init.rc revision 13d5bb4badf59e22d9d983d104596da3ec4f2753
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /init.usb.rc
9import /init.${ro.hardware}.rc
10import /init.trace.rc
11
# early-init: the first action in this file. It shields init from the OOM
# killer, tightens SELinux mmap/mprotect checking, moves init into its own
# SELinux context and then starts ueventd.
12on early-init
13    # Set init and its forked children's oom_adj.
      # -1000 is the lowest oom_score_adj value, so the OOM killer never picks PID 1.
14    write /proc/1/oom_score_adj -1000
15
16    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
      # 0 = check the protection the kernel will actually apply, not only the
      # protection the caller requested.
17    write /sys/fs/selinux/checkreqprot 0
18
19    # Set the security context for the init process.
20    # This should occur before anything else (e.g. ueventd) is started.
21    setcon u:r:init:s0
22
23    # Set the security context of /adb_keys if present.
      # NOTE(review): /adb_keys presumably holds adb public keys shipped in the
      # image; its label is what SELinux policy uses to decide who may read it.
24    restorecon /adb_keys
25
26    start ueventd
27
28# create mountpoints
      # Group system may write to /mnt (0775); it is not world-writable.
29    mkdir /mnt 0775 root system
30
# init: builds the early directory tree and cgroup hierarchies, applies kernel
# sysctl settings (including the memory-protection ones) and sets ownership
# and modes on accounting and log nodes.
31on init
32
33sysclktz 0
34
35loglevel 3
36
37# Backward compatibility
38    symlink /system/etc /etc
      # /d is only a path alias; access is still governed by the permissions
      # on the debugfs mount itself.
39    symlink /sys/kernel/debug /d
40
41# Right now vendor lives on the same filesystem as system,
42# but someday that may change.
43    symlink /system/vendor /vendor
44
45# Create cgroup mount point for cpu accounting
46    mkdir /acct
47    mount cgroup none /acct cpuacct
48    mkdir /acct/uid
49
50# Create cgroup mount point for memory
      # gid=1000 is the system group; "other" gets no access (0750).
51    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
52    mkdir /sys/fs/cgroup/memory 0750 root system
53    mount cgroup none /sys/fs/cgroup/memory memory
54    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
      # Only root and group system may move tasks into these memory cgroups (0660).
55    chown root system /sys/fs/cgroup/memory/tasks
56    chmod 0660 /sys/fs/cgroup/memory/tasks
57    mkdir /sys/fs/cgroup/memory/sw 0750 root system
58    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
59    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
60    chown root system /sys/fs/cgroup/memory/sw/tasks
61    chmod 0660 /sys/fs/cgroup/memory/sw/tasks
62
63    mkdir /system
64    mkdir /data 0771 system system
65    mkdir /cache 0770 system cache
66    mkdir /config 0500 root root
67
68    # See storage config details at http://source.android.com/tech/storage/
69    mkdir /mnt/shell 0700 shell shell
70    mkdir /mnt/media_rw 0700 media_rw media_rw
71    mkdir /storage 0751 root sdcard_r
72
73    # Directory for putting things only root should see.
74    mkdir /mnt/secure 0700 root root
75
76    # Directory for staging bindmounts
77    mkdir /mnt/secure/staging 0700 root root
78
79    # Directory-target for where the secure container
80    # imagefile directory will be bind-mounted
81    mkdir /mnt/secure/asec  0700 root root
82
83    # Secure container public mount points.
      # The 0700 below applies to the underlying directory only; once the tmpfs
      # is mounted, its root is 0755 (world-searchable, not world-writable).
84    mkdir /mnt/asec  0700 root system
85    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
86
87    # Filesystem image public mount points.
      # Same pattern as /mnt/asec: the mounted tmpfs root is 0755.
88    mkdir /mnt/obb 0700 root system
89    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
90
91    # memory control cgroup
92    mkdir /dev/memcg 0700 root system
93    mount cgroup none /dev/memcg memory
94
       # Kernel settings. The security-relevant ones are annotated inline.
       # panic_on_oops 1: a kernel oops panics the device instead of letting a
       # possibly corrupted kernel keep running.
95    write /proc/sys/kernel/panic_on_oops 1
96    write /proc/sys/kernel/hung_task_timeout_secs 0
97    write /proc/cpu/alignment 4
98    write /proc/sys/kernel/sched_latency_ns 10000000
99    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
100    write /proc/sys/kernel/sched_compat_yield 1
101    write /proc/sys/kernel/sched_child_runs_first 0
       # 2 = full ASLR: stack, mmap base, VDSO and the brk heap are randomized.
102    write /proc/sys/kernel/randomize_va_space 2
       # 2 = kernel pointers printed with %pK are hidden from every reader,
       # including privileged ones.
103    write /proc/sys/kernel/kptr_restrict 2
       # 1 = reading the kernel log through syslog(2) requires CAP_SYSLOG.
104    write /proc/sys/kernel/dmesg_restrict 1
       # Userspace cannot map pages below 32 KiB, which blunts kernel
       # NULL-pointer-dereference bugs.
105    write /proc/sys/vm/mmap_min_addr 32768
       # Every gid may open unprivileged ICMP echo sockets, so ping needs
       # neither setuid root nor raw sockets.
106    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
107    write /proc/sys/kernel/sched_rt_runtime_us 950000
108    write /proc/sys/kernel/sched_rt_period_us 1000000
109
110# Create cgroup mount points for process groups
111    mkdir /dev/cpuctl
112    mount cgroup none /dev/cpuctl cpu
113    chown system system /dev/cpuctl
114    chown system system /dev/cpuctl/tasks
115    chmod 0660 /dev/cpuctl/tasks
116    write /dev/cpuctl/cpu.shares 1024
117    write /dev/cpuctl/cpu.rt_runtime_us 950000
118    write /dev/cpuctl/cpu.rt_period_us 1000000
119
120    mkdir /dev/cpuctl/apps
       # NOTE(review): 0666 makes this tasks file world-writable, unlike the
       # 0660 root-group file above and contrary to the warning at the top of
       # this file. Confirm that the kernel's own cgroup attach checks are what
       # limit which tasks a caller may move, and that every uid needs write access.
121    chown system system /dev/cpuctl/apps/tasks
122    chmod 0666 /dev/cpuctl/apps/tasks
123    write /dev/cpuctl/apps/cpu.shares 1024
124    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
125    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
126
127    mkdir /dev/cpuctl/apps/bg_non_interactive
       # NOTE(review): world-writable as well (0666); same question as for
       # /dev/cpuctl/apps/tasks.
128    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
129    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
130    # 5.0 %
131    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
132    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
133    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
134
135# qtaguid will limit access to specific data based on group memberships.
136#   net_bw_acct grants impersonation of socket owners.
137#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
       # Only ownership is set here; the file modes are whatever the kernel
       # module gives these proc entries.
138    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
139    chown root net_bw_stats /proc/net/xt_qtaguid/stats
140
141# Allow everybody to read the xt_qtaguid resource tracking misc dev.
142# This is needed by any process that uses socket tagging.
       # World-readable but writable by the owner only (0644).
143    chmod 0644 /dev/xt_qtaguid
144
145# Create location for fs_mgr to store abbreviated output from filesystem
146# checker programs.
147    mkdir /dev/fscklogs 0770 root system
148
149# pstore/ramoops previous console log
       # NOTE(review): this file carries the previous boot's kernel console
       # output. It is protected only by the 0440 system:log mode set here;
       # the dmesg_restrict setting above presumably does not cover pstore files.
150    mount pstore pstore /sys/fs/pstore
151    chown system log /sys/fs/pstore/console-ramoops
152    chmod 0440 /sys/fs/pstore/console-ramoops
153
# post-fs: locks down the root filesystem, re-asserts ownership, mode and
# SELinux labels on /cache, and opens selected /proc nodes to the log and
# system groups for bugreports.
154on post-fs
155    # once everything is setup, no need to modify /
       # With / read-only, the rc files and /sbin binaries on rootfs cannot be
       # changed at runtime without a remount.
156    mount rootfs rootfs / ro remount
157    # mount shared so changes propagate into child namespaces
158    mount rootfs rootfs / shared rec
159
160    # We chown/chmod /cache again because mount is run as root + defaults
161    chown system cache /cache
162    chmod 0770 /cache
163    # We restorecon /cache in case the cache partition has been reset.
164    restorecon /cache
165
166    # This may have been created by the recovery system with odd permissions
167    chown system cache /cache/recovery
168    chmod 0770 /cache/recovery
169    # This may have been created by the recovery system with the wrong context.
170    restorecon /cache/recovery
171
172    #change permissions on vmallocinfo so we can grab it from bugreports
       # Kernel allocator details stay unreadable for "other" (0440 root:log).
173    chown root log /proc/vmallocinfo
174    chmod 0440 /proc/vmallocinfo
175
176    chown root log /proc/slabinfo
177    chmod 0440 /proc/slabinfo
178
179    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
180    chown root system /proc/kmsg
181    chmod 0440 /proc/kmsg
       # NOTE(review): 0220 gives group system write access to sysrq-trigger.
       # Writes to this file can request any SysRq action, including crash and
       # reboot, not only the stack dumps mentioned above.
182    chown root system /proc/sysrq-trigger
183    chmod 0220 /proc/sysrq-trigger
184    chown system log /proc/last_kmsg
185    chmod 0440 /proc/last_kmsg
186
187    # create the lost+found directories, so as to enforce our permissions
188    mkdir /cache/lost+found 0770 root root
189
# post-fs-data: runs once /data is available. Re-asserts ownership, mode and
# label on /data, collects panic dumps, creates the /data directory skeleton
# with per-subsystem owners and modes, and asks for an SELinux policy reload.
190on post-fs-data
191    # We chown/chmod /data again because mount is run as root + defaults
192    chown system system /data
193    chmod 0771 /data
194    # We restorecon /data in case the userdata partition has been reset.
195    restorecon /data
196
197    # Avoid predictable entropy pool. Carry over entropy from previous boot.
       # Data written to /dev/urandom is mixed into the pool but not credited as
       # entropy, so a stale or attacker-known entropy.dat cannot weaken the pool.
198    copy /data/system/entropy.dat /dev/urandom
199
200    # Create dump dir and collect dumps.
201    # Do this before we mount cache so eventually we can use cache for
202    # storing dumps on platforms which do not have a dedicated dump partition.
203    mkdir /data/dontpanic 0750 root log
204
205    # Collect apanic data, free resources and re-arm trigger
       # The copies hold kernel panic output; they are readable by root and
       # group log only (0640).
206    copy /proc/apanic_console /data/dontpanic/apanic_console
207    chown root log /data/dontpanic/apanic_console
208    chmod 0640 /data/dontpanic/apanic_console
209
210    copy /proc/apanic_threads /data/dontpanic/apanic_threads
211    chown root log /data/dontpanic/apanic_threads
212    chmod 0640 /data/dontpanic/apanic_threads
213
214    write /proc/apanic_console 1
215
216    # create basic filesystem structure
       # 01771 sets the sticky bit: entries in /data/misc can be removed or
       # renamed only by their owner (or root), although group misc can write.
217    mkdir /data/misc 01771 system misc
       # 02750 sets the setgid bit: files created here inherit group shell.
218    mkdir /data/misc/adb 02750 system shell
219    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
220    mkdir /data/misc/bluetooth 0770 system system
       # Key material directory: owner-only access (0700 keystore).
221    mkdir /data/misc/keystore 0700 keystore keystore
222    mkdir /data/misc/keychain 0771 system system
223    mkdir /data/misc/radio 0770 system radio
224    mkdir /data/misc/sms 0770 system radio
225    mkdir /data/misc/zoneinfo 0775 system system
226    restorecon_recursive /data/misc/zoneinfo
227    mkdir /data/misc/vpn 0770 system vpn
228    mkdir /data/misc/systemkeys 0700 system system
229    mkdir /data/misc/wifi 0770 wifi wifi
230    mkdir /data/misc/wifi/sockets 0770 wifi wifi
231    restorecon_recursive /data/misc/wifi/sockets
232    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
233    mkdir /data/misc/dhcp 0770 dhcp dhcp
234    # give system access to wpa_supplicant.conf for backup and restore
       # NOTE(review): wpa_supplicant.conf normally stores saved network
       # credentials; 0660 extends read/write to the file's group. Confirm
       # which group owns it, since no chown is done here.
235    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
236    mkdir /data/local 0751 root root
237    mkdir /data/misc/media 0700 media media
238    restorecon_recursive /data/misc/media
239
240    # Set security context of any pre-existing /data/misc/adb/adb_keys file.
241    restorecon /data/misc/adb
242    restorecon /data/misc/adb/adb_keys
243
244    # For security reasons, /data/local/tmp should always be empty.
245    # Do not place files or directories in /data/local/tmp
       # Owned and writable by shell; "other" has search (x) permission only,
       # so other uids cannot list or create entries here.
246    mkdir /data/local/tmp 0771 shell shell
247    mkdir /data/data 0771 system system
248    mkdir /data/app-private 0771 system system
249    mkdir /data/app-asec 0700 root root
250    mkdir /data/app-lib 0771 system system
251    mkdir /data/app 0771 system system
252    mkdir /data/property 0700 root root
253    mkdir /data/ssh 0750 root shell
254    mkdir /data/ssh/empty 0700 root root
255
256    # create dalvik-cache, so as to enforce our permissions
257    mkdir /data/dalvik-cache 0771 system system
258
259    # create resource-cache and double-check the perms
260    mkdir /data/resource-cache 0771 system system
261    chown system system /data/resource-cache
262    chmod 0771 /data/resource-cache
263
264    # create the lost+found directories, so as to enforce our permissions
265    mkdir /data/lost+found 0770 root root
266
267    # create directory for DRM plug-ins - give drm the read/write access to
268    # the following directory.
269    mkdir /data/drm 0770 drm drm
270
271    # create directory for MediaDrm plug-ins - give drm the read/write access to
272    # the following directory.
273    mkdir /data/mediadrm 0770 mediadrm mediadrm
274    restorecon_recursive /data/mediadrm
275
276    # symlink to bugreport storage location
277    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
278
279    # Separate location for storing security policy files on data
       # NOTE(review): policy stored on the writable data partition is only as
       # trustworthy as write access to this directory (0711 system:system).
       # Confirm what validation the reload path performs before policy from
       # here replaces the one shipped in the image.
280    mkdir /data/security 0711 system system
281
282    # Reload policy from /data/security if present.
283    setprop selinux.reload_policy 1
284
285    # If there is no post-fs-data action in the init.<device>.rc file, you
286    # must uncomment this line, otherwise encrypted filesystems
287    # won't work.
288    # Set indication (checked by vold) that we have finished this action
289    #setprop vold.post_fs_data_done 1
290
# boot: basic network setup, resource limits, memory-management sysctls,
# hand-over of power, cpufreq, LED and TCP tuning nodes to the system and
# radio users, then start of the "core" service class.
291on boot
292# basic network init
293    ifup lo
294    hostname localhost
295    domainname localdomain
296
297# set RLIMIT_NICE to allow priorities from 19 to -20
       # NOTE(review): resource limits are inherited, so every process started
       # from init may raise its own priority up to -20 unless something lowers
       # the limit again later.
298    setrlimit 13 40 40
299
300# Memory management.  Basic kernel parameters, and allow the high
301# level system server to be able to adjust the kernel OOM driver
302# parameters to match how it is managing things.
303    write /proc/sys/vm/overcommit_memory 1
304    write /proc/sys/vm/min_free_order_shift 4
       # Writable by root and group system, readable by everyone (0664).
305    chown root system /sys/module/lowmemorykiller/parameters/adj
306    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
307    chown root system /sys/module/lowmemorykiller/parameters/minfree
308    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
309
310    # Tweak background writeout
311    write /proc/sys/vm/dirty_expire_centisecs 200
312    write /proc/sys/vm/dirty_background_ratio  5
313
314    # Permissions for System Server and daemons.
       # Power-state and wake-lock nodes go to uid radio or system with gid
       # system. Whoever can write wake_lock can keep the device awake, so
       # these stay 0660.
315    chown radio system /sys/android_power/state
316    chown radio system /sys/android_power/request_state
317    chown radio system /sys/android_power/acquire_full_wake_lock
318    chown radio system /sys/android_power/acquire_partial_wake_lock
319    chown radio system /sys/android_power/release_wake_lock
320    chown system system /sys/power/autosleep
321    chown system system /sys/power/state
322    chown system system /sys/power/wakeup_count
323    chown radio system /sys/power/wake_lock
324    chown radio system /sys/power/wake_unlock
325    chmod 0660 /sys/power/state
326    chmod 0660 /sys/power/wake_lock
327    chmod 0660 /sys/power/wake_unlock
328
       # cpufreq "interactive" governor tunables: owned by system, no access
       # for "other" (0660).
329    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
330    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
331    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
332    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
333    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
334    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
335    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
336    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
337    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
338    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
339    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
340    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
341    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
342    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
343    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
344    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
       # boostpulse is the only tunable here without a chmod; its mode stays
       # whatever the kernel driver sets.
345    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
346    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
347    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
348    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
349    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
350    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
351    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
352
353    # Assume SMP uses shared cpufreq policy for all CPUs
354    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
355    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
356
       # Ownership only; none of the nodes below gets a chmod here, so their
       # modes stay whatever the kernel drivers set.
357    chown system system /sys/class/timed_output/vibrator/enable
358    chown system system /sys/class/leds/keyboard-backlight/brightness
359    chown system system /sys/class/leds/lcd-backlight/brightness
360    chown system system /sys/class/leds/button-backlight/brightness
361    chown system system /sys/class/leds/jogball-backlight/brightness
362    chown system system /sys/class/leds/red/brightness
363    chown system system /sys/class/leds/green/brightness
364    chown system system /sys/class/leds/blue/brightness
365    chown system system /sys/class/leds/red/device/grpfreq
366    chown system system /sys/class/leds/red/device/grppwm
367    chown system system /sys/class/leds/red/device/blink
