init.rc revision 3e76e0a49760c4970b7cda6153e51026af98e4f3
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Top-level Android init script: imports, the early-init action and the
# start of the init action. Commands in an action run in the order written.
#

# The third import path is built from the ro.hardware property, so the
# per-device script that gets loaded depends on that property's value.
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.trace.rc

on early-init
    # Set the OOM score adjustment of init (pid 1); forked children inherit it.
    # -1000 exempts the process from the kernel OOM killer.
    write /proc/1/oom_score_adj -1000

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 = check the protection the kernel will actually apply, not the one
    # the caller requested.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

# create mountpoints
    mkdir /mnt 0775 root system

on init

    sysclktz 0

    loglevel 3

# Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
# (on init, continued) vendor symlink, cgroup mounts and the root-level
# directory skeleton with its owners and modes.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

# Create cgroup mount point for memory
# gid=1000 is the system group, matching the "root system" owners below.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    # Top-level mount points. None is world-writable.
    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The 0700 applies to the underlying directory only; once the tmpfs is
    # mounted, its own root mode (0755, group system) is what callers see.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
# (on init, continued) obb mount point, kernel sysctl settings and the
# cpu cgroup hierarchy.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel tunables. The security-relevant ones:
    #   panic_on_oops 1      - a kernel oops panics instead of continuing
    #   randomize_va_space 2 - full address-space randomization, heap included
    #   kptr_restrict 2      - kernel pointers printed with %pK are hidden
    #   dmesg_restrict 1     - reading the kernel log needs privilege
    #   mmap_min_addr 32768  - lowest address user space may map, which
    #                          limits what a kernel NULL dereference can reach
    #   ping_group_range     - the range covers every gid, so any process
    #                          may open an unprivileged ICMP echo socket
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    # NOTE(review): the two 0666 "tasks" files below are world-writable,
    # which the header of this file warns against. Presumably deliberate so
    # that processes can be moved between scheduling groups; confirm that
    # policy constrains who can actually write them.
    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# qtaguid will limit access to specific data based on group memberships.
# (on init, continued) xt_qtaguid access control, fsck log directory and
# pstore; then the post-fs action.
#   net_bw_acct grants impersonation of socket owners.
#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
# Both groups expose other apps' traffic data, so membership is sensitive.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
# (0644: world-readable, writable by the owner only.)
    chmod 0644 /dev/xt_qtaguid

# Create location for fs_mgr to store abbreviated output from filesystem
# checker programs.
    mkdir /dev/fscklogs 0770 root system

# pstore/ramoops previous console log
# Readable by user system and group log only; no access for others.
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops

on post-fs
    # Once everything is set up there is no need to modify /, so the root
    # filesystem is remounted read-only.
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
# (on post-fs, continued) relabel /cache/recovery and restrict kernel
# diagnostic files in /proc; then the start of the post-fs-data action.
    restorecon /cache/recovery

    # Change permissions on vmallocinfo so we can grab it from bugreports.
    # Both files below become readable by root and group log only.
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # Change permissions on kmsg & sysrq-trigger so bugreports can grab
    # kthread stacks.
    # sysrq-trigger is write-only (0220) for root and group system. Write
    # access lets the holder issue any enabled SysRq command, so group system
    # is a sensitive grant here.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # Writing to /dev/urandom mixes the bytes into the pool without crediting
    # entropy, so a stale or missing seed file cannot make things worse.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
# (on post-fs-data, continued) panic dump collection and the /data/misc
# directory tree with per-daemon owners and modes.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger.
    # The copies are readable by group log only (0640 root:log).
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Leading mode digit: 01771 sets the sticky bit on /data/misc, and 02750
    # sets the setgid bit on /data/misc/adb so new entries inherit group
    # shell. Credential stores (keystore, systemkeys) are 0700, owner only.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    restorecon_recursive /data/misc/zoneinfo
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    restorecon_recursive /data/misc/wifi/sockets
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): this file presumably holds Wi-Fi credentials; 0660 keeps
    # it away from "other", but the owning group is not set here. Confirm.
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media
    restorecon_recursive /data/misc/media

    # Set security context of any pre-existing /data/misc/adb/adb_keys file.
    restorecon /data/misc/adb
    restorecon /data/misc/adb/adb_keys

    # For security reasons, /data/local/tmp should always be empty.
# (on post-fs-data, continued) application, cache, DRM and security-policy
# directories under /data.
    # Do not place files or directories in /data/local/tmp
    # (it is owned by shell and 0771, so others can traverse but not list it).
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    # (the chown/chmod also correct a directory that already existed)
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give mediadrm the read/write
    # access to the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm
    restorecon_recursive /data/mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    # 0711 system:system, so only user system can write here.
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    # NOTE(review): this makes the contents of /data/security an input to the
    # active SELinux policy; how it is validated is not visible in this file.
    setprop selinux.reload_policy 1

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
# (on post-fs-data, end) optional completion flag for vold; then the start
# of the boot action.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
# (resource 13, soft and hard limit both 40)
    setrlimit 13 40 40

# Memory management.  Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
# The lowmemorykiller parameters become write-only (0220) for root and
# group system; no other user can change the kill thresholds.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
# (on boot, continued) hand selected sysfs nodes to system/radio, set TCP
# buffer properties and start the service classes; then the property-
# triggered actions.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # Interactive cpufreq governor tunables: owned by system, 0660.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # boostpulse gets a chown only; unlike its neighbours no chmod follows,
    # so it keeps whatever mode the kernel gave it.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    # Ownership only for the nodes below; their modes are left as created.
    # The vibrator "enable" node appears twice in this list; the second
    # chown repeats the first.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144

    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

# The vold.decrypt actions below let the value of one property stop and
# restart whole service classes during encrypted-storage bring-up.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Any value written to sys.powerctl is handed to init's powerctl command, so
# permission to set this property is permission to power off or reboot.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files, so proxy it through init
# NOTE(review): the property value is written to the sysctl as-is, by init.
# Nothing here validates it; confirm that only the intended writer can set
# this property.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

## Daemon processes to be run by init.
##
# Service definitions. For review, read each one for three things:
#   user/group - a service with no "user" line is started as root by init
#   seclabel   - only ueventd, healthd, console and adbd set an SELinux
#                context here; the rest presumably rely on policy-defined
#                domain transitions (confirm against the policy)
#   socket     - the mode and owner decide who can connect to the daemon

service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Shell on the console device, running as user shell. It is "disabled" and
# only started by the ro.debuggable=1 action that follows.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# NOTE(review): no "user" line, so adbd starts as root. --root_seclabel
# presumably names the context it uses when it stays root; confirm that the
# su domain is not present in production policy.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system

# NOTE(review): these sockets are open to every user (0666 read/write,
# 0222 write-only), unlike every other socket in this file. Presumably
# needed so any process can log; access control then rests on logd's own
# checks and on SELinux. Confirm.
service logd /system/bin/logd
    class main
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd

# Restarting servicemanager also restarts the services listed under
# onrestart.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart inputflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main

# Runs as root ("user root" is explicit) with several supplementary groups.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

service inputflinger /system/bin/inputflinger
    class main
    user system
    group input
    onrestart restart zygote

# No "user" line: zygote starts as root. Its socket is limited to root and
# group system.
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

# Unprivileged user, but a broad group set (network, Bluetooth, camera,
# audio, net_bw_acct).
service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# NOTE(review): a shell script started once per boot with class main and no
# "user" line, i.e. as root. Its integrity depends on /system being
# protected from modification; include it in boot-integrity checks.
service flash_recovery /system/bin/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# Disabled by default; what starts it is not shown in this file.
service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot

service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot