init.rc revision 3094f82a8a4d4b8d2725df85a6af9d306b9f8800
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.environ.rc 8import /init.usb.rc 9import /init.${ro.hardware}.rc 10import /init.${ro.zygote}.rc 11import /init.trace.rc 12 13on early-init 14 # Set init and its forked children's oom_adj. 15 write /proc/1/oom_adj -16 16 17 # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. 18 write /sys/fs/selinux/checkreqprot 0 19 20 # Set the security context for the init process. 21 # This should occur before anything else (e.g. ueventd) is started. 22 setcon u:r:init:s0 23 24 # Set the security context of /adb_keys if present. 25 restorecon /adb_keys 26 27 start ueventd 28 29# create mountpoints 30 mkdir /mnt 0775 root system 31 32on init 33 34sysclktz 0 35 36loglevel 3 37 38# Backward compatibility 39 symlink /system/etc /etc 40 symlink /sys/kernel/debug /d 41 42# Right now vendor lives on the same filesystem as system, 43# but someday that may change. 44 symlink /system/vendor /vendor 45 46# Create cgroup mount point for cpu accounting 47 mkdir /acct 48 mount cgroup none /acct cpuacct 49 mkdir /acct/uid 50 51# Create cgroup mount point for memory 52 mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000 53 mkdir /sys/fs/cgroup/memory 0750 root system 54 mount cgroup none /sys/fs/cgroup/memory memory 55 write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 56 chown root system /sys/fs/cgroup/memory/tasks 57 chmod 0660 /sys/fs/cgroup/memory/tasks 58 mkdir /sys/fs/cgroup/memory/sw 0750 root system 59 write /sys/fs/cgroup/memory/sw/memory.swappiness 100 60 write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 61 chown root system /sys/fs/cgroup/memory/sw/tasks 62 chmod 0660 /sys/fs/cgroup/memory/sw/tasks 63 64 mkdir /system 65 mkdir /data 0771 system system 66 mkdir /cache 0770 system cache 67 mkdir /config 0500 root root 68 69 # See storage config details at http://source.android.com/tech/storage/ 70 mkdir /mnt/shell 0700 shell shell 71 mkdir /mnt/media_rw 0700 media_rw media_rw 72 mkdir /storage 0751 root sdcard_r 73 74 # Directory for putting things only root should see. 75 mkdir /mnt/secure 0700 root root 76 77 # Directory for staging bindmounts 78 mkdir /mnt/secure/staging 0700 root root 79 80 # Directory-target for where the secure container 81 # imagefile directory will be bind-mounted 82 mkdir /mnt/secure/asec 0700 root root 83 84 # Secure container public mount points. 85 mkdir /mnt/asec 0700 root system 86 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 87 88 # Filesystem image public mount points. 89 mkdir /mnt/obb 0700 root system 90 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 91 92 write /proc/sys/kernel/panic_on_oops 1 93 write /proc/sys/kernel/hung_task_timeout_secs 0 94 write /proc/cpu/alignment 4 95 write /proc/sys/kernel/sched_latency_ns 10000000 96 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 97 write /proc/sys/kernel/sched_compat_yield 1 98 write /proc/sys/kernel/sched_child_runs_first 0 99 write /proc/sys/kernel/randomize_va_space 2 100 write /proc/sys/kernel/kptr_restrict 2 101 write /proc/sys/kernel/dmesg_restrict 1 102 write /proc/sys/vm/mmap_min_addr 32768 103 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 104 write /proc/sys/net/unix/max_dgram_qlen 300 105 write /proc/sys/kernel/sched_rt_runtime_us 950000 106 write /proc/sys/kernel/sched_rt_period_us 1000000 107 108# Create cgroup mount points for process groups 109 mkdir /dev/cpuctl 110 mount cgroup none /dev/cpuctl cpu 111 chown system system /dev/cpuctl 112 chown system system /dev/cpuctl/tasks 113 chmod 0660 /dev/cpuctl/tasks 114 write /dev/cpuctl/cpu.shares 1024 115 write /dev/cpuctl/cpu.rt_runtime_us 950000 116 write /dev/cpuctl/cpu.rt_period_us 1000000 117 118 mkdir /dev/cpuctl/apps 119 chown system system /dev/cpuctl/apps/tasks 120 chmod 0666 /dev/cpuctl/apps/tasks 121 write /dev/cpuctl/apps/cpu.shares 1024 122 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 123 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 124 125 mkdir /dev/cpuctl/apps/bg_non_interactive 126 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 127 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 128 # 5.0 % 129 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 130 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 131 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 132 133# qtaguid will limit access to specific data based on group memberships. 134# net_bw_acct grants impersonation of socket owners. 135# net_bw_stats grants access to other apps' detailed tagged-socket stats. 136 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 137 chown root net_bw_stats /proc/net/xt_qtaguid/stats 138 139# Allow everybody to read the xt_qtaguid resource tracking misc dev. 140# This is needed by any process that uses socket tagging. 141 chmod 0644 /dev/xt_qtaguid 142 143# Create location for fs_mgr to store abbreviated output from filesystem 144# checker programs. 