init.rc revision 435a52ef07a5c97bdd717f20cb3115a585eb6d3c
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.usb.rc
8import /init.${ro.hardware}.rc
9import /init.trace.rc
10
# Earliest init stage: adjusts init's OOM score, sets init's SELinux context,
# starts ueventd and creates /mnt.
11on early-init
12    # Set init and its forked children's oom_adj.
13    write /proc/1/oom_adj -16
14
15    # Set the security context for the init process.
16    # This should occur before anything else (e.g. ueventd) is started.
    # Ordering matters: ueventd is started only after setcon, so it is forked
    # from an init that is already in u:r:init:s0.
17    setcon u:r:init:s0
18
19    start ueventd
20
21# create mountpoints
    # 0775 root:system is group-writable but not world-writable.
22    mkdir /mnt 0775 root system
23
# Core init stage: exports the global environment, creates mount points and
# cgroup hierarchies, and writes kernel tunables (including hardening sysctls).
24on init
25
# sysclktz and loglevel are init commands; despite the missing indentation
# they belong to this "on init" section.
26sysclktz 0
27
28loglevel 3
29
30# setup the global environment
    # NOTE(review): every PATH / LD_LIBRARY_PATH entry is searched by processes
    # that inherit this environment, so each directory should live on a
    # partition that is not writable at runtime. /vendor is a symlink to
    # /system/vendor (created below); confirm /sbin and /system are read-only
    # once boot completes.
31    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
32    export LD_LIBRARY_PATH /vendor/lib:/system/lib
33    export ANDROID_BOOTLOGO 1
34    export ANDROID_ROOT /system
35    export ANDROID_ASSETS /system/app
36    export ANDROID_DATA /data
37    export ANDROID_STORAGE /storage
38    export ASEC_MOUNTPOINT /mnt/asec
39    export LOOP_MOUNTPOINT /mnt/obb
40    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar:/system/framework/webviewchromium.jar
41
42# Backward compatibility
43    symlink /system/etc /etc
    # /d exposes debugfs under a short path; access still depends on debugfs
    # being mounted and on its own permissions, neither of which is set here.
44    symlink /sys/kernel/debug /d
45
46# Right now vendor lives on the same filesystem as system,
47# but someday that may change.
48    symlink /system/vendor /vendor
49
50# Create cgroup mount point for cpu accounting
51    mkdir /acct
52    mount cgroup none /acct cpuacct
53    mkdir /acct/uid
54
55# Create cgroup mount point for memory
56    mount tmpfs none /sys/fs/cgroup
57    mkdir /sys/fs/cgroup/memory
58    mount cgroup none /sys/fs/cgroup/memory memory
59    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    # tasks files are 0660 root:system: only root and gid system can move
    # tasks into the memory cgroups.
60    chown root system /sys/fs/cgroup/memory/tasks
61    chmod 0660 /sys/fs/cgroup/memory/tasks
62    mkdir /sys/fs/cgroup/memory/sw
63    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
64    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
65    chown root system /sys/fs/cgroup/memory/sw/tasks
66    chmod 0660 /sys/fs/cgroup/memory/sw/tasks
67
68    mkdir /system
    # /data is 0771: "other" gets search (x) only, so paths can be traversed
    # but the directory cannot be listed by unprivileged uids.
69    mkdir /data 0771 system system
70    mkdir /cache 0770 system cache
71    mkdir /config 0500 root root
72
73    # See storage config details at http://source.android.com/tech/storage/
74    mkdir /mnt/shell 0700 shell shell
    # 0050: the owner (root) has no mode bits; only group sdcard_r gets r-x.
75    mkdir /storage 0050 root sdcard_r
76
77    # Directory for putting things only root should see.
78    mkdir /mnt/secure 0700 root root
79    # Create private mountpoint so we can MS_MOVE from staging
80    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0
81
82    # Directory for staging bindmounts
83    mkdir /mnt/secure/staging 0700 root root
84
85    # Directory-target for where the secure container
86    # imagefile directory will be bind-mounted
87    mkdir /mnt/secure/asec  0700 root root
88
89    # Secure container public mount points.
    # The mkdir mode (0700) applies to the underlying directory; the tmpfs
    # mounted on top is created with mode=0755, so the visible mount point is
    # world-readable and world-searchable. gid=1000 is presumably the numeric
    # id of the "system" group named in the mkdir line - confirm.
90    mkdir /mnt/asec  0700 root system
91    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
92
93    # Filesystem image public mount points.
94    mkdir /mnt/obb 0700 root system
95    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
96
    # Kernel tunables. The security-relevant ones are annotated individually.
    # panic_on_oops=1: panic on a kernel oops rather than keep running.
97    write /proc/sys/kernel/panic_on_oops 1
    # hung_task_timeout_secs=0 turns the hung-task detector off.
98    write /proc/sys/kernel/hung_task_timeout_secs 0
    # ARM-specific alignment-trap mode; presumably 4 selects "signal on
    # unaligned access" - confirm against the kernel documentation.
99    write /proc/cpu/alignment 4
100    write /proc/sys/kernel/sched_latency_ns 10000000
101    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
102    write /proc/sys/kernel/sched_compat_yield 1
103    write /proc/sys/kernel/sched_child_runs_first 0
    # randomize_va_space=2: full ASLR (stack, mmap and heap/brk randomised).
104    write /proc/sys/kernel/randomize_va_space 2
    # kptr_restrict=2: kernel pointers printed via %pK are hidden from all users.
105    write /proc/sys/kernel/kptr_restrict 2
    # dmesg_restrict=1: reading the kernel log requires privilege.
106    write /proc/sys/kernel/dmesg_restrict 1
    # mmap_min_addr=32768: userspace cannot map the lowest 32 KiB, which
    # blunts exploitation of kernel NULL-pointer dereferences.
107    write /proc/sys/vm/mmap_min_addr 32768
    # The full gid range is allowed to create unprivileged ICMP echo sockets.
108    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
109    write /proc/sys/kernel/sched_rt_runtime_us 950000
110    write /proc/sys/kernel/sched_rt_period_us 1000000
111
112# Create cgroup mount points for process groups
113    mkdir /dev/cpuctl
114    mount cgroup none /dev/cpuctl cpu
115    chown system system /dev/cpuctl
116    chown system system /dev/cpuctl/tasks
117    chmod 0660 /dev/cpuctl/tasks
118    write /dev/cpuctl/cpu.shares 1024
119    write /dev/cpuctl/cpu.rt_runtime_us 950000
120    write /dev/cpuctl/cpu.rt_period_us 1000000
121
122    mkdir /dev/cpuctl/apps
123    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file world-writable, which the
    # header of this file warns against. With this mode the kernel's own
    # cgroup attach permission checks are the only remaining gate on who can
    # move a task into this group - confirm they are sufficient.
124    chmod 0666 /dev/cpuctl/apps/tasks
125    write /dev/cpuctl/apps/cpu.shares 1024
126    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
127    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
128
129    mkdir /dev/cpuctl/apps/bg_non_interactive
130    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same concern as apps/tasks above.
131    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
132    # 5.0 %
133    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
134    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
135    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
136
137# qtaguid will limit access to specific data based on group memberships.
138#   net_bw_acct grants impersonation of socket owners.
139#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    # Only the group is changed here; the mode bits of ctrl and stats are left
    # as the kernel module created them.
140    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
141    chown root net_bw_stats /proc/net/xt_qtaguid/stats
142
143# Allow everybody to read the xt_qtaguid resource tracking misc dev.
144# This is needed by any process that uses socket tagging.
    # 0644: world-readable, writable by the owner only.
145    chmod 0644 /dev/xt_qtaguid
146
# Mounts the yaffs2 MTD partitions: /system (ends up read-only), /data and
# /cache.
147on fs
148# mount mtd partitions
149    # Mount /system rw first to give the filesystem a chance to save a checkpoint
150    mount yaffs2 mtd@system /system
    # From here on /system is read-only, so binaries and libraries on it
    # cannot be modified without another remount.
151    mount yaffs2 mtd@system /system ro remount
    # nosuid,nodev on the writable partitions: setuid/setgid bits and device
    # nodes placed on /data or /cache are not honoured. noexec is not set.
152    mount yaffs2 mtd@userdata /data nosuid nodev
153    mount yaffs2 mtd@cache /cache nosuid nodev
154
# Runs after the filesystems are mounted: locks down the root filesystem,
# re-applies ownership/labels on /cache, and opens selected /proc files to
# the log and system groups for bugreports.
155on post-fs
156    # once everything is setup, no need to modify /
157    mount rootfs rootfs / ro remount
158    # mount shared so changes propagate into child namespaces
159    mount rootfs rootfs / shared rec
    # /mnt/secure is made private so mounts under it do not propagate.
160    mount tmpfs tmpfs /mnt/secure private rec
161
162    # We chown/chmod /cache again because mount is run as root + defaults
163    chown system cache /cache
164    chmod 0770 /cache
165    # We restorecon /cache in case the cache partition has been reset.
166    restorecon /cache
167
168    # This may have been created by the recovery system with odd permissions
169    chown system cache /cache/recovery
170    chmod 0770 /cache/recovery
171    # This may have been created by the recovery system with the wrong context.
172    restorecon /cache/recovery
173
174    #change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log - readable by root and group log only.
175    chown root log /proc/vmallocinfo
176    chmod 0440 /proc/vmallocinfo
177
178    chown root log /proc/slabinfo
179    chmod 0440 /proc/slabinfo
180
181    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
182    chown root system /proc/kmsg
183    chmod 0440 /proc/kmsg
    # NOTE(review): 0220 root:system lets any process with gid system write to
    # sysrq-trigger, which reaches every SysRq function the kernel has
    # enabled, not only the stack dump the comment above mentions. Confirm the
    # set of enabled SysRq functions is restricted accordingly.
184    chown root system /proc/sysrq-trigger
185    chmod 0220 /proc/sysrq-trigger
186    chown system log /proc/last_kmsg
187    chmod 0440 /proc/last_kmsg
188
189    # create the lost+found directories, so as to enforce our permissions
190    mkdir /cache/lost+found 0770 root root
191
# Runs once /data is available: fixes ownership and labels on /data, collects
# apanic dumps, and creates the /data directory skeleton with explicit modes.
192on post-fs-data
193    # We chown/chmod /data again because mount is run as root + defaults
194    chown system system /data
195    chmod 0771 /data
196    # We restorecon /data in case the userdata partition has been reset.
197    restorecon /data
198
199    # Create dump dir and collect dumps.
200    # Do this before we mount cache so eventually we can use cache for
201    # storing dumps on platforms which do not have a dedicated dump partition.
