init.rc revision 435a52ef07a5c97bdd717f20cb3115a585eb6d3c
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.usb.rc 8import /init.${ro.hardware}.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ANDROID_STORAGE /storage 38 export ASEC_MOUNTPOINT /mnt/asec 39 export LOOP_MOUNTPOINT /mnt/obb 40 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar:/system/framework/webviewchromium.jar 41 42# Backward compatibility 43 symlink /system/etc /etc 44 symlink /sys/kernel/debug /d 45 46# Right now vendor lives on the same filesystem as system, 47# but someday that may change. 48 symlink /system/vendor /vendor 49 50# Create cgroup mount point for cpu accounting 51 mkdir /acct 52 mount cgroup none /acct cpuacct 53 mkdir /acct/uid 54 55# Create cgroup mount point for memory 56 mount tmpfs none /sys/fs/cgroup 57 mkdir /sys/fs/cgroup/memory 58 mount cgroup none /sys/fs/cgroup/memory memory 59 write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 60 chown root system /sys/fs/cgroup/memory/tasks 61 chmod 0660 /sys/fs/cgroup/memory/tasks 62 mkdir /sys/fs/cgroup/memory/sw 63 write /sys/fs/cgroup/memory/sw/memory.swappiness 100 64 write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 65 chown root system /sys/fs/cgroup/memory/sw/tasks 66 chmod 0660 /sys/fs/cgroup/memory/sw/tasks 67 68 mkdir /system 69 mkdir /data 0771 system system 70 mkdir /cache 0770 system cache 71 mkdir /config 0500 root root 72 73 # See storage config details at http://source.android.com/tech/storage/ 74 mkdir /mnt/shell 0700 shell shell 75 mkdir /storage 0050 root sdcard_r 76 77 # Directory for putting things only root should see. 78 mkdir /mnt/secure 0700 root root 79 # Create private mountpoint so we can MS_MOVE from staging 80 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 81 82 # Directory for staging bindmounts 83 mkdir /mnt/secure/staging 0700 root root 84 85 # Directory-target for where the secure container 86 # imagefile directory will be bind-mounted 87 mkdir /mnt/secure/asec 0700 root root 88 89 # Secure container public mount points. 90 mkdir /mnt/asec 0700 root system 91 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 92 93 # Filesystem image public mount points. 94 mkdir /mnt/obb 0700 root system 95 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 96 97 write /proc/sys/kernel/panic_on_oops 1 98 write /proc/sys/kernel/hung_task_timeout_secs 0 99 write /proc/cpu/alignment 4 100 write /proc/sys/kernel/sched_latency_ns 10000000 101 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 102 write /proc/sys/kernel/sched_compat_yield 1 103 write /proc/sys/kernel/sched_child_runs_first 0 104 write /proc/sys/kernel/randomize_va_space 2 105 write /proc/sys/kernel/kptr_restrict 2 106 write /proc/sys/kernel/dmesg_restrict 1 107 write /proc/sys/vm/mmap_min_addr 32768 108 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 109 write /proc/sys/kernel/sched_rt_runtime_us 950000 110 write /proc/sys/kernel/sched_rt_period_us 1000000 111 112# Create cgroup mount points for process groups 113 mkdir /dev/cpuctl 114 mount cgroup none /dev/cpuctl cpu 115 chown system system /dev/cpuctl 116 chown system system /dev/cpuctl/tasks 117 chmod 0660 /dev/cpuctl/tasks 118 write /dev/cpuctl/cpu.shares 1024 119 write /dev/cpuctl/cpu.rt_runtime_us 950000 120 write /dev/cpuctl/cpu.rt_period_us 1000000 121 122 mkdir /dev/cpuctl/apps 123 chown system system /dev/cpuctl/apps/tasks 124 chmod 0666 /dev/cpuctl/apps/tasks 125 write /dev/cpuctl/apps/cpu.shares 1024 126 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 127 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 128 129 mkdir /dev/cpuctl/apps/bg_non_interactive 130 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 131 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 132 # 5.0 % 133 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 134 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 135 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 136 137# qtaguid will limit access to specific data based on group memberships. 138# net_bw_acct grants impersonation of socket owners. 139# net_bw_stats grants access to other apps' detailed tagged-socket stats. 140 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 141 chown root net_bw_stats /proc/net/xt_qtaguid/stats 142 143# Allow everybody to read the xt_qtaguid resource tracking misc dev. 144# This is needed by any process that uses socket tagging. 145 chmod 0644 /dev/xt_qtaguid 146 147on fs 148# mount mtd partitions 149 # Mount /system rw first to give the filesystem a chance to save a checkpoint 150 mount yaffs2 mtd@system /system 151 mount yaffs2 mtd@system /system ro remount 152 mount yaffs2 mtd@userdata /data nosuid nodev 153 mount yaffs2 mtd@cache /cache nosuid nodev 154 155on post-fs 156 # once everything is setup, no need to modify / 157 mount rootfs rootfs / ro remount 158 # mount shared so changes propagate into child namespaces 159 mount rootfs rootfs / shared rec 160 mount tmpfs tmpfs /mnt/secure private rec 161 162 # We chown/chmod /cache again so because mount is run as root + defaults 163 chown system cache /cache 164 chmod 0770 /cache 165 # We restorecon /cache in case the cache partition has been reset. 166 restorecon /cache 167 168 # This may have been created by the recovery system with odd permissions 169 chown system cache /cache/recovery 170 chmod 0770 /cache/recovery 171 # This may have been created by the recovery system with the wrong context. 172 restorecon /cache/recovery 173 174 #change permissions on vmallocinfo so we can grab it from bugreports 175 chown root log /proc/vmallocinfo 176 chmod 0440 /proc/vmallocinfo 177 178 chown root log /proc/slabinfo 179 chmod 0440 /proc/slabinfo 180 181 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 182 chown root system /proc/kmsg 183 chmod 0440 /proc/kmsg 184 chown root system /proc/sysrq-trigger 185 chmod 0220 /proc/sysrq-trigger 186 chown system log /proc/last_kmsg 187 chmod 0440 /proc/last_kmsg 188 189 # create the lost+found directories, so as to enforce our permissions 190 mkdir /cache/lost+found 0770 root root 191 192on post-fs-data 193 # We chown/chmod /data again so because mount is run as root + defaults 194 chown system system /data 195 chmod 0771 /data 196 # We restorecon /data in case the userdata partition has been reset. 197 restorecon /data 198 199 # Create dump dir and collect dumps. 200 # Do this before we mount cache so eventually we can use cache for 201 # storing dumps on platforms which do not have a dedicated dump partition. 202 mkdir /data/dontpanic 0750 root log 203 204 # Collect apanic data, free resources and re-arm trigger 205 copy /proc/apanic_console /data/dontpanic/apanic_console 206 chown root log /data/dontpanic/apanic_console 207 chmod 0640 /data/dontpanic/apanic_console 208 209 copy /proc/apanic_threads /data/dontpanic/apanic_threads 210 chown root log /data/dontpanic/apanic_threads 211 chmod 0640 /data/dontpanic/apanic_threads 212 213 write /proc/apanic_console 1 214 215 # create basic filesystem structure 216 mkdir /data/misc 01771 system misc 217 mkdir /data/misc/adb 02750 system shell 218 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 219 mkdir /data/misc/bluetooth 0770 system system 220 mkdir /data/misc/keystore 0700 keystore keystore 221 mkdir /data/misc/keychain 0771 system system 222 mkdir /data/misc/sms 0770 system radio 223 mkdir /data/misc/zoneinfo 0775 system system 224 mkdir /data/misc/vpn 0770 system vpn 225 mkdir /data/misc/systemkeys 0700 system system 226 # give system access to wpa_supplicant.conf for backup and restore 227 mkdir /data/misc/wifi 0770 wifi wifi 228 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 229 mkdir /data/local 0751 root root 230 mkdir /data/misc/media 0700 media media 231 232 # For security reasons, /data/local/tmp should always be empty. 233 # Do not place files or directories in /data/local/tmp 234 mkdir /data/local/tmp 0771 shell shell 235 mkdir /data/data 0771 system system 236 mkdir /data/app-private 0771 system system 237 mkdir /data/app-asec 0700 root root 238 mkdir /data/app-lib 0771 system system 239 mkdir /data/app 0771 system system 240 mkdir /data/property 0700 root root 241 mkdir /data/ssh 0750 root shell 242 mkdir /data/ssh/empty 0700 root root 243 244 # create dalvik-cache, so as to enforce our permissions 245 mkdir /data/dalvik-cache 0771 system system 246 247 # create resource-cache and double-check the perms 248 mkdir /data/resource-cache 0771 system system 249 chown system system /data/resource-cache 250 chmod 0771 /data/resource-cache 251 252 # create the lost+found directories, so as to enforce our permissions 253 mkdir /data/lost+found 0770 root root 254 255 # create directory for DRM plug-ins - give drm the read/write access to 256 # the following directory. 257 mkdir /data/drm 0770 drm drm 258 259 # create directory for MediaDrm plug-ins - give drm the read/write access to 260 # the following directory. 261 mkdir /data/mediadrm 0770 mediadrm mediadrm 262 263 # symlink to bugreport storage location 264 symlink /data/data/com.android.shell/files/bugreports /data/bugreports 265 266 # Separate location for storing security policy files on data 267 mkdir /data/security 0711 system system 268 269 # If there is no fs-post-data action in the init.<device>.rc file, you 270 # must uncomment this line, otherwise encrypted filesystems 271 # won't work. 272 # Set indication (checked by vold) that we have finished this action 273 #setprop vold.post_fs_data_done 1 274 275on boot 276# basic network init 277 ifup lo 278 hostname localhost 279 domainname localdomain 280 281# set RLIMIT_NICE to allow priorities from 19 to -20 282 setrlimit 13 40 40 283 284# Memory management. Basic kernel parameters, and allow the high 285# level system server to be able to adjust the kernel OOM driver 286# parameters to match how it is managing things. 287 write /proc/sys/vm/overcommit_memory 1 288 write /proc/sys/vm/min_free_order_shift 4 289 chown root system /sys/module/lowmemorykiller/parameters/adj 290 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 291 chown root system /sys/module/lowmemorykiller/parameters/minfree 292 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 293 294 # Tweak background writeout 295 write /proc/sys/vm/dirty_expire_centisecs 200 296 write /proc/sys/vm/dirty_background_ratio 5 297 298 # Permissions for System Server and daemons. 299 chown radio system /sys/android_power/state 300 chown radio system /sys/android_power/request_state 301 chown radio system /sys/android_power/acquire_full_wake_lock 302 chown radio system /sys/android_power/acquire_partial_wake_lock 303 chown radio system /sys/android_power/release_wake_lock 304 chown system system /sys/power/autosleep 305 chown system system /sys/power/state 306 chown system system /sys/power/wakeup_count 307 chown radio system /sys/power/wake_lock 308 chown radio system /sys/power/wake_unlock 309 chmod 0660 /sys/power/state 310 chmod 0660 /sys/power/wake_lock 311 chmod 0660 /sys/power/wake_unlock 312 313 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 314 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 315 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 316 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 317 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 318 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 319 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 320 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 321 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 322 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 323 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 324 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 325 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 326 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 327 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 328 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 329 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 330 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 331 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 332 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 333 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 334 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 335 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 336 337 # Assume SMP uses shared cpufreq policy for all CPUs 338 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 339 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 340 341 chown system system /sys/class/timed_output/vibrator/enable 342 chown system system /sys/class/leds/keyboard-backlight/brightness 343 chown system system /sys/class/leds/lcd-backlight/brightness 344 chown system system /sys/class/leds/button-backlight/brightness 345 chown system system /sys/class/leds/jogball-backlight/brightness 346 chown system system /sys/class/leds/red/brightness 347 chown system system /sys/class/leds/green/brightness 348 chown system system /sys/class/leds/blue/brightness 349 chown system system /sys/class/leds/red/device/grpfreq 350 chown system system /sys/class/leds/red/device/grppwm 351 chown system system /sys/class/leds/red/device/blink 352 chown system system /sys/class/timed_output/vibrator/enable 353 chown system system /sys/module/sco/parameters/disable_esco 354 chown system system /sys/kernel/ipv4/tcp_wmem_min 355 chown system system /sys/kernel/ipv4/tcp_wmem_def 356 chown system system /sys/kernel/ipv4/tcp_wmem_max 357 chown system system /sys/kernel/ipv4/tcp_rmem_min 358 chown system system /sys/kernel/ipv4/tcp_rmem_def 359 chown system system /sys/kernel/ipv4/tcp_rmem_max 360 chown root radio /proc/cmdline 361 362# Set these so we can remotely update SELinux policy 363 chown system system /sys/fs/selinux/load 364 chown system system /sys/fs/selinux/enforce 365 366# Define TCP buffer sizes for various networks 367# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 368 