init.rc revision 4456a55ce69cd5b8ad39349ed55d3efc3512bffa
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /init.usb.rc
9import /init.${ro.hardware}.rc
10import /init.${ro.zygote}.rc
11import /init.trace.rc
12
# Action run on the early-init trigger: protects init from the OOM killer,
# tightens SELinux PROT_EXEC checking, moves init into its own SELinux
# context, then starts ueventd and creates /mnt.
13on early-init
14    # Set init and its forked children's oom_adj.
    # -16 sits near the bottom of the oom_adj range, so the OOM killer will
    # pick almost any other process before init.
15    write /proc/1/oom_adj -16
16
17    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 makes SELinux check the protection the kernel will actually apply,
    # not only the protection the caller requested.
18    write /sys/fs/selinux/checkreqprot 0
19
20    # Set the security context for the init process.
21    # This should occur before anything else (e.g. ueventd) is started.
22    setcon u:r:init:s0
23
24    # Set the security context of /adb_keys if present.
25    restorecon /adb_keys
26
27    start ueventd
28
29# create mountpoints
    # 0775 root:system: writable by root and the system group, read/search
    # only for everyone else.
30    mkdir /mnt 0775 root system
31
# Action run on the init trigger: creates the base directory layout and the
# cgroup mount points, and writes kernel tunables, several of which are
# exploit-mitigation settings.
32on init
33
34sysclktz 0
35
36loglevel 3
37
38# Backward compatibility
39    symlink /system/etc /etc
40    symlink /sys/kernel/debug /d
41
42# Right now vendor lives on the same filesystem as system,
43# but someday that may change.
44    symlink /system/vendor /vendor
45
46# Create cgroup mount point for cpu accounting
47    mkdir /acct
48    mount cgroup none /acct cpuacct
49    mkdir /acct/uid
50
51# Create cgroup mount point for memory
    # gid=1000 is the numeric id of the system group; with mode=0750 only root
    # and that group can enter /sys/fs/cgroup.
52    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
53    mkdir /sys/fs/cgroup/memory 0750 root system
54    mount cgroup none /sys/fs/cgroup/memory memory
55    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    # tasks files are 0660 root:system, so only root and the system group can
    # move processes into these memory cgroups.
56    chown root system /sys/fs/cgroup/memory/tasks
57    chmod 0660 /sys/fs/cgroup/memory/tasks
58    mkdir /sys/fs/cgroup/memory/sw 0750 root system
59    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
60    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
61    chown root system /sys/fs/cgroup/memory/sw/tasks
62    chmod 0660 /sys/fs/cgroup/memory/sw/tasks
63
64    mkdir /system
65    mkdir /data 0771 system system
66    mkdir /cache 0770 system cache
67    mkdir /config 0500 root root
68
69    # See storage config details at http://source.android.com/tech/storage/
70    mkdir /mnt/shell 0700 shell shell
71    mkdir /mnt/media_rw 0700 media_rw media_rw
72    mkdir /storage 0751 root sdcard_r
73
74    # Directory for putting things only root should see.
75    mkdir /mnt/secure 0700 root root
76
77    # Directory for staging bindmounts
78    mkdir /mnt/secure/staging 0700 root root
79
80    # Directory-target for where the secure container
81    # imagefile directory will be bind-mounted
82    mkdir /mnt/secure/asec  0700 root root
83
84    # Secure container public mount points.
    # The 0700 applies to the underlying directory only; once the tmpfs is
    # mounted on top, the visible mode is the 0755 given in the mount options.
85    mkdir /mnt/asec  0700 root system
86    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
87
88    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: 0700 underneath, 0755 once the tmpfs is mounted.