202    mkdir /data/dontpanic 0750 root log
203
204    # Collect apanic data, free resources and re-arm trigger
    # The copied dumps are restricted to root (rw) and group log (r).
205    copy /proc/apanic_console /data/dontpanic/apanic_console
206    chown root log /data/dontpanic/apanic_console
207    chmod 0640 /data/dontpanic/apanic_console
208
209    copy /proc/apanic_threads /data/dontpanic/apanic_threads
210    chown root log /data/dontpanic/apanic_threads
211    chmod 0640 /data/dontpanic/apanic_threads
212
213    write /proc/apanic_console 1
214
215    # create basic filesystem structure
    # 01771: sticky bit set, so entries can only be removed or renamed by
    # their owner (or the directory owner), not by every writer.
216    mkdir /data/misc 01771 system misc
    # 02750: setgid directory, new entries inherit group shell.
217    mkdir /data/misc/adb 02750 system shell
218    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
219    mkdir /data/misc/bluetooth 0770 system system
    # Key material directories are owner-only (0700).
220    mkdir /data/misc/keystore 0700 keystore keystore
221    mkdir /data/misc/keychain 0771 system system
222    mkdir /data/misc/sms 0770 system radio
223    mkdir /data/misc/zoneinfo 0775 system system
224    mkdir /data/misc/vpn 0770 system vpn
225    mkdir /data/misc/systemkeys 0700 system system
226    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): only the mode of wpa_supplicant.conf is set here; its
    # owner and group are not changed in this section, so who the 0660
    # actually admits depends on how the file was created - confirm.
227    mkdir /data/misc/wifi 0770 wifi wifi
228    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
229    mkdir /data/local 0751 root root
230    mkdir /data/misc/media 0700 media media
231
232    # For security reasons, /data/local/tmp should always be empty.
233    # Do not place files or directories in /data/local/tmp
    # 0771 shell:shell: writable by the shell user/group, search-only for
    # everyone else.
234    mkdir /data/local/tmp 0771 shell shell
235    mkdir /data/data 0771 system system
236    mkdir /data/app-private 0771 system system
237    mkdir /data/app-asec 0700 root root
238    mkdir /data/app-lib 0771 system system
239    mkdir /data/app 0771 system system
240    mkdir /data/property 0700 root root
241    mkdir /data/ssh 0750 root shell
242    mkdir /data/ssh/empty 0700 root root
243
244    # create dalvik-cache, so as to enforce our permissions
245    mkdir /data/dalvik-cache 0771 system system
246
247    # create resource-cache and double-check the perms
248    mkdir /data/resource-cache 0771 system system
249    chown system system /data/resource-cache
250    chmod 0771 /data/resource-cache
251
252    # create the lost+found directories, so as to enforce our permissions
253    mkdir /data/lost+found 0770 root root
254
255    # create directory for DRM plug-ins - give drm the read/write access to
256    # the following directory.
257    mkdir /data/drm 0770 drm drm
258
259    # create directory for MediaDrm plug-ins - give drm the read/write access to
260    # the following directory.
261    mkdir /data/mediadrm 0770 mediadrm mediadrm
262
263    # symlink to bugreport storage location
264    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
265
266    # Separate location for storing security policy files on data
    # 0711: only system can list or write; others can traverse by known name.
267    mkdir /data/security 0711 system system
268
269    # If there is no post-fs-data action in the init.<device>.rc file, you
270    # must uncomment this line, otherwise encrypted filesystems
271    # won't work.
272    # Set indication (checked by vold) that we have finished this action
273    #setprop vold.post_fs_data_done 1
274
# Boot stage: basic network setup, memory tunables, hand-over of sysfs/procfs
# nodes to the system and radio users, TCP buffer properties, and finally the
# start of the core and main service classes.
275on boot
276# basic network init
277    ifup lo
278    hostname localhost
279    domainname localdomain
280
281# set RLIMIT_NICE to allow priorities from 19 to -20
282    setrlimit 13 40 40
283
284# Memory management.  Basic kernel parameters, and allow the high
285# level system server to be able to adjust the kernel OOM driver
286# parameters to match how it is managing things.
287    write /proc/sys/vm/overcommit_memory 1
288    write /proc/sys/vm/min_free_order_shift 4
    # 0664 root:system: gid system can retune the low-memory killer; the
    # values stay world-readable.
289    chown root system /sys/module/lowmemorykiller/parameters/adj
290    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
291    chown root system /sys/module/lowmemorykiller/parameters/minfree
292    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
293
294    # Tweak background writeout
295    write /proc/sys/vm/dirty_expire_centisecs 200
296    write /proc/sys/vm/dirty_background_ratio  5
297
298    # Permissions for System Server and daemons.
    # The /sys/android_power nodes are only chown'ed; no chmod is applied to
    # them in this section, so their mode bits stay as the kernel set them.
299    chown radio system /sys/android_power/state
300    chown radio system /sys/android_power/request_state
301    chown radio system /sys/android_power/acquire_full_wake_lock
302    chown radio system /sys/android_power/acquire_partial_wake_lock
303    chown radio system /sys/android_power/release_wake_lock
304    chown system system /sys/power/autosleep
305    chown system system /sys/power/state
306    chown system system /sys/power/wakeup_count
307    chown radio system /sys/power/wake_lock
308    chown radio system /sys/power/wake_unlock
309    chmod 0660 /sys/power/state
310    chmod 0660 /sys/power/wake_lock
311    chmod 0660 /sys/power/wake_unlock
312
    # cpufreq "interactive" governor knobs: owned by system, mode 0660.
313    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
314    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
315    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
316    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
317    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
318    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
319    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
320    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
321    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
322    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
323    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
324    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
325    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
326    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
327    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
328    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # boostpulse is the only knob in this group without a matching chmod.
329    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
330    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
331    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
332    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
333    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
334    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
335    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
336
337    # Assume SMP uses shared cpufreq policy for all CPUs
338    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
339    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
340
341    chown system system /sys/class/timed_output/vibrator/enable
342    chown system system /sys/class/leds/keyboard-backlight/brightness
343    chown system system /sys/class/leds/lcd-backlight/brightness
344    chown system system /sys/class/leds/button-backlight/brightness
345    chown system system /sys/class/leds/jogball-backlight/brightness
346    chown system system /sys/class/leds/red/brightness
347    chown system system /sys/class/leds/green/brightness
348    chown system system /sys/class/leds/blue/brightness
349    chown system system /sys/class/leds/red/device/grpfreq
350    chown system system /sys/class/leds/red/device/grppwm
351    chown system system /sys/class/leds/red/device/blink
    # Repeats the vibrator chown from the top of this group.
352    chown system system /sys/class/timed_output/vibrator/enable
353    chown system system /sys/module/sco/parameters/disable_esco
354    chown system system /sys/kernel/ipv4/tcp_wmem_min
355    chown system system /sys/kernel/ipv4/tcp_wmem_def
356    chown system system /sys/kernel/ipv4/tcp_wmem_max
357    chown system system /sys/kernel/ipv4/tcp_rmem_min
358    chown system system /sys/kernel/ipv4/tcp_rmem_def
359    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Group becomes radio; the mode of /proc/cmdline is not changed here.