       # Duplicate of the vibrator chown a few lines up; harmless.
368    chown system system /sys/class/timed_output/vibrator/enable
369    chown system system /sys/module/sco/parameters/disable_esco
370    chown system system /sys/kernel/ipv4/tcp_wmem_min
371    chown system system /sys/kernel/ipv4/tcp_wmem_def
372    chown system system /sys/kernel/ipv4/tcp_wmem_max
373    chown system system /sys/kernel/ipv4/tcp_rmem_min
374    chown system system /sys/kernel/ipv4/tcp_rmem_def
375    chown system system /sys/kernel/ipv4/tcp_rmem_max
       # NOTE(review): no chmod follows, so this changes the group only; the
       # mode the kernel gives /proc/cmdline still decides who else can read
       # the kernel command line.
376    chown root radio /proc/cmdline
377
378# Define TCP buffer sizes for various networks
379#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
380    setprop net.tcp.buffersize.default  4096,87380,110208,4096,16384,110208
381    setprop net.tcp.buffersize.wifi     524288,1048576,2097152,262144,524288,1048576
382    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
383    setprop net.tcp.buffersize.lte      524288,1048576,2097152,262144,524288,1048576
384    setprop net.tcp.buffersize.umts     4094,87380,110208,4096,16384,110208
385    setprop net.tcp.buffersize.hspa     4094,87380,262144,4096,16384,262144
386    setprop net.tcp.buffersize.hsupa    4094,87380,262144,4096,16384,262144
387    setprop net.tcp.buffersize.hsdpa    4094,87380,262144,4096,16384,262144
388    setprop net.tcp.buffersize.hspap    4094,87380,1220608,4096,16384,1220608
389    setprop net.tcp.buffersize.edge     4093,26280,35040,4096,16384,35040
390    setprop net.tcp.buffersize.gprs     4092,8760,11680,4096,8760,11680
391    setprop net.tcp.buffersize.evdo     4094,87380,262144,4096,16384,262144
392
       # Starts every service declared "class core" that is not marked disabled.
393    class_start core
394
# nonencrypted: with no encrypted /data to wait for, start the framework
# service classes directly.
395on nonencrypted
396    class_start main
397    class_start late_start
398
# Default-encryption path: start surfaceflinger and the one-shot
# defaultcrypto service, which asks vold to mount the encrypted volume.
399on property:vold.decrypt=trigger_default_encryption
400    start surfaceflinger
401    start defaultcrypto
402
# charger: start only the services declared in class "charger".
403on charger
404    class_start charger
405
# Handlers for the vold.decrypt property. Each value set on that property makes
# init stop or start service classes, reload persistent properties or re-run
# post-fs-data.
# NOTE(review): these actions run for whoever is allowed to set vold.decrypt;
# that permission is enforced by the property service, outside this file.
406on property:vold.decrypt=trigger_reset_main
407    class_reset main
408
409on property:vold.decrypt=trigger_load_persist_props
410    load_persist_props
411
412on property:vold.decrypt=trigger_post_fs_data
413    trigger post-fs-data
414
415on property:vold.decrypt=trigger_restart_min_framework
416    class_start main
417
418on property:vold.decrypt=trigger_restart_framework
419    class_start main
420    class_start late_start
421
422on property:vold.decrypt=trigger_shutdown_framework
423    class_reset late_start
424    class_reset main
425
# Any value written to sys.powerctl is handed to init's powerctl command.
# NOTE(review): a process allowed to set sys.powerctl can therefore reboot or
# shut down the device; that permission is enforced by the property service,
# outside this file.
426on property:sys.powerctl=*
427    powerctl ${sys.powerctl}
428
429# system server cannot write to /proc/sys files, so proxy it through init
# init (root) writes the property value to the sysctl as given.
# NOTE(review): confirm that only system_server is allowed to set
# sys.sysctl.* properties, since the write itself happens with init's privileges.
430on property:sys.sysctl.extra_free_kbytes=*
431    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
432
433## Daemon processes to be run by init.
434##
# ueventd: device-node daemon run from /sbin on rootfs. No "user" line, so it
# runs as root. "critical" means repeated crashes send the device to recovery.
# The SELinux domain is set explicitly with seclabel.
435service ueventd /sbin/ueventd
436    class core
437    critical
438    seclabel u:r:ueventd:s0
439
# healthd: run from /sbin on rootfs as root (no "user" line), critical, with
# an explicit SELinux domain.
440service healthd /sbin/healthd
441    class core
442    critical
443    seclabel u:r:healthd:s0
444
# console: a shell attached to the console device. "disabled" keeps it from
# starting with class core; it runs only when started by name. It runs as
# uid shell with group log in the shell SELinux domain, not as root.
445service console /system/bin/sh
446    class core
447    console
448    disabled
449    user shell
450    group log
451    seclabel u:r:shell:s0
452
# Starts the console shell on debuggable builds only.
# NOTE(review): on such builds, whoever can reach the console device
# (presumably a serial line) gets a shell as uid shell with no login step.
453on property:ro.debuggable=1
454    start console
455
456# adbd is controlled via property triggers in init.<platform>.usb.rc
# "disabled": adbd is not started with class core, only by an explicit start.
# The control socket is limited to uid/gid system (660).
# NOTE(review): --root_seclabel presumably names the SELinux context adbd
# switches to when it keeps root; confirm that the su domain is absent from
# the policy of production builds.
457service adbd /sbin/adbd --root_seclabel=u:r:su:s0
458    class core
459    socket adbd stream 660 system system
460    disabled
461    seclabel u:r:adbd:s0
462
463# adbd on at boot in emulator
# The trigger is the ro.kernel.qemu property; on hardware it is expected to be
# unset, so this does not enable adbd there.
464on property:ro.kernel.qemu=1
465    start adbd
466
# lmkd: low-memory killer daemon. No "user" line, so it runs as root; its
# control socket is limited to uid/gid system (0660). No seclabel: the SELinux
# domain comes from a policy transition on the executable, if one is defined.
467service lmkd /system/bin/lmkd
468    class core
469    critical
470    socket lmkd seqpacket 0660 system system
471
# servicemanager: runs as uid/gid system rather than root. It is critical,
# and whenever it restarts init also restarts the services listed below.
472service servicemanager /system/bin/servicemanager
473    class core
474    user system
475    group system
476    critical
477    onrestart restart healthd
478    onrestart restart zygote
479    onrestart restart media
480    onrestart restart surfaceflinger
481    onrestart restart inputflinger
482    onrestart restart drm
483
# vold: volume daemon. No "user" line, so it runs as root. Its command socket
# is reachable by root and group mount only (0660).
484service vold /system/bin/vold
485    class core
486    socket vold stream 0660 root mount
487    ioprio be 2
488
# netd: network daemon, runs as root (no "user" line).
# The netd and mdns sockets are limited to root and group system. dnsproxyd is
# open to group inet, so every process holding that group can send requests
# to this root daemon; its request parsing is attack surface.
489service netd /system/bin/netd
490    class main
491    socket netd stream 0660 root system
492    socket dnsproxyd stream 0660 root inet
493    socket mdns stream 0660 root system
494
# debuggerd: crash-dump daemon. No "user", "group" or "seclabel" lines, so it
# runs as root and relies on SELinux policy for any domain transition.
495service debuggerd /system/bin/debuggerd
496    class main
497
# ril-daemon: radio interface daemon, started as root explicitly ("user root")
# with several supplementary groups.
# NOTE(review): whether rild drops root after start-up cannot be seen from
# this file; confirm. The rild-debug socket is reachable by uid radio and
# group system.
498service ril-daemon /system/bin/rild
499    class main
500    socket rild stream 660 root radio
501    socket rild-debug stream 660 radio system
502    user root
503    group radio cache inet misc audio log
504
# surfaceflinger: runs as uid system with the graphics and drmrpc groups.
# A restart of this service also restarts zygote.
505service surfaceflinger /system/bin/surfaceflinger
506    class main
507    user system
508    group graphics drmrpc
509    onrestart restart zygote
510
# inputflinger: runs as uid system with group input. A restart of this
# service also restarts zygote.
511service inputflinger /system/bin/inputflinger
512    class main
513    user system
514    group input
515    onrestart restart zygote
516
