init.rc revision 3e54aabc63535572242477fadbf13ec42b06649e
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.usb.rc
8import /init.${ro.hardware}.rc
9import /init.trace.rc
10
11on early-init
    # Commands in an action are executed by init itself, so everything in this
    # file's "on" sections runs with init's privileges.
12    # Set init and its forked children's oom_adj.
    # -16 is one step above -17, the value that exempts a process from the OOM
    # killer in the legacy oom_adj interface.
13    write /proc/1/oom_adj -16
14
15    # Set the security context for the init process.
16    # This should occur before anything else (e.g. ueventd) is started.
17    setcon u:r:init:s0
18
19    start ueventd
20
21# create mountpoints
    # The mkdir below still belongs to the early-init action. Mode 0775 gives
    # write access to owner root and group system only (not world-writable).
22    mkdir /mnt 0775 root system
23
24on init
    # Builds the global environment, the early mount points, kernel sysctls and
    # the cpu cgroup hierarchy. The unindented commands below (sysclktz,
    # loglevel) are still part of this action.
25
26sysclktz 0
27
28loglevel 3
29
30# setup the global environment
    # Exported variables are inherited by every process init starts afterwards,
    # so each directory named in PATH and LD_LIBRARY_PATH is part of the trusted
    # code path. NOTE(review): confirm on the device image that none of them is
    # writable by a non-root user.
31    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
32    export LD_LIBRARY_PATH /vendor/lib:/system/lib
33    export ANDROID_BOOTLOGO 1
34    export ANDROID_ROOT /system
35    export ANDROID_ASSETS /system/app
36    export ANDROID_DATA /data
37    export ANDROID_STORAGE /storage
38    export ASEC_MOUNTPOINT /mnt/asec
39    export LOOP_MOUNTPOINT /mnt/obb
40    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar
41
42# Backward compatibility
43    symlink /system/etc /etc
    # /d is only an alias; who can read debugfs is decided where debugfs is
    # mounted and by its own file modes, neither of which is shown in this file.
44    symlink /sys/kernel/debug /d
45
46# Right now vendor lives on the same filesystem as system,
47# but someday that may change.
48    symlink /system/vendor /vendor
49
50# Create cgroup mount point for cpu accounting
51    mkdir /acct
52    mount cgroup none /acct cpuacct
53    mkdir /acct/uid
54
55    mkdir /system
56    mkdir /data 0771 system system
57    mkdir /cache 0770 system cache
58    mkdir /config 0500 root root
59
60    # See storage config details at http://source.android.com/tech/storage/
61    mkdir /mnt/shell 0700 shell shell
    # 0050: no owner or other bits; only group sdcard_r gets read + search.
62    mkdir /storage 0050 root sdcard_r
63
64    # Directory for putting things only root should see.
65    mkdir /mnt/secure 0700 root root
66    # Create private mountpoint so we can MS_MOVE from staging
67    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0
68
69    # Directory for staging bindmounts
70    mkdir /mnt/secure/staging 0700 root root
71
72    # Directory-target for where the secure container
73    # imagefile directory will be bind-mounted
74    mkdir /mnt/secure/asec  0700 root root
75
76    # Secure container public mount points.
    # The 0700 applies to the underlying directory only. Once the tmpfs is
    # mounted, its own mode=0755 governs access, so the mount point is readable
    # and searchable by everyone (gid 1000 is the system group in Android's
    # static id table). The same holds for /mnt/obb below.
77    mkdir /mnt/asec  0700 root system
78    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
79
80    # Filesystem image public mount points.
81    mkdir /mnt/obb 0700 root system
82    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
83
    # Kernel behaviour and scheduler tuning. panic_on_oops=1 makes the kernel
    # panic on an oops instead of continuing in a possibly corrupted state.
84    write /proc/sys/kernel/panic_on_oops 1
85    write /proc/sys/kernel/hung_task_timeout_secs 0
86    write /proc/cpu/alignment 4
87    write /proc/sys/kernel/sched_latency_ns 10000000
88    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
89    write /proc/sys/kernel/sched_compat_yield 1
90    write /proc/sys/kernel/sched_child_runs_first 0
    # Exploit-mitigation sysctls:
    #   randomize_va_space=2  full address-space randomization, heap included
    #   kptr_restrict=2       kernel pointers printed via %pK are hidden from
    #                         every reader
    #   dmesg_restrict=1      reading the kernel log needs a capability
    #   mmap_min_addr=32768   user space cannot map the lowest 32 KiB, which
    #                         limits the impact of kernel NULL-pointer bugs
    # A device-specific init.*.rc imported at the top of this file could write
    # weaker values later; check those files when auditing a build.
91    write /proc/sys/kernel/randomize_va_space 2
92    write /proc/sys/kernel/kptr_restrict 2
93    write /proc/sys/kernel/dmesg_restrict 1
94    write /proc/sys/vm/mmap_min_addr 32768
95    write /proc/sys/kernel/sched_rt_runtime_us 950000
96    write /proc/sys/kernel/sched_rt_period_us 1000000
97
98# Create cgroup mount points for process groups
99    mkdir /dev/cpuctl
100    mount cgroup none /dev/cpuctl cpu
101    chown system system /dev/cpuctl
102    chown system system /dev/cpuctl/tasks
    # The root group's tasks file is limited to system:system (0660).
103    chmod 0660 /dev/cpuctl/tasks
104    write /dev/cpuctl/cpu.shares 1024
105    write /dev/cpuctl/cpu.rt_runtime_us 950000
106    write /dev/cpuctl/cpu.rt_period_us 1000000
107
108    mkdir /dev/cpuctl/apps
109    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file world-writable, which is exactly
    # what the header of this file warns against. Any process can open it for
    # writing; which tasks a writer may actually move is then left to the
    # kernel's cgroup attach check — confirm that check on the target kernel.
110    chmod 0666 /dev/cpuctl/apps/tasks
111    write /dev/cpuctl/apps/cpu.shares 1024
112    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
113    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
114
115    mkdir /dev/cpuctl/apps/bg_non_interactive
116    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same consideration as apps/tasks.
117    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
118    # 5.0 %
119    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
120    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
121    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
122
123# qtaguid will limit access to specific data based on group memberships.
124#   net_bw_acct grants impersonation of socket owners.
125#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    # Only ownership is changed here; the file modes of ctrl and stats are
    # whatever the kernel module created them with.
126    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
127    chown root net_bw_stats /proc/net/xt_qtaguid/stats
128
129# Allow everybody to read the xt_qtaguid resource tracking misc dev.
130# This is needed by any process that uses socket tagging.
    # 0644: world-readable, writable by the owner only.
131    chmod 0644 /dev/xt_qtaguid
132
133on fs
    # Mounts the three MTD partitions. /system ends up read-only; the writable
    # partitions (/data, /cache) are mounted nosuid,nodev, so setuid bits and
    # device nodes placed on them are not honoured.
134# mount mtd partitions
135    # Mount /system rw first to give the filesystem a chance to save a checkpoint
136    mount yaffs2 mtd@system /system
137    mount yaffs2 mtd@system /system ro remount
138    mount yaffs2 mtd@userdata /data nosuid nodev
139    mount yaffs2 mtd@cache /cache nosuid nodev
140
141on post-fs
    # Locks down the root filesystem, then re-applies ownership, mode and
    # SELinux labels on /cache and opens selected /proc files to the log and
    # system groups for bug reports.
142    # once everything is setup, no need to modify /
143    mount rootfs rootfs / ro remount
144    # mount shared so changes propagate into child namespaces
145    mount rootfs rootfs / shared rec
    # /mnt/secure is made private so mounts under it do not propagate.
146    mount tmpfs tmpfs /mnt/secure private rec
147
148    # We chown/chmod /cache again because mount is run as root + defaults
149    chown system cache /cache
150    chmod 0770 /cache
151    # We restorecon /cache in case the cache partition has been reset.
152    restorecon /cache
153
154    # This may have been created by the recovery system with odd permissions
155    chown system cache /cache/recovery
156    chmod 0770 /cache/recovery
157    # This may have been created by the recovery system with the wrong context.
158    restorecon /cache/recovery
159
160    # change permissions on vmallocinfo so we can grab it from bugreports
    # Both files expose kernel memory-layout details; 0440 root:log keeps them
    # unreadable for ordinary apps.
161    chown root log /proc/vmallocinfo
162    chmod 0440 /proc/vmallocinfo
163
164    chown root log /proc/slabinfo
165    chmod 0440 /proc/slabinfo
166
167    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # NOTE(review): this gives group system read access to the kernel log and
    # write access to sysrq-trigger (0220 = write-only for owner and group).
    # Every process running with gid system therefore inherits both abilities.
168    chown root system /proc/kmsg
169    chmod 0440 /proc/kmsg
170    chown root system /proc/sysrq-trigger
171    chmod 0220 /proc/sysrq-trigger
172    chown system log /proc/last_kmsg
173    chmod 0440 /proc/last_kmsg
174
175    # create the lost+found directories, so as to enforce our permissions
176    mkdir /cache/lost+found 0770 root root
177
178on post-fs-data
    # Re-applies ownership on /data and creates its directory skeleton. Each
    # mkdir states mode, owner and group explicitly; none of the modes below
    # grants write access to "other".
179    # We chown/chmod /data again because mount is run as root + defaults
180    chown system system /data
181    chmod 0771 /data
182    # We restorecon /data in case the userdata partition has been reset.
183    restorecon /data
184
185    # Create dump dir and collect dumps.
186    # Do this before we mount cache so eventually we can use cache for
187    # storing dumps on platforms which do not have a dedicated dump partition.
188    mkdir /data/dontpanic 0750 root log
189
190    # Collect apanic data, free resources and re-arm trigger
    # The copies are restricted to root and group log (0640), since panic
    # output can contain kernel addresses and process state.
191    copy /proc/apanic_console /data/dontpanic/apanic_console
192    chown root log /data/dontpanic/apanic_console
193    chmod 0640 /data/dontpanic/apanic_console
194
195    copy /proc/apanic_threads /data/dontpanic/apanic_threads
196    chown root log /data/dontpanic/apanic_threads
197    chmod 0640 /data/dontpanic/apanic_threads
198
199    write /proc/apanic_console 1
200
201    # create basic filesystem structure
    # 01771 sets the sticky bit on /data/misc; 02750 sets setgid on
    # /data/misc/adb so new entries inherit group shell.
202    mkdir /data/misc 01771 system misc
203    mkdir /data/misc/adb 02750 system shell
204    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
205    mkdir /data/misc/bluetooth 0770 system system
    # Key material directories are owner-only (0700).
206    mkdir /data/misc/keystore 0700 keystore keystore
207    mkdir /data/misc/keychain 0771 system system
208    mkdir /data/misc/sms 0770 system radio
209    mkdir /data/misc/zoneinfo 0775 system system
210    mkdir /data/misc/vpn 0770 system vpn
211    mkdir /data/misc/systemkeys 0700 system system
212    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): only the mode is set here; the owner and group of
    # wpa_supplicant.conf are whatever its creator used, so who "0660" admits
    # cannot be told from this file. The file presumably holds Wi-Fi
    # credentials — confirm ownership on the device.
213    mkdir /data/misc/wifi 0770 wifi wifi
214    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
215    mkdir /data/local 0751 root root
216
217    # For security reasons, /data/local/tmp should always be empty.
218    # Do not place files or directories in /data/local/tmp
    # The directory is writable by user and group shell.
219    mkdir /data/local/tmp 0771 shell shell
220    mkdir /data/data 0771 system system
221    mkdir /data/app-private 0771 system system
222    mkdir /data/app-asec 0700 root root
223    mkdir /data/app-lib 0771 system system
224    mkdir /data/app 0771 system system
225    mkdir /data/property 0700 root root
226    mkdir /data/ssh 0750 root shell
227    mkdir /data/ssh/empty 0700 root root
228
229    # create dalvik-cache, so as to enforce our permissions
230    mkdir /data/dalvik-cache 0771 system system
231
232    # create resource-cache and double-check the perms
233    mkdir /data/resource-cache 0771 system system
234    chown system system /data/resource-cache
235    chmod 0771 /data/resource-cache
236
237    # create the lost+found directories, so as to enforce our permissions
238    mkdir /data/lost+found 0770 root root
239
240    # create directory for DRM plug-ins - give drm the read/write access to
241    # the following directory.
242    mkdir /data/drm 0770 drm drm
243
244    # If there is no post-fs-data action in the init.<device>.rc file, you
245    # must uncomment this line, otherwise encrypted filesystems
246    # won't work.