89    mkdir /mnt/obb 0700 root system
90    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
91
    # Treat a kernel oops as fatal instead of continuing on a possibly
    # corrupted kernel.
92    write /proc/sys/kernel/panic_on_oops 1
93    write /proc/sys/kernel/hung_task_timeout_secs 0
94    write /proc/cpu/alignment 4
95    write /proc/sys/kernel/sched_latency_ns 10000000
96    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
97    write /proc/sys/kernel/sched_compat_yield 1
98    write /proc/sys/kernel/sched_child_runs_first 0
    # Exploit-mitigation settings in the next five writes:
    #   randomize_va_space 2  full ASLR, including the heap (brk)
    #   kptr_restrict 2       kernel pointers printed with %pK are hidden from every user
    #   dmesg_restrict 1      reading the kernel log requires CAP_SYSLOG
    #   mmap_min_addr 32768   user space cannot map the lowest 32 KiB, which
    #                         limits the impact of kernel NULL-pointer dereferences
    #   ping_group_range      every gid may open ICMP ping sockets, so ping
    #                         needs no raw-socket privilege
99    write /proc/sys/kernel/randomize_va_space 2
100    write /proc/sys/kernel/kptr_restrict 2
101    write /proc/sys/kernel/dmesg_restrict 1
102    write /proc/sys/vm/mmap_min_addr 32768
103    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
104    write /proc/sys/net/unix/max_dgram_qlen 300
105    write /proc/sys/kernel/sched_rt_runtime_us 950000
106    write /proc/sys/kernel/sched_rt_period_us 1000000
107
108# Create cgroup mount points for process groups
109    mkdir /dev/cpuctl
110    mount cgroup none /dev/cpuctl cpu
111    chown system system /dev/cpuctl
112    chown system system /dev/cpuctl/tasks
113    chmod 0660 /dev/cpuctl/tasks
114    write /dev/cpuctl/cpu.shares 1024
115    write /dev/cpuctl/cpu.rt_runtime_us 950000
116    write /dev/cpuctl/cpu.rt_period_us 1000000
117
118    mkdir /dev/cpuctl/apps
119    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file world-writable, which the header
    # of this file warns against. Presumably deliberate so that any process can
    # place threads in the apps group; confirm, and make sure SELinux policy
    # bounds who can actually write here.
120    chmod 0666 /dev/cpuctl/apps/tasks
121    write /dev/cpuctl/apps/cpu.shares 1024
122    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
123    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
124
125    mkdir /dev/cpuctl/apps/bg_non_interactive
126    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same consideration as apps/tasks.
127    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
128    # 5.0 %
129    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
130    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
131    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
132
133# qtaguid will limit access to specific data based on group memberships.
134#   net_bw_acct grants impersonation of socket owners.
135#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    # Only the group owner is changed here; no chmod follows, so the modes of
    # these two /proc files stay whatever the kernel module sets.
136    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
137    chown root net_bw_stats /proc/net/xt_qtaguid/stats
138
139# Allow everybody to read the xt_qtaguid resource tracking misc dev.
140# This is needed by any process that uses socket tagging.
141    chmod 0644 /dev/xt_qtaguid
142
143# Create location for fs_mgr to store abbreviated output from filesystem
144# checker programs.
145    mkdir /dev/fscklogs 0770 root system
146
# Action run on the post-fs trigger: makes the root filesystem read-only and
# resets ownership, modes and SELinux labels on /cache and on selected /proc
# files that bugreports read.
147on post-fs
148    # once everything is setup, no need to modify /
    # A read-only / also means nothing can be added to or changed on the
    # rootfs after this point without remounting it.
149    mount rootfs rootfs / ro remount
150    # mount shared so changes propagate into child namespaces
151    mount rootfs rootfs / shared rec
152
153    # We chown/chmod /cache again because mount is run as root + defaults
154    chown system cache /cache
155    chmod 0770 /cache
156    # We restorecon /cache in case the cache partition has been reset.
157    restorecon /cache
158
159    # This may have been created by the recovery system with odd permissions
160    chown system cache /cache/recovery
161    chmod 0770 /cache/recovery
162    # This may have been created by the recovery system with the wrong context.
163    restorecon /cache/recovery
164
165    # Change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log: readable by root and the log group only.
166    chown root log /proc/vmallocinfo
167    chmod 0440 /proc/vmallocinfo
168
169    chown root log /proc/slabinfo
170    chmod 0440 /proc/slabinfo
171
172    # Change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg is read-only for root and the system group. sysrq-trigger is 0220,
    # i.e. write-only for root and the system group: every member of that group
    # can request sysrq actions, so membership should stay minimal.
173    chown root system /proc/kmsg
174    chmod 0440 /proc/kmsg
175    chown root system /proc/sysrq-trigger
176    chmod 0220 /proc/sysrq-trigger
177    chown system log /proc/last_kmsg
178    chmod 0440 /proc/last_kmsg
179
180    # create the lost+found directories, so as to enforce our permissions
181    mkdir /cache/lost+found 0770 root root
182
# Action run on the post-fs-data trigger: fixes ownership and labels on /data,
# reseeds the kernel entropy pool, collects panic dumps, creates the /data
# directory tree with explicit owners and modes, and relabels /data.
183on post-fs-data
184    # We chown/chmod /data again because mount is run as root + defaults
185    chown system system /data
186    chmod 0771 /data
187    # We restorecon /data in case the userdata partition has been reset.
188    restorecon /data
189
190    # Avoid predictable entropy pool. Carry over entropy from previous boot.
191    copy /data/system/entropy.dat /dev/urandom
192
193    # Create dump dir and collect dumps.
194    # Do this before we mount cache so eventually we can use cache for
195    # storing dumps on platforms which do not have a dedicated dump partition.
196    mkdir /data/dontpanic 0750 root log
197
198    # Collect apanic data, free resources and re-arm trigger
    # The copied dumps are 0640 root:log, so only root and the log group can
    # read the saved panic console and thread output.
199    copy /proc/apanic_console /data/dontpanic/apanic_console
200    chown root log /data/dontpanic/apanic_console
201    chmod 0640 /data/dontpanic/apanic_console
202
203    copy /proc/apanic_threads /data/dontpanic/apanic_threads
204    chown root log /data/dontpanic/apanic_threads
205    chmod 0640 /data/dontpanic/apanic_threads
206
207    write /proc/apanic_console 1
208
209    # create basic filesystem structure
    # Mode notes for the entries below:
    #   01771 on /data/misc sets the sticky bit, so an entry can be removed or
    #         renamed only by its owner, the directory owner or root.
    #   02750 on /data/misc/adb sets the setgid bit, so files created inside
    #         inherit the shell group.
    #   0700 directories (keystore, systemkeys, media) are reachable by their
    #         owning uid only.
210    mkdir /data/misc 01771 system misc
211    mkdir /data/misc/adb 02750 system shell
212    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
213    mkdir /data/misc/bluetooth 0770 system system
214    mkdir /data/misc/keystore 0700 keystore keystore
215    mkdir /data/misc/keychain 0771 system system
216    mkdir /data/misc/radio 0770 system radio
217    mkdir /data/misc/sms 0770 system radio
218    mkdir /data/misc/zoneinfo 0775 system system
219    mkdir /data/misc/vpn 0770 system vpn
220    mkdir /data/misc/systemkeys 0700 system system
221    mkdir /data/misc/wifi 0770 wifi wifi
222    mkdir /data/misc/wifi/sockets 0770 wifi wifi
223    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
224    mkdir /data/misc/dhcp 0770 dhcp dhcp
225    # give system access to wpa_supplicant.conf for backup and restore
    # 0660 adds group read/write and still gives no access to other users.
226    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
227    mkdir /data/local 0751 root root
228    mkdir /data/misc/media 0700 media media
229
230    # For security reasons, /data/local/tmp should always be empty.
231    # Do not place files or directories in /data/local/tmp
232    mkdir /data/local/tmp 0771 shell shell
233    mkdir /data/data 0771 system system
234    mkdir /data/app-private 0771 system system
235    mkdir /data/app-asec 0700 root root
236    mkdir /data/app-lib 0771 system system
237    mkdir /data/app 0771 system system
238    mkdir /data/property 0700 root root
239    mkdir /data/ssh 0750 root shell
240    mkdir /data/ssh/empty 0700 root root
241
242    # create dalvik-cache, so as to enforce our permissions
243    mkdir /data/dalvik-cache 0771 system system
244
245    # create resource-cache and double-check the perms
246    mkdir /data/resource-cache 0771 system system
247    chown system system /data/resource-cache
248    chmod 0771 /data/resource-cache
249
250    # create the lost+found directories, so as to enforce our permissions
251    mkdir /data/lost+found 0770 root root
252
253    # create directory for DRM plug-ins - give drm the read/write access to
254    # the following directory.
255    mkdir /data/drm 0770 drm drm
256
257    # create directory for MediaDrm plug-ins - give drm the read/write access to
258    # the following directory.