145 mkdir /dev/fscklogs 0770 root system 146 147on post-fs 148 # once everything is setup, no need to modify / 149 mount rootfs rootfs / ro remount 150 # mount shared so changes propagate into child namespaces 151 mount rootfs rootfs / shared rec 152 153 # We chown/chmod /cache again so because mount is run as root + defaults 154 chown system cache /cache 155 chmod 0770 /cache 156 # We restorecon /cache in case the cache partition has been reset. 157 restorecon /cache 158 159 # This may have been created by the recovery system with odd permissions 160 chown system cache /cache/recovery 161 chmod 0770 /cache/recovery 162 # This may have been created by the recovery system with the wrong context. 163 restorecon /cache/recovery 164 165 #change permissions on vmallocinfo so we can grab it from bugreports 166 chown root log /proc/vmallocinfo 167 chmod 0440 /proc/vmallocinfo 168 169 chown root log /proc/slabinfo 170 chmod 0440 /proc/slabinfo 171 172 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 173 chown root system /proc/kmsg 174 chmod 0440 /proc/kmsg 175 chown root system /proc/sysrq-trigger 176 chmod 0220 /proc/sysrq-trigger 177 chown system log /proc/last_kmsg 178 chmod 0440 /proc/last_kmsg 179 180 # make the selinux kernel policy world-readable 181 chmod 0444 /sys/fs/selinux/policy 182 183 # create the lost+found directories, so as to enforce our permissions 184 mkdir /cache/lost+found 0770 root root 185 186on post-fs-data 187 # We chown/chmod /data again so because mount is run as root + defaults 188 chown system system /data 189 chmod 0771 /data 190 # We restorecon /data in case the userdata partition has been reset. 191 restorecon /data 192 193 # Avoid predictable entropy pool. Carry over entropy from previous boot. 194 copy /data/system/entropy.dat /dev/urandom 195 196 # Create dump dir and collect dumps. 197 # Do this before we mount cache so eventually we can use cache for 198 # storing dumps on platforms which do not have a dedicated dump partition. 199 mkdir /data/dontpanic 0750 root log 200 201 # Collect apanic data, free resources and re-arm trigger 202 copy /proc/apanic_console /data/dontpanic/apanic_console 203 chown root log /data/dontpanic/apanic_console 204 chmod 0640 /data/dontpanic/apanic_console 205 206 copy /proc/apanic_threads /data/dontpanic/apanic_threads 207 chown root log /data/dontpanic/apanic_threads 208 chmod 0640 /data/dontpanic/apanic_threads 209 210 write /proc/apanic_console 1 211 212 # create basic filesystem structure 213 mkdir /data/misc 01771 system misc 214 mkdir /data/misc/adb 02750 system shell 215 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 216 mkdir /data/misc/bluetooth 0770 system system 217 mkdir /data/misc/keystore 0700 keystore keystore 218 mkdir /data/misc/keychain 0771 system system 219 mkdir /data/misc/radio 0770 system radio 220 mkdir /data/misc/sms 0770 system radio 221 mkdir /data/misc/zoneinfo 0775 system system 222 mkdir /data/misc/vpn 0770 system vpn 223 mkdir /data/misc/systemkeys 0700 system system 224 mkdir /data/misc/wifi 0770 wifi wifi 225 mkdir /data/misc/wifi/sockets 0770 wifi wifi 226 mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi 227 mkdir /data/misc/dhcp 0770 dhcp dhcp 228 mkdir /data/misc/user 0771 root root 229 # give system access to wpa_supplicant.conf for backup and restore 230 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 231 mkdir /data/local 0751 root root 232 mkdir /data/misc/media 0700 media media 233 234 # For security reasons, /data/local/tmp should always be empty. 235 # Do not place files or directories in /data/local/tmp 236 mkdir /data/local/tmp 0771 shell shell 237 mkdir /data/data 0771 system system 238 mkdir /data/app-private 0771 system system 239 mkdir /data/app-asec 0700 root root 240 mkdir /data/app-lib 0771 system system 241 mkdir /data/app 0771 system system 242 mkdir /data/property 0700 root root 243 mkdir /data/ssh 0750 root shell 244 mkdir /data/ssh/empty 0700 root root 245 246 # create dalvik-cache, so as to enforce our permissions 247 mkdir /data/dalvik-cache 0771 system system 248 249 # create resource-cache and double-check the perms 250 mkdir /data/resource-cache 0771 system system 251 chown system system /data/resource-cache 252 chmod 0771 /data/resource-cache 253 254 # create the lost+found directories, so as to enforce our permissions 255 mkdir /data/lost+found 0770 root root 256 257 # create directory for DRM plug-ins - give drm the read/write access to 258 # the following directory. 259 mkdir /data/drm 0770 drm drm 260 261 # create directory for MediaDrm plug-ins - give drm the read/write access to 262 # the following directory. 263 mkdir /data/mediadrm 0770 mediadrm mediadrm 264 265 # symlink to bugreport storage location 266 symlink /data/data/com.android.shell/files/bugreports /data/bugreports 267 268 # Separate location for storing security policy files on data 269 mkdir /data/security 0711 system system 270 271 # Reload policy from /data/security if present. 272 setprop selinux.reload_policy 1 273 274 # Set SELinux security contexts on upgrade or policy update. 275 restorecon_recursive /data 276 277 # If there is no fs-post-data action in the init.<device>.rc file, you 278 # must uncomment this line, otherwise encrypted filesystems 279 # won't work. 280 # Set indication (checked by vold) that we have finished this action 281 #setprop vold.post_fs_data_done 1 282 283on boot 284# basic network init 285 ifup lo 286 hostname localhost 287 domainname localdomain 288 289# set RLIMIT_NICE to allow priorities from 19 to -20 290 setrlimit 13 40 40 291 292# Memory management. Basic kernel parameters, and allow the high 293# level system server to be able to adjust the kernel OOM driver 294# parameters to match how it is managing things. 295 write /proc/sys/vm/overcommit_memory 1 296 write /proc/sys/vm/min_free_order_shift 4 297 chown root system /sys/module/lowmemorykiller/parameters/adj 298 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 299 chown root system /sys/module/lowmemorykiller/parameters/minfree 300 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 301 302 # Tweak background writeout 303 write /proc/sys/vm/dirty_expire_centisecs 200 304 write /proc/sys/vm/dirty_background_ratio 5 305 306 # Permissions for System Server and daemons. 307 chown radio system /sys/android_power/state 308 chown radio system /sys/android_power/request_state 309 chown radio system /sys/android_power/acquire_full_wake_lock 310 chown radio system /sys/android_power/acquire_partial_wake_lock 311 chown radio system /sys/android_power/release_wake_lock 312 chown system system /sys/power/autosleep 313 chown system system /sys/power/state 314 chown system system /sys/power/wakeup_count 315 chown radio system /sys/power/wake_lock 316 chown radio system /sys/power/wake_unlock 317 chmod 0660 /sys/power/state 318 chmod 0660 /sys/power/wake_lock 319 chmod 0660 /sys/power/wake_unlock 320 321 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 322 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 323 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 324 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 325 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 326 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 327 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 328 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 329 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 330 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 331 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 332 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 333 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 334 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 335 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 336 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 337 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 338 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 339 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 340 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 341 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 342 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 343 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 344 345 # Assume SMP uses shared cpufreq policy for all CPUs 346 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 347 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 348 349 chown system system /sys/class/timed_output/vibrator/enable 350 chown system system /sys/class/leds/keyboard-backlight/brightness 351 chown system system /sys/class/leds/lcd-backlight/brightness 352 chown system system /sys/class/leds/button-backlight/brightness 353 chown system system /sys/class/leds/jogball-backlight/brightness 354 chown system system /sys/class/leds/red/brightness 355 chown system system /sys/class/leds/green/brightness 356 chown system system /sys/class/leds/blue/brightness 357 chown system system /sys/class/leds/red/device/grpfreq 358 chown system system /sys/class/leds/red/device/grppwm 359 chown system system /sys/class/leds/red/device/blink 360 chown system system /sys/class/timed_output/vibrator/enable 361 chown system system /sys/module/sco/parameters/disable_esco 362 chown system system /sys/kernel/ipv4/tcp_wmem_min 363 chown system system /sys/kernel/ipv4/tcp_wmem_def 364 chown system system /sys/kernel/ipv4/tcp_wmem_max 365 chown system system /sys/kernel/ipv4/tcp_rmem_min 366 chown system system /sys/kernel/ipv4/tcp_rmem_def 367 chown system system /sys/kernel/ipv4/tcp_rmem_max 368 chown root radio /proc/cmdline 369 370# Define TCP buffer sizes for various networks 371# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 372 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 373 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 374 setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152 375 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 376 setprop net.tcp.buffersize.umts 58254,349525,1048576,58254,349525,1048576 377 setprop net.tcp.buffersize.hspa 40778,244668,734003,16777,100663,301990 378 setprop net.tcp.buffersize.hsupa 40778,244668,734003,16777,100663,301990 379 setprop net.tcp.buffersize.hsdpa 61167,367002,1101005,8738,52429,262114 380 setprop net.tcp.buffersize.hspap 122334,734003,2202010,32040,192239,576717 381 setprop net.tcp.buffersize.edge 4093,26280,70800,4096,16384,70800 382 setprop net.tcp.buffersize.gprs 4092,8760,48000,4096,8760,48000 383 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 384 385 class_start core 386 class_start main 387 388on nonencrypted 389 class_start late_start 390 391on charger 392 class_start charger 393 394on property:vold.decrypt=trigger_reset_main 395 class_reset main 396 397on property:vold.decrypt=trigger_load_persist_props 398 load_persist_props 399 400on property:vold.decrypt=trigger_post_fs_data 401 trigger post-fs-data 402 403on property:vold.decrypt=trigger_restart_min_framework 404 class_start main 405 406on property:vold.decrypt=trigger_restart_framework 407 class_start main 408 class_start late_start 409 410on property:vold.decrypt=trigger_shutdown_framework 411 class_reset late_start 412 class_reset main 413 414on property:sys.powerctl=* 415 powerctl ${sys.powerctl} 416 417# system server cannot write to /proc/sys files, so proxy it through init 418on property:sys.sysctl.extra_free_kbytes=* 419 write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} 420 421## Daemon processes to be run by init. 422## 423service ueventd /sbin/ueventd 424 class core 425 critical 426 seclabel u:r:ueventd:s0 427 428service logd /system/bin/logd 429 class core 430 socket logd stream 0666 logd logd 431 socket logdr seqpacket 0666 logd logd 432 socket logdw dgram 0222 logd logd 433 seclabel u:r:logd:s0 434 435service healthd /sbin/healthd 436 class core 437 critical 438 seclabel u:r:healthd:s0 439 440service healthd-charger /sbin/healthd -n 441 class charger 442 critical 443 seclabel u:r:healthd:s0 444 445service console /system/bin/sh 446 class core 447 console 448 disabled 449 user shell 450 group log 451 seclabel u:r:shell:s0 452 453on property:ro.debuggable=1 454 start console 455 456# adbd is controlled via property triggers in init.<platform>.usb.rc 457service adbd /sbin/adbd --root_seclabel=u:r:su:s0 458 class core 459 socket adbd stream 660 system system 460 disabled 461 seclabel u:r:adbd:s0 462 463# adbd on at boot in emulator 464on property:ro.kernel.qemu=1 465 start adbd 466 467service servicemanager /system/bin/servicemanager 468 class core 469 user system 470 group system 471 critical 472 onrestart restart healthd 473 onrestart restart zygote 474 onrestart restart media 475 onrestart restart surfaceflinger 476 onrestart restart drm 477 478service vold /system/bin/vold 479 class core 480 socket vold stream 0660 root mount 481 ioprio be 2 482 483service netd /system/bin/netd 484 class main 485 socket netd stream 0660 root system 486 socket dnsproxyd stream 0660 root inet 487 socket mdns stream 0660 root system 488 489service debuggerd /system/bin/debuggerd 490 class main 491 492service debuggerd64 /system/bin/debuggerd64 493 class main 494 495service ril-daemon /system/bin/rild 496 class main 497 socket rild stream 660 root radio 498 socket rild-debug stream 660 radio system 499 user root 500 group radio cache inet misc audio log 501 502service surfaceflinger /system/bin/surfaceflinger 503 class main 504 user system 505 group graphics drmrpc 506 onrestart restart zygote 507 508service drm /system/bin/drmserver 509 class main 510 user drm 511 group drm system inet drmrpc 512 513service media /system/bin/mediaserver 514 class main 515 user media 516 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm 517 ioprio rt 4 518 519service bootanim /system/bin/bootanimation 520 class main 521 user graphics 522 group graphics 523 disabled 524 oneshot 525 526service installd /system/bin/installd 527 class main 528 socket installd stream 600 system system 529 530service flash_recovery /system/etc/install-recovery.sh 531 class main 532 oneshot 533 534service racoon /system/bin/racoon 535 class main 536 socket racoon stream 600 system system 537 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 538 group vpn net_admin inet 539 disabled 540 oneshot 541 542service mtpd /system/bin/mtpd 543 class main 544 socket mtpd stream 600 system system 545 user vpn 546 group vpn net_admin inet net_raw 547 disabled 548 oneshot 549 550service keystore /system/bin/keystore /data/misc/keystore 551 class main 552 user keystore 553 group keystore drmrpc 554 555service dumpstate /system/bin/dumpstate -s 556 class main 557 socket dumpstate stream 0660 shell log 558 disabled 559 oneshot 560 561service sshd /system/bin/start-ssh 562 class main 563 disabled 564 565service mdnsd /system/bin/mdnsd 566 class main 567 user mdnsr 568 group inet net_raw 569 socket mdnsd stream 0660 mdnsr inet 570 disabled 571 oneshot 572