init.rc revision 49ed105fd91677f7c87417890bf7441146953fff
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#

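# Device-, zygote- and usb-specific fragments; the ${ro.*} names are expanded
# from system properties when init parses this file.
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc
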
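on early-init
    # Set init and its forked children's oom_adj so the OOM killer never picks init.
    write /proc/1/oom_score_adj -1000

    # Set the security context of /adb_keys if present (presumably the
    # pre-provisioned ADB keys; it must carry the right label before adbd reads it).
    restorecon /adb_keys

    start ueventd
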
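on init
    sysclktz 0

    # Backward compatibility.
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Link /vendor to /system/vendor for devices without a vendor partition.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # Mount staging areas for devices managed by vold
    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt 0755 root system
    mount tmpfs tmpfs /mnt mode=0755,uid=0,gid=1000
    restorecon_recursive /mnt

    mkdir /mnt/secure 0700 root root
    mkdir /mnt/secure/asec 0700 root root
    mkdir /mnt/asec 0755 root system
    mkdir /mnt/obb 0755 root system
    mkdir /mnt/media_rw 0750 root media_rw
    mkdir /mnt/user 0755 root root
    mkdir /mnt/user/0 0755 root root
    mkdir /mnt/expand 0771 system system

    # sdcard_r is GID 1028
    mkdir /storage 0751 root sdcard_r
    mount tmpfs tmpfs /storage mode=0751,uid=0,gid=1028
    restorecon_recursive /storage

    # Symlink to keep legacy apps working in multi-user world
    mkdir /storage/self 0751 root sdcard_r
    symlink /storage/self/primary /sdcard
    symlink /mnt/user/0/primary /storage/self/primary

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0

    # Kernel hardening: full ASLR, hide kernel pointers in /proc from every
    # reader, and reserve the lowest pages so a NULL-pointer dereference cannot
    # land on attacker-mapped memory.
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/vm/mmap_min_addr 32768

    # Every GID may open unprivileged ICMP sockets, so ping needs no setuid helper.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # reflect fwmark from incoming packets onto generated replies
    write /proc/sys/net/ipv4/fwmark_reflect 1
    write /proc/sys/net/ipv6/fwmark_reflect 1

    # set fwmark on accepted sockets
    write /proc/sys/net/ipv4/tcp_fwmark_accept 1

    # disable icmp redirects (an on-link host must not be able to re-route us)
    write /proc/sys/net/ipv4/conf/all/accept_redirects 0
    write /proc/sys/net/ipv6/conf/all/accept_redirects 0

    # Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    # NOTE(review): 0666 leaves this cgroup tasks file world-writable, which the
    # header of this file warns against; the scheduler-group scheme apparently
    # relies on arbitrary processes placing their own threads here. Verify
    # whether 0660 with the system group suffices before tightening.
    chmod 0666 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 800000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/bg_non_interactive
    chown system system /dev/cpuctl/bg_non_interactive/tasks
    # NOTE(review): same world-writable concern as /dev/cpuctl/tasks above.
    chmod 0666 /dev/cpuctl/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    #   net_bw_acct grants impersonation of socket owners.
    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log; readable only by system and the log
    # group, since the previous boot's console output may contain sensitive data.
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops
    chown system log /sys/fs/pstore/pmsg-ramoops-0
    chmod 0440 /sys/fs/pstore/pmsg-ramoops-0

    # enable armv8_deprecated instruction hooks
    write /proc/sys/abi/swp 1
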
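# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.
on property:sys.boot_from_charger_mode=1
    class_stop charger
    trigger late-init
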
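# Load properties from /system/ + /factory after fs mount.
on load_all_props_action
    load_all_props
    start logd
    start logd-reinit
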
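# Indicate to fw loaders that the relevant mounts are up.
on firmware_mounts_complete
    rm /dev/.booting
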
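# Mount filesystems and start core system services.
# Each trigger queues the named action; the order below is the boot order.
on late-init
    trigger early-fs
    trigger fs
    trigger post-fs
    trigger post-fs-data

    # Load properties from /system/ + /factory after fs mount. Place
    # this in another action so that the load will be scheduled after the prior
    # issued fs triggers have completed.
    trigger load_all_props_action

    # Remove a file to wake up anything waiting for firmware.
    trigger firmware_mounts_complete

    trigger early-boot
    trigger boot
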
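on post-fs
    start logd
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount runs as root with default
    # ownership and permissions.
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon_recursive /cache

    # Create /cache/recovery in case it's not there. It'll also fix the odd
    # permissions if created by the recovery system.
    mkdir /cache/recovery 0770 system cache

    # change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    # sysrq-trigger is write-only for root and the system group; anything in
    # that group can fire kernel sysrq actions, so keep the group membership tight.
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root
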
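on post-fs-data
    # We chown/chmod /data again because mount runs as root with default
    # ownership and permissions.
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Emulated internal storage area
    mkdir /data/media 0770 media_rw media_rw

    # Make sure we have the device encryption key
    start logd
    start vold
    installkey /data

    # Start bootcharting as soon as possible after the data partition is
    # mounted to collect more data.
    mkdir /data/bootchart 0755 shell shell
    bootchart_init

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    copy /data/system/entropy.dat /dev/urandom

    # create basic filesystem structure
    mkdir /data/misc 01771 system misc
    # setgid so files created here inherit the shell group
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # key material: owner-only
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/gatekeeper 0700 system system
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/net 0750 root shell
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/ethernet 0770 system system
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    mkdir /data/misc/perfprofd 0775 root root
    # give system access to wpa_supplicant.conf for backup and restore
    # (it holds saved network credentials, so group access stays limited to wifi)
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media
    mkdir /data/misc/vold 0700 root root

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/tombstones 0771 system system

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 root root
    mkdir /data/dalvik-cache/profiles 0711 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    mkdir /data/adb 0700 root root

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Create all remaining /data root dirs so that they are made through init
    # and get proper encryption policy installed
    mkdir /data/backup 0700 system system
    # repeat of the earlier /data/media mkdir; mkdir is idempotent here
    mkdir /data/media 0770 media_rw media_rw
    mkdir /data/ss 0700 system system
    mkdir /data/system 0775 system system
    mkdir /data/system/heapdump 0700 system system
    mkdir /data/user 0711 system system

    # Reload policy from /data/security if present.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # Check any timezone data in /data is newer than the copy in /system, delete if not.
    # Runs in its own confined domain rather than as init.
    exec u:r:tzdatacheck:s0 system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo

    # If there is no fs-post-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1
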
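on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE (resource 13) to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio  5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Kernel command line is restricted to root and radio; presumably because it
    # can carry device-specific values that should not be app-readable -- confirm.
    chown root radio /proc/cmdline

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core
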
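# Device has no data encryption: bring up the rest of the system directly.
on nonencrypted
    class_start main
    class_start late_start
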
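on property:vold.decrypt=trigger_default_encryption
    start defaultcrypto
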
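on property:vold.decrypt=trigger_encryption
    start surfaceflinger
    start encrypt
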
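on property:sys.init_log_level=*
    loglevel ${sys.init_log_level}
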
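on charger
    class_start charger
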
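on property:vold.decrypt=trigger_reset_main
    class_reset main
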
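# persist.* properties live on /data, so they can only be loaded once vold has
# made the (possibly encrypted) data partition available.
on property:vold.decrypt=trigger_load_persist_props
    load_persist_props
    start logd
    start logd-reinit
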
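on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data
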
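on property:vold.decrypt=trigger_restart_min_framework
    class_start main
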
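on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start
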
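on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main
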
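# Reboot/shutdown requests are proxied through init via this property; who may
# set sys.powerctl is decided by the property-context policy, not here.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}
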
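# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init. The value written is whatever the property
# holds; the property-context policy is what limits who can set it.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
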
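# "tcp_default_init_rwnd" is too long for a property name, hence the short form.
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
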
## Daemon processes to be run by init.
##
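service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0
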
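service logd /system/bin/logd
    class core
    # Logging must be reachable from every uid: the control and reader sockets
    # are 0666, the writer socket is write-only (0222) so a client can append
    # but not read from the socket path. Which log buffers a reader may see is
    # presumably enforced inside logd rather than by these modes.
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
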
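service logd-reinit /system/bin/logd --reinit
    oneshot
    disabled
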
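service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0
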
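# Serial/console shell. Disabled by default; only started on debuggable builds
# (see the ro.debuggable trigger below), and confined to the shell domain.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log
    seclabel u:r:shell:s0
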
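on property:ro.debuggable=1
    start console
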
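# adbd is controlled via property triggers in init.<platform>.usb.rc.
# The service is disabled here, so those triggers (and the qemu one below)
# are what actually gate exposure of the adb socket. --root_seclabel
# presumably names the domain adbd may switch to for "adb root"; that path
# should only be reachable on debuggable builds -- confirm in adbd.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0
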
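# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd
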
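service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system
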
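service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    # Binder clients cache servicemanager handles; restart the dependents so
    # they re-register rather than hold stale references.
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm
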
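# The *_untrusted contexts are presumably used when blkid/fsck are run against
# removable media, so parsing of attacker-controlled filesystem metadata happens
# in a separate, more confined domain -- confirm against vold and the policy.
service vold /system/bin/vold \
        --blkid_context=u:r:blkid:s0 --blkid_untrusted_context=u:r:blkid_untrusted:s0 \
        --fsck_context=u:r:fsck:s0 --fsck_untrusted_context=u:r:fsck_untrusted:s0
    class core
    socket vold stream 0660 root mount
    ioprio be 2
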
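service netd /system/bin/netd
    class main
    # control socket is system-only; the dnsproxyd/fwmarkd sockets are opened
    # to the inet group because every networked app talks to them
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
    socket fwmarkd stream 0660 root inet
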
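service debuggerd /system/bin/debuggerd
    class main
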
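service debuggerd64 /system/bin/debuggerd64
    class main
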
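# NOTE(review): rild runs as root with a broad supplementary group set while
# parsing modem input; it relies on SELinux (its domain is assigned by policy,
# not here) for confinement. Worth checking whether a dedicated uid is viable.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket sap_uim_socket1 stream 660 bluetooth bluetooth
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log
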
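service surfaceflinger /system/bin/surfaceflinger
    class core
    user system
    group graphics drmrpc
    onrestart restart zygote
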
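service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc
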
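service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4
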
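# One shot invocation to deal with encrypted volume.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)
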
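# One shot invocation to encrypt unencrypted volumes
service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption)
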
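service bootanim /system/bin/bootanimation
    class core
    user graphics
    group graphics audio
    disabled
    oneshot
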
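# The argument is its state directory, created 0700 system:system in post-fs-data.
service gatekeeperd /system/bin/gatekeeperd /data/misc/gatekeeper
    class main
    user system
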
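service installd /system/bin/installd
    class main
    # only the system uid may issue install/uninstall commands
    socket installd stream 600 system system
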
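service flash_recovery /system/bin/install-recovery.sh
    class main
    oneshot
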
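service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot
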
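service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot
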
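# The argument is its key directory, created 0700 keystore:keystore in post-fs-data.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc
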
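service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot
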
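service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot
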
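service uncrypt /system/bin/uncrypt
    class main
    disabled
    oneshot
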
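service pre-recovery /system/bin/uncrypt --reboot
    class main
    disabled
    oneshot
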
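# NOTE(review): runs as root; its output directory /data/misc/perfprofd is
# 0775 root:root (post-fs-data), so profiles are world-readable -- confirm
# that is intended for the data it collects.
service perfprofd /system/xbin/perfprofd
    class late_start
    user root
    oneshot
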
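on property:persist.logd.logpersistd=logcatd
    # all exec/services are called with umask(077), so no gain beyond 0700
    mkdir /data/misc/logd 0700 logd log
    # logd for write to /data/misc/logd, log group for read from pstore (-L).
    # "-" leaves the exec'd logcat in init's default seclabel for exec.
    exec - logd log -- /system/bin/logcat -L -b all -v threadtime -v usec -v printable -D -f /data/misc/logd/logcat -r 64 -n 256
    start logcatd
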
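# Persistent logger: writes rotated logs under /data/misc/logd (0700 logd:log).
service logcatd /system/bin/logcat -b all -v threadtime -v usec -v printable -D -f /data/misc/logd/logcat -r 64 -n 256
    class late_start
    disabled
    # logd for write to /data/misc/logd, log group for read from log daemon
    user logd
    group log
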
685