360    chown root radio /proc/cmdline
361
362# Set these so we can remotely update SELinux policy
    # NOTE(review): this hands DAC ownership of the policy-load and enforce
    # nodes to the system uid. Whether a system-uid process can actually load
    # policy or switch enforcement then depends only on the SELinux policy's
    # own load_policy/setenforce rules - confirm those are limited to the
    # intended domain.
363    chown system system /sys/fs/selinux/load
364    chown system system /sys/fs/selinux/enforce
365
366# Define TCP buffer sizes for various networks
367#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
368    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
369    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
370    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
371    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
372    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
373    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
374    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
375    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
376    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
377    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
378    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
379
    # Start every service of class core, then class main, that is not marked
    # "disabled".
380    class_start core
381    class_start main
382
# On the "nonencrypted" trigger, start the late_start service class.
# (The trigger name suggests it fires when /data is not encrypted - confirm.)
383on nonencrypted
384    class_start late_start
385
# On the "charger" trigger, start only the charger service class.
386on charger
387    class_start charger
388
# When vold.decrypt becomes trigger_reset_main, stop the services of class
# main; class_reset leaves them eligible to be started again by class_start.
389on property:vold.decrypt=trigger_reset_main
390    class_reset main
391
# When vold.decrypt becomes trigger_load_persist_props, load the persistent
# properties (presumably because /data has only now become readable - confirm).
392on property:vold.decrypt=trigger_load_persist_props
393    load_persist_props
394
# When vold.decrypt becomes trigger_post_fs_data, run the "on post-fs-data"
# actions by raising that trigger.
395on property:vold.decrypt=trigger_post_fs_data
396    trigger post-fs-data
397
# When vold.decrypt becomes trigger_restart_min_framework, start class main
# only; late_start services are not started by this action.
398on property:vold.decrypt=trigger_restart_min_framework
399    class_start main
400
# When vold.decrypt becomes trigger_restart_framework, start both the main
# and late_start service classes.
401on property:vold.decrypt=trigger_restart_framework
402    class_start main
403    class_start late_start
404
# When vold.decrypt becomes trigger_shutdown_framework, stop late_start
# first and then main.
405on property:vold.decrypt=trigger_shutdown_framework
406    class_reset late_start
407    class_reset main
408
# Fires on any value written to sys.powerctl and passes that value to the
# powerctl builtin. Who is allowed to set the property is decided by the
# property service's permissions, which are not part of this file.
409on property:sys.powerctl=*
410    powerctl ${sys.powerctl}
411
412## Daemon processes to be run by init.