259    mkdir /data/mediadrm 0770 mediadrm mediadrm
260
261    # symlink to bugreport storage location
262    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
263
264    # Separate location for storing security policy files on data
    # 0711 system:system: only the system uid can list or write the directory;
    # others can traverse it but not enumerate its contents.
265    mkdir /data/security 0711 system system
266
267    # Reload policy from /data/security if present.
268    setprop selinux.reload_policy 1
269
270    # Set SELinux security contexts on upgrade or policy update.
271    restorecon_recursive /data
272
273    # If there is no post-fs-data action in the init.<device>.rc file, you
274    # must uncomment this line, otherwise encrypted filesystems
275    # won't work.
276    # Set indication (checked by vold) that we have finished this action
277    #setprop vold.post_fs_data_done 1
278
# Action run on the boot trigger: basic network identity, resource limits and
# VM tunables, ownership/mode changes that let the system, radio and other
# uids drive selected /sys and /proc controls, TCP buffer properties, and
# finally the start of the core and main service classes.
279on boot
280# basic network init
281    ifup lo
282    hostname localhost
283    domainname localdomain
284
285# set RLIMIT_NICE to allow priorities from 19 to -20
    # 13 is the numeric resource id of RLIMIT_NICE on Linux; 40 40 are the soft
    # and hard limits.
286    setrlimit 13 40 40
287
288# Memory management.  Basic kernel parameters, and allow the high
289# level system server to be able to adjust the kernel OOM driver
290# parameters to match how it is managing things.
291    write /proc/sys/vm/overcommit_memory 1
292    write /proc/sys/vm/min_free_order_shift 4
    # 0664 root:system: the lowmemorykiller thresholds are readable by everyone
    # and writable by root and the system group only.
293    chown root system /sys/module/lowmemorykiller/parameters/adj
294    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
295    chown root system /sys/module/lowmemorykiller/parameters/minfree
296    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
297
298    # Tweak background writeout
299    write /proc/sys/vm/dirty_expire_centisecs 200
300    write /proc/sys/vm/dirty_background_ratio  5
301
302    # Permissions for System Server and daemons.
    # Only state, wake_lock and wake_unlock get an explicit chmod (0660) below;
    # the other files in this group keep the mode the kernel gives them.
303    chown radio system /sys/android_power/state
304    chown radio system /sys/android_power/request_state
305    chown radio system /sys/android_power/acquire_full_wake_lock
306    chown radio system /sys/android_power/acquire_partial_wake_lock
307    chown radio system /sys/android_power/release_wake_lock
308    chown system system /sys/power/autosleep
309    chown system system /sys/power/state
310    chown system system /sys/power/wakeup_count
311    chown radio system /sys/power/wake_lock
312    chown radio system /sys/power/wake_unlock
313    chmod 0660 /sys/power/state
314    chmod 0660 /sys/power/wake_lock
315    chmod 0660 /sys/power/wake_unlock
316
    # cpufreq "interactive" governor tunables: owned by system:system and set
    # to 0660, so no other uid can read or change them.
317    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
318    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
319    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
320    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
321    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
322    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
323    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
324    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
325    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
326    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
327    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
328    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
329    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
330    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
331    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
332    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): boostpulse is the only tunable in this list without a
