init.rc revision 3094f82a8a4d4b8d2725df85a6af9d306b9f8800
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /init.usb.rc
9import /init.${ro.hardware}.rc
10import /init.${ro.zygote}.rc
11import /init.trace.rc
12
# early-init: adjusts init's own OOM score and SELinux state before any
# other process is started, then launches ueventd and creates /mnt.
on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_adj -16

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 makes SELinux check the protection the kernel will actually apply
    # rather than the protection the application requested.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    # NOTE(review): presumably /adb_keys holds adb public keys shipped in the
    # root filesystem; confirm which domains the policy lets read it.
    restorecon /adb_keys

    start ueventd

    # Create mountpoints. This command is still part of the early-init action.
    # 0775 is group-writable for system but not world-writable.
    mkdir /mnt 0775 root system
31
# init: builds the root filesystem skeleton (symlinks, cgroup mounts, mount
# points), writes kernel tunables including the exploit-mitigation sysctls,
# and sets ownership and modes on early control files.
# Commands run in the order listed; several depend on an earlier mkdir/mount.
on init

# NOTE: the unindented commands and comments below still belong to the
# "on init" action; indentation is not significant to init.
sysclktz 0

loglevel 3

# Backward compatibility
    symlink /system/etc /etc
    # NOTE(review): /d is a shortcut to debugfs; what is reachable through it
    # depends on debugfs permissions and SELinux policy, not on this symlink.
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

# Create cgroup mount point for memory
# The tmpfs root is 0750 uid 0 / gid 1000, and the tasks files are 0660
# root:system, so none of the memory cgroup control files are world-accessible.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    # Top-level mount points. The modes given here apply to the bare
    # directories; the post-fs and post-fs-data actions chown/chmod /cache
    # and /data again after the real filesystems are mounted.
    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec  0700 root root

    # Secure container public mount points.
    # The directory is created 0700, but the tmpfs mounted on top of it takes
    # its root mode from the mount options, so the visible mode is 0755.
    mkdir /mnt/asec  0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: the mount options decide the visible mode.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # Panic on a kernel oops instead of continuing to run.
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # Exploit-mitigation sysctls:
    #   randomize_va_space 2 - full address-space randomization, heap included
    #   kptr_restrict 2      - kernel pointers printed with %pK are hidden
    #                          from every user
    #   dmesg_restrict 1     - reading the kernel log requires CAP_SYSLOG
    #   mmap_min_addr 32768  - userspace cannot map the lowest 32 KiB, which
    #                          limits the impact of kernel NULL-pointer bugs
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    # Let every group open unprivileged ICMP echo ("ping") sockets, so ping
    # does not need raw-socket privileges.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file world-writable, which the
    # warning at the top of this file says to avoid. Presumably deliberate so
    # that any process can place its own threads in this group; confirm, and
    # make sure SELinux policy bounds who may write it.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same caveat as apps/tasks above.
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# qtaguid will limit access to specific data based on group memberships.
#   net_bw_acct grants impersonation of socket owners.
#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
# Only the group owner is changed here; no chmod follows, so the modes of
# these two files stay whatever the kernel module created them with.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
# 0644 is world-readable but writable by the owner only.
    chmod 0644 /dev/xt_qtaguid

# Create location for fs_mgr to store abbreviated output from filesystem
# checker programs.
    mkdir /dev/fscklogs 0770 root system
146
# post-fs: locks down the root filesystem and repairs ownership, modes and
# SELinux labels on /cache, then opens selected /proc files to the groups
# named below.
on post-fs
    # once everything is setup, no need to modify /
    # Remounting the rootfs read-only keeps later stages from altering it.
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log - readable by root and the log group, nobody else.
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # /proc/kmsg becomes readable by root and the system group.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    # /proc/sysrq-trigger becomes write-only (0220) for root and the system
    # group.
    # NOTE(review): what is written there is acted on by the kernel's SysRq
    # handler, so membership of the system group is security-relevant here.
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    # 0444: readable by any user, writable by none.
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root
185
# post-fs-data: runs once /data is available. Re-asserts ownership, mode and
# SELinux label on /data, reseeds the kernel random pool, collects panic
# dumps, and creates the /data directory tree with explicit owner/group/mode
# for each entry. None of the modes used here is world-writable.
on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # NOTE(review): writes to /dev/urandom are mixed into the pool but are
    # not credited as entropy; the seed file also has to stay unreadable to
    # untrusted code, which depends on permissions set elsewhere.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    # The copies are restricted to root (rw) and the log group (r).
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Leading mode digits: 01771 sets the sticky bit on /data/misc and 02750
    # sets the setgid bit on /data/misc/adb.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # Key material directories are owner-only (0700).
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): this file presumably holds Wi-Fi network credentials.
    # Only the mode is set here; owner and group are not, so who the group
    # read/write bits apply to is decided elsewhere - confirm.
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    # The directory is owned and writable by shell:shell; others get
    # search (x) permission only.
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    # NOTE(review): this makes a directory on the writable data partition an
    # input to the SELinux policy load. The directory is 0711 system:system;
    # presumably the loader validates what it finds there - confirm.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1
282
# boot: basic network identity, resource limits and VM tunables, then hands
# ownership of power, cpufreq, LED and TCP tuning files to the system/radio
# users, publishes TCP buffer sizes as properties, and starts the core and
# main service classes.
# Unindented comments and commands below still belong to this action.
on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

# Memory management.  Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    # 0664 root:system - writable by root and the system group, readable by
    # everyone.
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio  5

    # Permissions for System Server and daemons.
    # Only /sys/power/state, wake_lock and wake_unlock get an explicit mode
    # (0660); the other files keep the mode the kernel gave them.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # Interactive cpufreq governor tunables: system:system, 0660.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): boostpulse is the only tunable in this group without a
    # chmod; presumably its default mode is already what is wanted - confirm.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    # NOTE(review): repeats the vibrator chown at the start of this group;
    # harmless but redundant.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Group ownership of the kernel command line goes to radio; no chmod
    # follows, so the file mode is left as the kernel set it.
    chown root radio /proc/cmdline

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default  4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte      524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts     58254,349525,1048576,58254,349525,1048576
    setprop net.tcp.buffersize.hspa     40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsupa    40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsdpa    61167,367002,1101005,8738,52429,262114
    setprop net.tcp.buffersize.hspap    122334,734003,2202010,32040,192239,576717
    setprop net.tcp.buffersize.edge     4093,26280,70800,4096,16384,70800
    setprop net.tcp.buffersize.gprs     4092,8760,48000,4096,8760,48000
    setprop net.tcp.buffersize.evdo     4094,87380,262144,4096,16384,262144

    # Start every non-disabled service of class core, then of class main.
    class_start core
    class_start main
387
# Start the late_start class when the "nonencrypted" trigger fires.
on nonencrypted
    class_start late_start

# Start the charger class when the "charger" trigger fires.
on charger
    class_start charger
393
# Actions keyed on the vold.decrypt property. Each value of the property
# maps to one step: resetting or starting service classes, loading persisted
# properties, or re-running the post-fs-data action.
# NOTE(review): whoever may set vold.decrypt can drive these transitions;
# presumably only vold is allowed to - confirm in the property permissions.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main
413
# Any value written to sys.powerctl is handed to the powerctl command.
# NOTE(review): the set of processes allowed to set sys.powerctl is therefore
# the set that can request a power-state change; that set is defined by the
# property permissions, not in this file.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files, so proxy it through init
# The target path is fixed; only the value comes from the property, and init
# writes it without any validation visible here.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
420
421## Daemon processes to be run by init.
422##
# ueventd: binary lives in /sbin and is started explicitly by the early-init
# action. No "user" option is given, so it keeps init's identity.
service ueventd /sbin/ueventd
    class core
    # critical: a critical service that keeps crashing makes init reboot the
    # device into recovery.
    critical
    # Explicit SELinux domain for the process.
    seclabel u:r:ueventd:s0
427
# logd: logging daemon with three sockets created by init and owned by
# logd:logd.
service logd /system/bin/logd
    class core
    # NOTE(review): logd and logdr are 0666 (world read/write) and logdw is
    # 0222 (world write-only), so file modes do not limit who can connect.
    # Access control presumably rests on SELinux policy and on logd's own
    # checks of the peer's credentials - confirm.
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
    seclabel u:r:logd:s0
434
# healthd: same binary registered twice, once for normal boot (class core)
# and once with -n for the charger class. Both are critical and run in the
# healthd SELinux domain; neither sets "user", so both keep init's identity.
service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

service healthd-charger /sbin/healthd -n
    class charger
    critical
    seclabel u:r:healthd:s0
444
# Interactive shell attached to the console device.
# "disabled" keeps it from starting with class core; it runs only when
# something starts it by name.
service console /system/bin/sh
    class core
    console
    disabled
    # Runs as the shell user (plus the log group) in the shell SELinux
    # domain rather than as root.
    user shell
    group log
    seclabel u:r:shell:s0

# The console shell is started here when the build reports ro.debuggable=1.
on property:ro.debuggable=1
    start console
455
# adbd is controlled via property triggers in init.<platform>.usb.rc
# ("disabled" keeps it from starting with class core).
# The control socket is 660 system:system; the process starts in the adbd
# SELinux domain and no "user" option is set.
# NOTE(review): --root_seclabel hands adbd the su domain, presumably the
# context it switches to when it keeps root; verify that this path cannot be
# reached on production (non-debuggable) builds.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
# This starts adbd directly, independent of the USB property triggers.
on property:ro.kernel.qemu=1
    start adbd
466
# servicemanager: runs as system:system and is marked critical.
# The onrestart lines restart the listed services whenever servicemanager
# itself restarts.
# No seclabel is given.
# NOTE(review): the SELinux domain presumably comes from a type transition
# on the executable - confirm in policy.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm
477
# vold: no "user" option, so it keeps init's identity. Its control socket
# is limited to root and the mount group (0660).
# NOTE(review): no seclabel here; the SELinux domain presumably comes from a
# type transition on the executable - confirm in policy.
service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2
482
# netd: no "user" option, so it keeps init's identity. It exposes three
# sockets, each 0660 and owned by root; the group decides who else may
# connect (system for netd and mdns, inet for dnsproxyd).
# NOTE(review): no seclabel here; the SELinux domain presumably comes from a
# type transition on the executable - confirm in policy.
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
488
# debuggerd / debuggerd64: two separately registered binaries. Neither sets
# "user", "group" or "seclabel", so both keep init's identity.
# NOTE(review): confinement presumably relies entirely on an SELinux type
# transition on each executable - confirm in policy.
service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main
494
# ril-daemon: explicitly runs as root, with six supplementary groups.
# Sockets: rild is 660 root:radio; rild-debug is 660 radio:system.
# NOTE(review): a root daemon with a separate debug socket deserves a check
# that rild-debug is needed on production builds, and that SELinux policy
# confines the process - neither is visible in this file.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log
501
# surfaceflinger: runs as the system user with the graphics and drmrpc
# groups. A restart of this service also restarts zygote.
service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote
507
# drm: runs as the dedicated drm user; the group list adds system, inet and
# drmrpc.
service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc
512
# media: runs as the dedicated media user rather than root.
# NOTE(review): the group list is broad (audio, camera, network, Bluetooth,
# bandwidth accounting, DRM); each group is a capability this process
# holds, so it is worth checking that every one is still required.
service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4
518
# bootanim: runs as graphics:graphics. "disabled" means it is started by
# name only, and "oneshot" means init does not restart it after it exits.
service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot
525
# installd: no "user" option, so it keeps init's identity. The control
# socket is 600 system:system, so only the system user can connect.
# NOTE(review): no seclabel here; the SELinux domain presumably comes from a
# type transition on the executable - confirm in policy.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system
529
# flash_recovery: runs a script from /system once per start of class main.
# No "user" option is given, so it keeps init's identity.
# NOTE(review): the script executes with init's privileges, so its integrity
# depends on /system being mounted read-only and verified, and on whatever
# SELinux domain the policy assigns it - neither is set in this file.
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot
533
# racoon: disabled and oneshot, so it runs only when started by name and is
# not restarted after exit. The control socket is 600 system:system.
# No "user" option is given: the process starts with init's identity and,
# per the comment below, drops to the vpn user itself after binding.
service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot
541
# mtpd: runs as the vpn user from the start, with the net_admin, inet and
# net_raw groups. The control socket is 600 system:system.
# Disabled and oneshot: started by name only, not restarted after exit.
service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot
549
# keystore: runs as the dedicated keystore user. Its argument is
# /data/misc/keystore, the directory that the post-fs-data action creates
# as 0700 keystore:keystore.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc
554
# dumpstate: disabled and oneshot, so it runs only when started by name.
# No "user" option is given, so it keeps init's identity; the socket it
# serves is 0660 shell:log.
# NOTE(review): the socket makes output of a process running with init's
# identity available to the shell user and log group; check that what it
# emits is appropriate for those readers.
service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot
560
# sshd: registered but disabled, so nothing in this file starts it.
# No "user" or "seclabel" option is given.
# NOTE(review): if something starts this service by name, the launcher runs
# with init's identity; confirm what enables it and on which builds.
service sshd /system/bin/start-ssh
    class main
    disabled
564
# mdnsd: runs as the dedicated mdnsr user with the inet and net_raw groups.
# The socket is 0660 mdnsr:inet. Disabled and oneshot: started by name only,
# not restarted after exit.
service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot
572