413##
# ueventd: class core, marked critical, and pinned to its own SELinux domain
# with an explicit seclabel. No "user" line, so it runs as root.
414service ueventd /sbin/ueventd
415    class core
416    critical
417    seclabel u:r:ueventd:s0
418
# When selinux.reload_policy is set to 1, restart ueventd and installd
# (presumably so they pick up the newly loaded policy - confirm).
419on property:selinux.reload_policy=1
420    restart ueventd
421    restart installd
422
# Interactive shell on the console device, run as user shell with group log.
# "disabled" keeps it from starting with class core; in this file it is only
# started by the ro.debuggable=1 trigger. There is no seclabel line, so its
# SELinux domain comes from whatever transition the loaded policy defines.
423service console /system/bin/sh
424    class core
425    console
426    disabled
427    user shell
428    group log
429
# Debuggable builds only: start the console shell service.
430on property:ro.debuggable=1
431    start console
432
433# adbd is controlled via property triggers in init.<platform>.usb.rc
# adb daemon: disabled by default, with a control socket restricted to
# system:system (660) and an explicit SELinux label. There is no "user" line,
# so init starts it as root; any privilege drop would have to happen inside
# adbd itself (not visible here).
434service adbd /sbin/adbd
435    class core
436    socket adbd stream 660 system system
437    disabled
438    seclabel u:r:adbd:s0
439
440# adbd on at boot in emulator
# Emulator only (ro.kernel.qemu=1): start adbd unconditionally.
441on property:ro.kernel.qemu=1
442    start adbd
443
# servicemanager: runs as system:system and is marked critical. When it
# restarts, the services listed under onrestart are restarted with it.
444service servicemanager /system/bin/servicemanager
445    class core
446    user system
447    group system
448    critical
449    onrestart restart zygote
450    onrestart restart media
451    onrestart restart surfaceflinger
452    onrestart restart drm
453
# Volume daemon: no "user" line, so it runs as root. Its control socket is
# limited to root and group mount (0660).
454service vold /system/bin/vold
455    class core
456    socket vold stream 0660 root mount
457    ioprio be 2
458
459service netd /system/bin/netd
460    class main
461    socket netd stream 0660 root system
462    socket dnsproxyd stream 0660 root inet
463    socket mdns stream 0660 root system
464
# Crash-dump daemon: no user, group or seclabel lines, so it runs as root
# with init's default settings.
465service debuggerd /system/bin/debuggerd
466    class main
467
# Radio interface daemon: explicitly started as root with a set of
# supplementary groups; exposes the rild socket to group radio and a debug
# socket owned by radio with group system.
# NOTE(review): rild-debug is created unconditionally here, not only on
# debuggable builds - confirm that is intended.
468service ril-daemon /system/bin/rild
469    class main
470    socket rild stream 660 root radio
471    socket rild-debug stream 660 radio system
472    user root
473    group radio cache inet misc audio log
474
# Display compositor: runs as system with groups graphics and drmrpc; a
# restart of it also restarts zygote.
475service surfaceflinger /system/bin/surfaceflinger
476    class main
477    user system
478    group graphics drmrpc
479    onrestart restart zygote
480
# Zygote: no "user" line, so it starts as root. Its socket is restricted to
# root and group system (660). On restart it wakes the device via the power
# nodes and restarts media and netd.
481service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
482    class main
483    socket zygote stream 660 root system
484    onrestart write /sys/android_power/request_state wake
485    onrestart write /sys/power/state on
486    onrestart restart media
487    onrestart restart netd
488
# DRM server: runs as the dedicated drm user with groups drm, system, inet
# and drmrpc.
489service drm /system/bin/drmserver
490    class main
491    user drm
492    group drm system inet drmrpc
493
# Media server: runs as the dedicated media user. The group list gives it
# audio, camera, network (inet), Bluetooth, bandwidth-accounting and DRM
# access, which is worth keeping in mind when judging the impact of a
# compromise of this process.
494service media /system/bin/mediaserver
495    class main
496    user media
497    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
498    ioprio rt 4
499
# Boot animation: runs as graphics:graphics, is not started with its class
# (disabled) and is not restarted when it exits (oneshot).
500service bootanim /system/bin/bootanimation
501    class main
502    user graphics
503    group graphics
504    disabled
505    oneshot
506
# Package install daemon: no "user" line, so it runs as root. Its socket is
# 600 system:system, i.e. only the system uid can connect.
507service installd /system/bin/installd
508    class main
509    socket installd stream 600 system system
510
# Runs /system/etc/install-recovery.sh once per start of class main. There is
# no "user" line, so the script executes as root; its integrity therefore
# rests on /system staying read-only.
511service flash_recovery /system/etc/install-recovery.sh
512    class main
513    oneshot
514
# IKE daemon for VPN: started on demand only (disabled, oneshot). No "user"
# line, so init starts it as root; per the comment below it changes uid to
# vpn itself after binding its port. The control socket is 600 system:system.
515service racoon /system/bin/racoon
516    class main
517    socket racoon stream 600 system system
518    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
519    group vpn net_admin inet
520    disabled
521    oneshot
522
# PPTP/L2TP daemon for VPN: started on demand only (disabled, oneshot), runs
# as user vpn with network-related groups; control socket is 600
# system:system.
523service mtpd /system/bin/mtpd
524    class main
525    socket mtpd stream 600 system system
526    user vpn
527    group vpn net_admin inet net_raw
528    disabled
529    oneshot
530
# Keystore daemon: runs as the dedicated keystore user and is given
# /data/misc/keystore as its argument; "on post-fs-data" creates that
# directory 0700 keystore:keystore.
531service keystore /system/bin/keystore /data/misc/keystore
532    class main
533    user keystore
534    group keystore drmrpc
535
# Bugreport collector: started on demand only (disabled, oneshot). No "user"
# line, so it runs as root; its output socket is readable and writable by
# user shell and group log (0660).
536service dumpstate /system/bin/dumpstate -s
537    class main
538    socket dumpstate stream 0660 shell log
539    disabled
540    oneshot
541
# SSH launcher script: disabled, so it only runs when something starts it
# explicitly. No "user" line, so it would start as root.
542service sshd /system/bin/start-ssh
543    class main
544    disabled
545
# mDNS responder: started on demand only (disabled, oneshot), runs as the
# dedicated mdnsr user with groups inet and net_raw; socket is 0660
# mdnsr:inet.
546service mdnsd /system/bin/mdnsd
547    class main
548    user mdnsr
549    group inet net_raw
550    socket mdnsd stream 0660 mdnsr inet
551    disabled
552    oneshot
552    oneshot
553