247    # Set indication (checked by vold) that we have finished this action
248    #setprop vold.post_fs_data_done 1
249
250on boot
    # Network basics, memory-management tunables, sysfs ownership hand-over to
    # the system and radio users, TCP buffer properties, then start of the
    # core and main service classes.
251# basic network init
252    ifup lo
253    hostname localhost
254    domainname localdomain
255
256# set RLIMIT_NICE to allow priorities from 19 to -20
257    setrlimit 13 40 40
258
259# Memory management.  Basic kernel parameters, and allow the high
260# level system server to be able to adjust the kernel OOM driver
261# parameters to match how it is managing things.
262    write /proc/sys/vm/overcommit_memory 1
263    write /proc/sys/vm/min_free_order_shift 4
    # 0664 root:system: group system may change the low-memory-killer
    # thresholds; everyone else can only read them.
264    chown root system /sys/module/lowmemorykiller/parameters/adj
265    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
266    chown root system /sys/module/lowmemorykiller/parameters/minfree
267    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
268
269    # Tweak background writeout
270    write /proc/sys/vm/dirty_expire_centisecs 200
271    write /proc/sys/vm/dirty_background_ratio  5
272
273    # Permissions for System Server and daemons.
    # Only /sys/power/state, wake_lock and wake_unlock get an explicit mode
    # (0660) below; the other nodes keep the mode the kernel gave them.
274    chown radio system /sys/android_power/state
275    chown radio system /sys/android_power/request_state
276    chown radio system /sys/android_power/acquire_full_wake_lock
277    chown radio system /sys/android_power/acquire_partial_wake_lock
278    chown radio system /sys/android_power/release_wake_lock
279    chown system system /sys/power/autosleep
280    chown system system /sys/power/state
281    chown system system /sys/power/wakeup_count
282    chown radio system /sys/power/wake_lock
283    chown radio system /sys/power/wake_unlock
284    chmod 0660 /sys/power/state
285    chmod 0660 /sys/power/wake_lock
286    chmod 0660 /sys/power/wake_unlock
287
    # cpufreq "interactive" governor tunables, handed to system:system.
288    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
289    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
290    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
291    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
292    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
293    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
294    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
295    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
296    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
297    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
298    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
299    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # boostpulse is the one tunable in this group without a chmod.
300    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
301    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
302    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
303
304    # Assume SMP uses shared cpufreq policy for all CPUs
305    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
306    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
307
308    chown system system /sys/class/timed_output/vibrator/enable
309    chown system system /sys/class/leds/keyboard-backlight/brightness
310    chown system system /sys/class/leds/lcd-backlight/brightness
311    chown system system /sys/class/leds/button-backlight/brightness
312    chown system system /sys/class/leds/jogball-backlight/brightness
313    chown system system /sys/class/leds/red/brightness
314    chown system system /sys/class/leds/green/brightness
315    chown system system /sys/class/leds/blue/brightness
316    chown system system /sys/class/leds/red/device/grpfreq
317    chown system system /sys/class/leds/red/device/grppwm
318    chown system system /sys/class/leds/red/device/blink
    # NOTE(review): the next seven chown lines repeat the LED and vibrator
    # chowns issued just above; they are redundant but harmless.
319    chown system system /sys/class/leds/red/brightness
320    chown system system /sys/class/leds/green/brightness
321    chown system system /sys/class/leds/blue/brightness
322    chown system system /sys/class/leds/red/device/grpfreq
323    chown system system /sys/class/leds/red/device/grppwm
324    chown system system /sys/class/leds/red/device/blink
325    chown system system /sys/class/timed_output/vibrator/enable
326    chown system system /sys/module/sco/parameters/disable_esco
327    chown system system /sys/kernel/ipv4/tcp_wmem_min
328    chown system system /sys/kernel/ipv4/tcp_wmem_def
329    chown system system /sys/kernel/ipv4/tcp_wmem_max
330    chown system system /sys/kernel/ipv4/tcp_rmem_min
331    chown system system /sys/kernel/ipv4/tcp_rmem_def
332    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Ownership only: the mode of /proc/cmdline is not changed here.
333    chown root radio /proc/cmdline
334
335# Define TCP buffer sizes for various networks
336#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax
337    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
338    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
339    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
340    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
341    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
342    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
343    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
344    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
345    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
346    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
347    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
348
349# Set this property so surfaceflinger is not started by system_init
350    setprop system_init.startsurfaceflinger 0
351
    # Starts every non-disabled service declared with "class core", then those
    # with "class main".
352    class_start core
353    class_start main
354
355on nonencrypted
    # Starts the late_start class. NOTE(review): presumably triggered when
    # /data is not encrypted — the trigger source is not in this file.
356    class_start late_start
357
358on charger
    # Starts only the services declared with "class charger"; none is defined
    # in this file.
359    class_start charger
360
    # Property triggers driven by vold.decrypt. Each action fires when the
    # property takes the named value. class_reset stops the services of a class
    # without disabling them, so a later class_start brings them back.
    # NOTE(review): the sequence of values is set by vold, which is not shown
    # here; these actions trust whoever is allowed to set vold.decrypt.
361on property:vold.decrypt=trigger_reset_main
362    class_reset main
363
364on property:vold.decrypt=trigger_load_persist_props
365    load_persist_props
366
367on property:vold.decrypt=trigger_post_fs_data
    # Re-runs the post-fs-data action defined earlier in this file.
368    trigger post-fs-data
369
370on property:vold.decrypt=trigger_restart_min_framework
371    class_start main
372
373on property:vold.decrypt=trigger_restart_framework
374    class_start main
375    class_start late_start
376
377on property:vold.decrypt=trigger_shutdown_framework
378    class_reset late_start
379    class_reset main
380
381## Daemon processes to be run by init.