    # chmod, so its mode stays the kernel default - confirm that is intended.
333    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
334    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
335    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
336    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
337    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
338    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
339    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
340
341    # Assume SMP uses shared cpufreq policy for all CPUs
342    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
343    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
344
    # Ownership only (no chmod) for the vibrator, LED, SCO and TCP buffer
    # controls below: the system uid becomes owner and the mode is left as the
    # kernel sets it.
345    chown system system /sys/class/timed_output/vibrator/enable
346    chown system system /sys/class/leds/keyboard-backlight/brightness
347    chown system system /sys/class/leds/lcd-backlight/brightness
348    chown system system /sys/class/leds/button-backlight/brightness
349    chown system system /sys/class/leds/jogball-backlight/brightness
350    chown system system /sys/class/leds/red/brightness
351    chown system system /sys/class/leds/green/brightness
352    chown system system /sys/class/leds/blue/brightness
353    chown system system /sys/class/leds/red/device/grpfreq
354    chown system system /sys/class/leds/red/device/grppwm
355    chown system system /sys/class/leds/red/device/blink
    # NOTE(review): repeats the vibrator chown at the top of this group;
    # harmless but redundant.
356    chown system system /sys/class/timed_output/vibrator/enable
357    chown system system /sys/module/sco/parameters/disable_esco
358    chown system system /sys/kernel/ipv4/tcp_wmem_min
359    chown system system /sys/kernel/ipv4/tcp_wmem_def
360    chown system system /sys/kernel/ipv4/tcp_wmem_max
361    chown system system /sys/kernel/ipv4/tcp_rmem_min
362    chown system system /sys/kernel/ipv4/tcp_rmem_def
363    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Group ownership of the kernel command line goes to radio; no chmod
    # follows, so the mode is whatever the kernel provides.
364    chown root radio /proc/cmdline
365
366# Define TCP buffer sizes for various networks
367#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
368    setprop net.tcp.buffersize.default  4096,87380,110208,4096,16384,110208
369    setprop net.tcp.buffersize.wifi     524288,1048576,2097152,262144,524288,1048576
370    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
371    setprop net.tcp.buffersize.lte      524288,1048576,2097152,262144,524288,1048576
372    setprop net.tcp.buffersize.umts     4094,87380,110208,4096,16384,110208
373    setprop net.tcp.buffersize.hspa     4094,87380,262144,4096,16384,262144
374    setprop net.tcp.buffersize.hsupa    4094,87380,262144,4096,16384,262144
375    setprop net.tcp.buffersize.hsdpa    4094,87380,262144,4096,16384,262144
376    setprop net.tcp.buffersize.hspap    4094,87380,1220608,4096,16384,1220608
377    setprop net.tcp.buffersize.edge     4093,26280,35040,4096,16384,35040
378    setprop net.tcp.buffersize.gprs     4092,8760,11680,4096,8760,11680
379    setprop net.tcp.buffersize.evdo     4094,87380,262144,4096,16384,262144
380
    # Start every service of class core, then class main, that is not marked
    # "disabled".
381    class_start core
382    class_start main
383
# Action run on the nonencrypted trigger: starts the late_start service class.
# No service in this file declares class late_start; presumably those services
# live in device-specific rc files.
384on nonencrypted
385    class_start late_start
386
# Action run on the charger trigger: starts only the services of class charger
# (in this file, healthd-charger).
387on charger
388    class_start charger
389
# Fires when vold.decrypt is set to trigger_reset_main. class_reset stops the
# running services of class main without disabling them, so a later
# class_start can bring them back.
390on property:vold.decrypt=trigger_reset_main
391    class_reset main
392
# Fires when vold.decrypt is set to trigger_load_persist_props: asks init to
# load the persistent properties (presumably once /data is readable - confirm
# against vold).
393on property:vold.decrypt=trigger_load_persist_props
394    load_persist_props
395
# Fires when vold.decrypt is set to trigger_post_fs_data: queues the
# post-fs-data action, so the /data ownership, mode and relabel steps defined
# in this file run again.
396on property:vold.decrypt=trigger_post_fs_data
397    trigger post-fs-data
398
# Fires when vold.decrypt is set to trigger_restart_min_framework: starts class
# main only; late_start is deliberately not started here.
399on property:vold.decrypt=trigger_restart_min_framework
400    class_start main
401
# Fires when vold.decrypt is set to trigger_restart_framework: starts class
# main and then class late_start.
402on property:vold.decrypt=trigger_restart_framework
403    class_start main
404    class_start late_start
405
# Fires when vold.decrypt is set to trigger_shutdown_framework: stops class
# late_start first, then class main; neither class is disabled, so both can be
# started again later.
406on property:vold.decrypt=trigger_shutdown_framework
407    class_reset late_start
408    class_reset main
409
# Fires on any value of sys.powerctl and hands that value to init's powerctl
# command. Whoever is allowed to set this property can therefore power off or
# reboot the device; that permission is enforced outside this file.
410on property:sys.powerctl=*
411    powerctl ${sys.powerctl}
412
413# system server cannot write to /proc/sys files, so proxy it through init
# The property value is written to the sysctl as-is; nothing in this action
# validates it, so the right to set sys.sysctl.* is the only gate.
414on property:sys.sysctl.extra_free_kbytes=*
415    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
416
417## Daemon processes to be run by init.