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 369 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 370 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 371 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 372 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 373 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 374 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 375 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 376 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 377 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 378 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 379 380 class_start core 381 class_start main 382 383on nonencrypted 384 class_start late_start 385 386on charger 387 class_start charger 388 389on property:vold.decrypt=trigger_reset_main 390 class_reset main 391 392on property:vold.decrypt=trigger_load_persist_props 393 load_persist_props 394 395on property:vold.decrypt=trigger_post_fs_data 396 trigger post-fs-data 397 398on property:vold.decrypt=trigger_restart_min_framework 399 class_start main 400 401on property:vold.decrypt=trigger_restart_framework 402 class_start main 403 class_start late_start 404 405on property:vold.decrypt=trigger_shutdown_framework 406 class_reset late_start 407 class_reset main 408 409on property:sys.powerctl=* 410 powerctl ${sys.powerctl} 411 412## Daemon processes to be run by init. 413## 414service ueventd /sbin/ueventd 415 class core 416 critical 417 seclabel u:r:ueventd:s0 418 419on property:selinux.reload_policy=1 420 restart ueventd 421 restart installd 422 423service console /system/bin/sh 424 class core 425 console 426 disabled 427 user shell 428 group log 429 430on property:ro.debuggable=1 431 start console 432 433# adbd is controlled via property triggers in init.<platform>.usb.rc 434service adbd /sbin/adbd 435 class core 436 socket adbd stream 660 system system 437 disabled 438 seclabel u:r:adbd:s0 439 440# adbd on at boot in emulator 441on property:ro.kernel.qemu=1 442 start adbd 443 444service servicemanager /system/bin/servicemanager 445 class core 446 user system 447 group system 448 critical 449 onrestart restart zygote 450 onrestart restart media 451 onrestart restart surfaceflinger 452 onrestart restart drm 453 454service vold /system/bin/vold 455 class core 456 socket vold stream 0660 root mount 457 ioprio be 2 458 459service netd /system/bin/netd 460 class main 461 socket netd stream 0660 root system 462 socket dnsproxyd stream 0660 root inet 463 socket mdns stream 0660 root system 464 465service debuggerd /system/bin/debuggerd 466 class main 467 468service ril-daemon /system/bin/rild 469 class main 470 socket rild stream 660 root radio 471 socket rild-debug stream 660 radio system 472 user root 473 group radio cache inet misc audio log 474 475service surfaceflinger /system/bin/surfaceflinger 476 class main 477 user system 478 group graphics drmrpc 479 onrestart restart zygote 480 481service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 482 class main 483 socket zygote stream 660 root system 484 onrestart write /sys/android_power/request_state wake 485 onrestart write /sys/power/state on 486 onrestart restart media 487 onrestart restart netd 488 489service drm /system/bin/drmserver 490 class main 491 user drm 492 group drm system inet drmrpc 493 494service media /system/bin/mediaserver 495 class main 496 user media 497 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm 498 ioprio rt 4 499 500service bootanim /system/bin/bootanimation 501 class main 502 user graphics 503 group graphics 504 disabled 505 oneshot 506 507service installd /system/bin/installd 508 class main 509 socket installd stream 600 system system 510 511service flash_recovery /system/etc/install-recovery.sh 512 class main 513 oneshot 514 515service racoon /system/bin/racoon 516 class main 517 socket racoon stream 600 system system 518 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 519 group vpn net_admin inet 520 disabled 521 oneshot 522 523service mtpd /system/bin/mtpd 524 class main 525 socket mtpd stream 600 system system 526 user vpn 527 group vpn net_admin inet net_raw 528 disabled 529 oneshot 530 531service keystore /system/bin/keystore /data/misc/keystore 532 class main 533 user keystore 534 group keystore drmrpc 535 536service dumpstate /system/bin/dumpstate -s 537 class main 538 socket dumpstate stream 0660 shell log 539 disabled 540 oneshot 541 542service sshd /system/bin/start-ssh 543 class main 544 disabled 545 546service mdnsd /system/bin/mdnsd 547 class main 548 user mdnsr 549 group inet net_raw 550 socket mdnsd stream 0660 mdnsr inet 551 disabled 552 oneshot 553