382##
    # No "user" option, so the service runs as root (init's default).
    # "critical" makes init reboot the device into recovery if the service
    # keeps exiting; "seclabel" sets the SELinux context used at exec.
383service ueventd /sbin/ueventd
384    class core
385    critical
386    seclabel u:r:ueventd:s0
387
    # Restarts ueventd and installd when selinux.reload_policy becomes 1.
    # NOTE(review): who may set that property is decided by the property
    # service's permission table, which is not part of this file.
388on property:selinux.reload_policy=1
389    restart ueventd
390    restart installd
391
    # Shell attached to the console device, running as user shell with
    # supplementary group log. "disabled" keeps it from starting with its
    # class; it only runs when started by name.
392service console /system/bin/sh
393    class core
394    console
395    disabled
396    user shell
397    group log
398
    # On builds with ro.debuggable=1 the console shell is started, so anyone
    # with access to the console gets a shell as user shell. Production builds
    # should ship with ro.debuggable=0.
399on property:ro.debuggable=1
400    start console
401
402# adbd is controlled via property triggers in init.<platform>.usb.rc
    # No "user" option: init starts adbd as root. NOTE(review): whether the
    # daemon drops privileges afterwards is decided inside adbd, not here.
    # The control socket is 660 system:system; seclabel fixes the SELinux
    # context at exec.
403service adbd /sbin/adbd
404    class core
405    socket adbd stream 660 system system
406    disabled
407    seclabel u:r:adbd:s0
408
409# adbd on at boot in emulator
    # ro.kernel.qemu=1 starts adbd unconditionally, bypassing the USB property
    # triggers mentioned above. NOTE(review): the property name suggests it
    # comes from the kernel command line — confirm it cannot be set on
    # physical devices.
410on property:ro.kernel.qemu=1
411    start adbd
412
    # Runs as system:system. Marked critical; when it restarts, zygote, media,
    # surfaceflinger and drm are restarted as well.
413service servicemanager /system/bin/servicemanager
414    class core
415    user system
416    group system
417    critical
418    onrestart restart zygote
419    onrestart restart media
420    onrestart restart surfaceflinger
421    onrestart restart drm
422
    # No "user" option: runs as root. Its control socket is 0660 root:mount,
    # so membership in group mount is what grants access to it.
423service vold /system/bin/vold
424    class core
425    socket vold stream 0660 root mount
426    ioprio be 2
427
    # No "user" option: runs as root. Three sockets are created: netd and mdns
    # for root:system, and dnsproxyd for root:inet, which makes dnsproxyd
    # reachable by every process holding group inet.
428service netd /system/bin/netd
429    class main
430    socket netd stream 0660 root system
431    socket dnsproxyd stream 0660 root inet
432    socket mdns stream 0660 root system
433
    # No "user" option: runs as root. No socket is declared here, so any IPC
    # endpoint it exposes is created by the daemon itself.
434service debuggerd /system/bin/debuggerd
435    class main
436
    # Explicitly started as root with six supplementary groups.
    # NOTE(review): whether rild drops root after start-up is decided inside
    # the daemon. rild-debug is a second socket, owned radio:system.
437service ril-daemon /system/bin/rild
438    class main
439    socket rild stream 660 root radio
440    socket rild-debug stream 660 radio system
441    user root
442    group radio cache inet misc audio log
443
    # Runs as user system with groups graphics and drmrpc; a restart also
    # restarts zygote.
444service surfaceflinger /system/bin/surfaceflinger
445    class main
446    user system
447    group graphics drmrpc
448    onrestart restart zygote
449
    # No "user" option: starts as root. The zygote socket is 660 root:system,
    # so only root and group system can connect to it; that ownership is the
    # access control for the socket as far as this file shows.
    # On restart, init wakes the device and restarts media and netd.
450service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
451    class main
452    socket zygote stream 660 root system
453    onrestart write /sys/android_power/request_state wake
454    onrestart write /sys/power/state on
455    onrestart restart media
456    onrestart restart netd
457
    # Runs as user drm; supplementary groups include system and inet.
458service drm /system/bin/drmserver
459    class main
460    user drm
461    group drm system inet drmrpc
462
    # Runs as user media, not root, but with a wide set of supplementary
    # groups (audio, camera, network, Bluetooth, bandwidth accounting, drmrpc).
    # Each group listed widens what a compromised mediaserver could reach.
463service media /system/bin/mediaserver
464    class main
465    user media
466    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc
467    ioprio rt 4
468
    # Runs as graphics:graphics. disabled + oneshot: started by name only and
    # not restarted after it exits.
469service bootanim /system/bin/bootanimation
470    class main
471    user graphics
472    group graphics
473    disabled
474    oneshot
475
    # No "user" option: runs as root. The socket is 600 system:system, so only
    # user system can connect (group gets no access).
476service installd /system/bin/installd
477    class main
478    socket installd stream 600 system system
479
    # No "user" option: this shell script runs once as root on every start of
    # class main. Its integrity rests on /system being mounted read-only; a
    # change to this file on a device is worth treating as a tamper indicator.
480service flash_recovery /system/etc/install-recovery.sh
481    class main
482    oneshot
483
    # No "user" option: starts as root; per the comment below it switches to
    # vpn after binding the port. disabled + oneshot: started by name only.
484service racoon /system/bin/racoon
485    class main
486    socket racoon stream 600 system system
487    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
488    group vpn net_admin inet
489    disabled
490    oneshot
491
    # Runs as user vpn from the start; groups include net_admin and net_raw.
    # The control socket is 600 system:system.
492service mtpd /system/bin/mtpd
493    class main
494    socket mtpd stream 600 system system
495    user vpn
496    group vpn net_admin inet net_raw
497    disabled
498    oneshot
499
    # Runs as its own user keystore; the directory passed as argument is the
    # 0700 keystore:keystore directory created in post-fs-data.
500service keystore /system/bin/keystore /data/misc/keystore
501    class main
502    user keystore
503    group keystore drmrpc
504
    # No "user" option: runs as root. The socket is 0660 shell:log, so user
    # shell and group log can read whatever dumpstate sends over it.
    # disabled + oneshot: started by name only.
505service dumpstate /system/bin/dumpstate -s
506    class main
507    socket dumpstate stream 0660 shell log
508    disabled
509    oneshot
510
    # No "user" option: the start script runs as root. "disabled" means it is
    # never started with class main; something must start it by name.
511service sshd /system/bin/start-ssh
512    class main
513    disabled
514
    # Runs as user mdnsr with groups inet and net_raw; its socket is 0660
    # mdnsr:inet. disabled + oneshot: started by name only.
515service mdnsd /system/bin/mdnsd
516    class main
517    user mdnsr
518    group inet net_raw
519    socket mdnsd stream 0660 mdnsr inet
520    disabled
521    oneshot
522