418##
# ueventd: core-class service run from the rootfs (/sbin). It has no "user"
# line, so it keeps init's default uid (root), and it gets an explicit
# seclabel. "critical" means repeated crashes make init reboot the device
# into recovery.
419service ueventd /sbin/ueventd
420    class core
421    critical
422    seclabel u:r:ueventd:s0
423
# logd: core-class logging daemon with three sockets created by init.
# Two are 0666 and one is 0222 (write-only), i.e. reachable by every uid on
# the device, so any restriction on what a caller may read or write has to be
# enforced by logd itself or by SELinux policy - not visible in this file.
424service logd /system/bin/logd
425    class core
426    socket logd stream 0666 logd logd
427    socket logdr seqpacket 0666 logd logd
428    socket logdw dgram 0222 logd logd
429    seclabel u:r:logd:s0
430
# healthd: core-class, critical service run from the rootfs with an explicit
# seclabel; no "user" line, so it runs with init's default uid (root).
431service healthd /sbin/healthd
432    class core
433    critical
434    seclabel u:r:healthd:s0
435
# healthd-charger: the same healthd binary started with -n, in class charger,
# so it is started by the "on charger" action rather than by normal boot.
# Same seclabel as the regular healthd service.
436service healthd-charger /sbin/healthd -n
437    class charger
438    critical
439    seclabel u:r:healthd:s0
440
# console: an interactive shell on the console device. "disabled" keeps it
# from starting with class core; in this file it is started only by the
# ro.debuggable=1 trigger. It runs as the unprivileged shell user (plus group
# log) in the shell SELinux domain rather than as root.
441service console /system/bin/sh
442    class core
443    console
444    disabled
445    user shell
446    group log
447    seclabel u:r:shell:s0
448
# Starts the console shell service when ro.debuggable is 1. ro.* properties
# are read-only once set, so whether a console shell exists is decided by the
# build, not at runtime.
449on property:ro.debuggable=1
450    start console
451
452# adbd is controlled via property triggers in init.<platform>.usb.rc
# "disabled" means adbd never starts with class core; something must start it
# by name. It starts in the adbd SELinux domain with no "user" line (init's
# default uid, root). --root_seclabel passes the su context to adbd;
# presumably adbd switches to it only when it is allowed to stay root -
# confirm in the adbd sources.
453service adbd /sbin/adbd --root_seclabel=u:r:su:s0
454    class core
455    socket adbd stream 660 system system
456    disabled
457    seclabel u:r:adbd:s0
458
459# adbd on at boot in emulator
# ro.kernel.qemu=1 starts adbd unconditionally; a physical device is not
# expected to have this property set.
460on property:ro.kernel.qemu=1
461    start adbd
462
# servicemanager: core-class, critical service running as system:system.
# If it restarts, init also restarts healthd, zygote, media, surfaceflinger
# and drm. There is no seclabel line; for a binary on /system the SELinux
# domain would come from a policy-defined transition, which is not shown here.
463service servicemanager /system/bin/servicemanager
464    class core
465    user system
466    group system
467    critical
468    onrestart restart healthd
469    onrestart restart zygote
470    onrestart restart media
471    onrestart restart surfaceflinger
472    onrestart restart drm
473
# vold: core-class service with no "user" line, so it runs as root. Its
# control socket is 0660 root:mount, so only root and members of the mount
# group can connect.
474service vold /system/bin/vold
475    class core
476    socket vold stream 0660 root mount
477    ioprio be 2
478
# netd: main-class service with no "user" line, so it runs as root. All three
# sockets are 0660 and owned by root; the group decides who may connect:
# system for netd and mdns, inet for dnsproxyd.
479service netd /system/bin/netd
480    class main
481    socket netd stream 0660 root system
482    socket dnsproxyd stream 0660 root inet
483    socket mdns stream 0660 root system
484
# debuggerd: main-class service with no user, group or seclabel line, so it
# starts with init's default uid (root).
485service debuggerd /system/bin/debuggerd
486    class main
487
# debuggerd64: separate debuggerd64 binary, declared the same way as debuggerd
# (class main, no user/group/seclabel, so root by default).
488service debuggerd64 /system/bin/debuggerd64
489    class main
490
# ril-daemon: main-class radio daemon that explicitly runs as root with a
# broad set of supplementary groups. Its sockets are 660: rild is root:radio,
# rild-debug is radio:system.
# NOTE(review): a root daemon with this many groups is a high-value target;
# check whether the binary drops privileges after start-up.
491service ril-daemon /system/bin/rild
492    class main
493    socket rild stream 660 root radio
494    socket rild-debug stream 660 radio system
495    user root
496    group radio cache inet misc audio log
497
# surfaceflinger: main-class service running as user system with groups
# graphics and drmrpc; a restart of it also restarts zygote.
498service surfaceflinger /system/bin/surfaceflinger
499    class main
500    user system
501    group graphics drmrpc
502    onrestart restart zygote
503
# drm: main-class service running as the dedicated drm user, with the
# supplementary groups system, inet and drmrpc.
504service drm /system/bin/drmserver
505    class main
506    user drm
507    group drm system inet drmrpc
508
# media: main-class media server running as the media user with real-time I/O
# priority. Its group list is wide; in particular net_bw_acct is the group
# that, per the qtaguid comment in the init action of this file, grants
# impersonation of socket owners.
509service media /system/bin/mediaserver
510    class main
511    user media
512    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
513    ioprio rt 4
514
# bootanim: runs as graphics:graphics. "disabled" means it is started only by
# name, and "oneshot" means init does not restart it after it exits.
515service bootanim /system/bin/bootanimation
516    class main
517    user graphics
518    group graphics
519    disabled
520    oneshot
521
# installd: main-class service with no "user" line, so it runs as root. Its
# socket is 600 system:system, so only the system uid can send it requests.
522service installd /system/bin/installd
523    class main
524    socket installd stream 600 system system
525
# flash_recovery: runs the script /system/etc/install-recovery.sh once per
# start of class main. There is no "user" line, so the script executes as
# root; its integrity therefore depends on /system staying protected from
# modification.
526service flash_recovery /system/etc/install-recovery.sh
527    class main
528    oneshot
529
# racoon: IKE daemon, started only on demand (disabled, oneshot). No "user"
# line, so it starts as root and, per the comment below, is expected to drop
# to the vpn uid itself once the port is bound. Control socket is 600
# system:system.
530service racoon /system/bin/racoon
531    class main
532    socket racoon stream 600 system system
533    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
534    group vpn net_admin inet
535    disabled
536    oneshot
537
# mtpd: started only on demand (disabled, oneshot). Unlike racoon it is
# launched directly as the vpn user; network privileges come from the
# net_admin, inet and net_raw groups. Control socket is 600 system:system.
538service mtpd /system/bin/mtpd
539    class main
540    socket mtpd stream 600 system system
541    user vpn
542    group vpn net_admin inet net_raw
543    disabled
544    oneshot
545
# keystore: runs as the dedicated keystore user and is pointed at
# /data/misc/keystore, the directory the post-fs-data action creates as
# 0700 keystore:keystore, so no other uid can read it.
546service keystore /system/bin/keystore /data/misc/keystore
547    class main
548    user keystore
549    group keystore drmrpc
550
# dumpstate: started only on demand (disabled, oneshot) with -s. No "user"
# line, so it runs as root; its socket is 0660 shell:log, so the shell user
# and the log group can connect to it.
551service dumpstate /system/bin/dumpstate -s
552    class main
553    socket dumpstate stream 0660 shell log
554    disabled
555    oneshot
556
# sshd: runs /system/bin/start-ssh. "disabled" means it never starts unless
# something starts it by name. There is no "user" line (root by default) and
# no "oneshot", so once started init restarts it whenever it exits.
557service sshd /system/bin/start-ssh
558    class main
559    disabled
560
# mdnsd: started only on demand (disabled, oneshot) as the dedicated mdnsr
# user with groups inet and net_raw. Its socket is 0660 mdnsr:inet.
561service mdnsd /system/bin/mdnsd
562    class main
563    user mdnsr
564    group inet net_raw
565    socket mdnsd stream 0660 mdnsr inet
566    disabled
567    oneshot
568