init.rc revision 4456a55ce69cd5b8ad39349ed55d3efc3512bffa
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#

# Layout of this file: each `on <trigger>` section lists commands that init
# itself executes when the trigger fires; each `service` section declares a
# daemon that init launches and supervises. A service that has no `user`
# option is started as root, so the `user`/`group`/`seclabel` lines below are
# the privilege boundary of each daemon.

import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_adj -16

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 makes SELinux check the protection the kernel will actually apply
    # rather than only the one the application requested.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

# create mountpoints
    mkdir /mnt 0775 root system

on init

    sysclktz 0

    loglevel 3

# Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

# Create cgroup mount point for memory
    # gid=1000 is Android's system group; the mkdir/chown lines that follow
    # name the same owner pair (root, system) symbolically.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The tmpfs mounted on top replaces the 0700 mode of the mkdir with
    # mode=0755, so the mount point is world-readable/traversable once mounted.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # Kernel tunables. The security-relevant ones are annotated individually.
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # 2 = full address space randomization (stack, mmap, and heap/brk).
    write /proc/sys/kernel/randomize_va_space 2
    # 2 = kernel pointers printed with %pK are hidden from all users.
    write /proc/sys/kernel/kptr_restrict 2
    # 1 = reading the kernel log requires CAP_SYSLOG.
    write /proc/sys/kernel/dmesg_restrict 1
    # Lowest address user space may map; keeps page zero unmapped so a kernel
    # NULL-pointer dereference cannot land in attacker-controlled memory.
    write /proc/sys/vm/mmap_min_addr 32768
    # Let every gid create unprivileged ICMP echo sockets, so ping needs no
    # raw-socket privilege.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 lets any UID write this tasks file, i.e. move threads
    # into this cgroup. That is at odds with the "no world writable files" rule
    # at the top of this file; confirm it is intended and what else (e.g.
    # SELinux policy) constrains it.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same concern as apps/tasks above.
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# qtaguid will limit access to specific data based on group memberships.
# net_bw_acct grants impersonation of socket owners.
# net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

# Create location for fs_mgr to store abbreviated output from filesystem
# checker programs.
    mkdir /dev/fscklogs 0770 root system

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    # (0440 root:log - readable by root and the log group only)
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    # 0220: write-only, and only for root and the system group.
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # Writing to /dev/urandom mixes the saved bytes into the pool; it does not
    # raise the kernel's entropy estimate.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # 01771: the leading 1 is the sticky bit, so entries can be removed or
    # renamed only by their owner (or the directory owner/root).
    mkdir /data/misc 01771 system misc
    # 02750: the leading 2 is setgid, so new entries inherit group shell.
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    # give system access to wpa_supplicant.conf for backup and restore
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    # NOTE(review): that directory is owned by system on the writable data
    # partition, so the integrity of a reloaded policy depends on who can
    # write there - verify how the policy files are authenticated.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

# Memory management.  Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # boostpulse is the only node in this group that gets a chown but no chmod.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Only the group changes here: /proc/cmdline gets group radio.
    chown root radio /proc/cmdline

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144

    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

# The vold.decrypt property drives the triggers below: each value written to
# it starts or resets a service class, or re-runs an earlier action.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Any value written to sys.powerctl is handed to the powerctl command, so the
# ability to set this property is the ability to power the device off or
# reboot it. Nothing in this file restricts who may set it.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files, so proxy it through init
# The property value is written as-is; this file does no validation of it.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

## Daemon processes to be run by init.
##
## Reading guide: `user`/`group` set the uid and gids of the daemon (root when
## `user` is absent), `seclabel` sets its SELinux context explicitly, `socket`
## creates a socket with the given mode, owner and group, `critical` marks a
## service init treats as essential, `disabled` services start only when asked
## by name, and `oneshot` services are not restarted when they exit.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

service logd /system/bin/logd
    class core
    # NOTE(review): logd and logdr are mode 0666 and logdw is 0222
    # (write-only), so every UID can reach them by file mode; any access
    # control has to come from logd itself or from SELinux policy - confirm.
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
    seclabel u:r:logd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

service healthd-charger /sbin/healthd -n
    class charger
    critical
    seclabel u:r:healthd:s0

# Interactive shell on the console, running as shell (not root) in the shell
# domain. Disabled by default; the ro.debuggable trigger below starts it.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# NOTE(review): no `user` option, so adbd starts as root. --root_seclabel
# names the su domain - presumably the context adbd takes when it keeps root;
# confirm that path is reachable on debuggable builds only.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

# No `user` option: vold runs as root.
service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

# No `user` option: netd runs as root. Its three control sockets are reachable
# by root plus one group each (system, inet, system).
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

# No `user` option: both debuggerd variants run as root.
service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main

# Explicitly root, with a broad supplementary group list.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# No `user` option: installd runs as root; its socket is 0600 system:system.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# NOTE(review): runs a shell script from /system as root once per boot (no
# `user`, not disabled). Its trustworthiness rests on /system being
# unmodifiable at runtime - confirm for the target device.
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

# Dedicated uid; matches the 0700 keystore:keystore directory created in
# post-fs-data.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

# No `user` option: dumpstate runs as root; its socket is open to uid shell
# and group log.
service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# No `user` option: the ssh launcher runs as root. Disabled, so it starts only
# when something requests it by name.
service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot
