line and so starts as root; per the comment below it is
# expected to drop to user vpn itself once the privileged port is bound.
# Control socket is 600 system:system.
580service racoon /system/bin/racoon
581    class main
582    socket racoon stream 600 system system
583    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
584    group vpn net_admin inet
585    disabled
586    oneshot
587
# VPN helper daemon, launched directly as user vpn with network groups
# (including net_admin and net_raw). Disabled and oneshot: started by name on
# demand. Control socket is 600 system:system.
588service mtpd /system/bin/mtpd
589    class main
590    socket mtpd stream 600 system system
591    user vpn
592    group vpn net_admin inet net_raw
593    disabled
594    oneshot
594    oneshot
595
# Key storage daemon, run as the dedicated user keystore. Its argument is the
# /data/misc/keystore directory, which the post-fs-data action in this file
# creates as 0700 keystore:keystore (owner-only).
596service keystore /system/bin/keystore /data/misc/keystore
597    class main
598    user keystore
599    group keystore drmrpc
600
# Bugreport collector. Disabled and oneshot: started by name on demand.
# No "user" line, so init's default user (root) applies; its socket is 0660
# shell:log, so user shell and group log can read the output.
601service dumpstate /system/bin/dumpstate -s
602    class main
603    socket dumpstate stream 0660 shell log
604    disabled
605    oneshot
606
# SSH daemon launcher. Disabled: nothing in this file starts it, it only runs
# when started by name from elsewhere.
# NOTE(review): no "user" line, so start-ssh would run as init's default user
# (root) - confirm that whatever enables it is limited to debug builds.
607service sshd /system/bin/start-ssh
608    class main
609    disabled
610
# mDNS responder, run as the dedicated user mdnsr with groups inet and
# net_raw. Disabled and oneshot: started by name on demand. Its socket is
# 0660 mdnsr:inet.
611service mdnsd /system/bin/mdnsd
612    class main
613    user mdnsr
614    group inet net_raw
615    socket mdnsd stream 0660 mdnsr inet
616    disabled
617    oneshot
618
# Runs uncrypt once when started by name (disabled + oneshot). No "user"
# line, so init's default user (root) applies.
619service pre-recovery /system/bin/uncrypt
620    class main
621    disabled
622    oneshot
623