# zygote: the process app processes are forked from. No "user" line, so it
# runs as root, presumably because it must switch to each app's uid after
# fork. The zygote socket is limited to root and group system (660); anything
# able to write to it can request new processes.
# On restart, init wakes the device and restarts media and netd.
517service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
518    class main
519    socket zygote stream 660 root system
520    onrestart write /sys/android_power/request_state wake
521    onrestart write /sys/power/state on
522    onrestart restart media
523    onrestart restart netd
524
# drm: DRM server, runs as uid drm with the drm, system, inet and drmrpc groups.
525service drm /system/bin/drmserver
526    class main
527    user drm
528    group drm system inet drmrpc
529
# media: mediaserver, runs as uid media.
# NOTE(review): one process holds the audio, camera, network (inet), Bluetooth
# and DRM groups at once. If it also parses untrusted media (confirm), a
# memory-safety bug there exposes all of these.
530service media /system/bin/mediaserver
531    class main
532    user media
533    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
534    ioprio rt 4
535
536# One shot invocation to deal with encrypted volume.
# Disabled and one-shot: it runs only when started by name and is not
# restarted on exit. No "user" line, so vdc runs as root.
537service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
538    disabled
539    oneshot
540    # vold will set vold.decrypt to trigger_restart_framework (default
541    # encryption) or trigger_restart_min_framework (other encryption)
542
# bootanim: boot animation, runs as uid/gid graphics. Disabled and one-shot,
# so it runs only when something starts it by name.
543service bootanim /system/bin/bootanimation
544    class main
545    user graphics
546    group graphics
547    disabled
548    oneshot
549
# installd: package install helper. No "user" line, so it runs as root. Its
# socket is owner-only (600 system), so only uid system can send it commands.
550service installd /system/bin/installd
551    class main
552    socket installd stream 600 system system
553
# flash_recovery: runs install-recovery.sh once, whenever class main is started.
# NOTE(review): no "user" line, so the script runs as root. Its integrity
# depends on /system being read-only or verified; confirm for the target device.
554service flash_recovery /system/bin/install-recovery.sh
555    class main
556    oneshot
557
# racoon: IKE daemon for VPN. Disabled and one-shot. It starts as root (no
# "user" line) and, per the comment below, drops to uid vpn itself after
# binding its port. The control socket is owner-only (600 system).
558service racoon /system/bin/racoon
559    class main
560    socket racoon stream 600 system system
561    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
562    group vpn net_admin inet
563    disabled
564    oneshot
565
# mtpd: VPN tunnel daemon. Runs as uid vpn, not root, with the net_admin and
# net_raw groups. Disabled and one-shot; the control socket is owner-only
# (600 system).
566service mtpd /system/bin/mtpd
567    class main
568    socket mtpd stream 600 system system
569    user vpn
570    group vpn net_admin inet net_raw
571    disabled
572    oneshot
573
# keystore: runs as its own uid/gid and is given /data/misc/keystore as its
# data directory. No socket is declared for it here.
574service keystore /system/bin/keystore /data/misc/keystore
575    class main
576    user keystore
577    group keystore drmrpc
578
# dumpstate: bugreport collector. Disabled and one-shot. No "user" line, so it
# starts as root. Its output socket is readable by uid shell and group log
# (0660), so bugreport contents reach whoever holds those ids.
579service dumpstate /system/bin/dumpstate -s
580    class main
581    socket dumpstate stream 0660 shell log
582    disabled
583    oneshot
584
# sshd: disabled, so it runs only if something starts it by name.
# NOTE(review): no "user" or "seclabel" line, so start-ssh runs as root in
# whatever domain policy assigns. Confirm which property or component is able
# to start this service on production builds.
585service sshd /system/bin/start-ssh
586    class main
587    disabled
588
# mdnsd: mDNS responder. Runs as uid mdnsr with the inet and net_raw groups.
# Disabled and one-shot. Its socket is open to group inet (0660).
589service mdnsd /system/bin/mdnsd
590    class main
591    user mdnsr
592    group inet net_raw
593    socket mdnsd stream 0660 mdnsr inet
594    disabled
595    oneshot
596
# pre-recovery: runs uncrypt once when started by name (disabled + oneshot).
# No "user" line, so it runs as root.
597service pre-recovery /system/bin/uncrypt
598    class main
599    disabled
600    oneshot
601