init.rc revision 5054417c1025b0f3f36f4b537e51ddd3eea981c8 
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.usb.rc
8import /init.trace.rc
9import /init.${ro.hardware}.rc
10
11on early-init
12    # Set init and its forked children's oom_adj.
13    write /proc/1/oom_adj -16
14
15    # Set the security context for the init process.
16    # This should occur before anything else (e.g. ueventd) is started.
17    setcon u:r:init:s0
18
19    start ueventd
20
21# create mountpoints
22    mkdir /mnt 0775 root system
23
24on init
25
26sysclktz 0
27
28loglevel 3
29
30# setup the global environment
31    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
32    export LD_LIBRARY_PATH /vendor/lib:/system/lib
33    export ANDROID_BOOTLOGO 1
34    export ANDROID_ROOT /system
35    export ANDROID_ASSETS /system/app
36    export ANDROID_DATA /data
37    export ANDROID_STORAGE /storage
38    export ASEC_MOUNTPOINT /mnt/asec
39    export LOOP_MOUNTPOINT /mnt/obb
40    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar
41
42# Backward compatibility
43    symlink /system/etc /etc
44    symlink /sys/kernel/debug /d
45
46# Right now vendor lives on the same filesystem as system,
47# but someday that may change.
48    symlink /system/vendor /vendor
49
50# Create cgroup mount point for cpu accounting
51    mkdir /acct
52    mount cgroup none /acct cpuacct
53    mkdir /acct/uid
54
55    mkdir /system
56    mkdir /data 0771 system system
57    mkdir /cache 0770 system cache
58    mkdir /config 0500 root root
59
60    # See storage config details at http://source.android.com/tech/storage/
61    mkdir /mnt/shell 0700 shell shell
62    mkdir /storage 0050 root sdcard_r
63
64    # Directory for putting things only root should see.
65    mkdir /mnt/secure 0700 root root
66    # Create private mountpoint so we can MS_MOVE from staging
67    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0
68
69    # Directory for staging bindmounts
70    mkdir /mnt/secure/staging 0700 root root
71
72    # Directory-target for where the secure container
73    # imagefile directory will be bind-mounted
74    mkdir /mnt/secure/asec  0700 root root
75
76    # Secure container public mount points.
77    mkdir /mnt/asec  0700 root system
78    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
79
80    # Filesystem image public mount points.
81    mkdir /mnt/obb 0700 root system
82    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
83
84    write /proc/sys/kernel/panic_on_oops 1
85    write /proc/sys/kernel/hung_task_timeout_secs 0
86    write /proc/cpu/alignment 4
87    write /proc/sys/kernel/sched_latency_ns 10000000
88    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
89    write /proc/sys/kernel/sched_compat_yield 1
90    write /proc/sys/kernel/sched_child_runs_first 0
91    write /proc/sys/kernel/randomize_va_space 2
92    write /proc/sys/kernel/kptr_restrict 2
93    write /proc/sys/kernel/dmesg_restrict 1
94    write /proc/sys/vm/mmap_min_addr 32768
95    write /proc/sys/kernel/sched_rt_runtime_us 950000
96    write /proc/sys/kernel/sched_rt_period_us 1000000
97
98# Create cgroup mount points for process groups
99    mkdir /dev/cpuctl
100    mount cgroup none /dev/cpuctl cpu
101    chown system system /dev/cpuctl
102    chown system system /dev/cpuctl/tasks
103    chmod 0660 /dev/cpuctl/tasks
104    write /dev/cpuctl/cpu.shares 1024
105    write /dev/cpuctl/cpu.rt_runtime_us 950000
106    write /dev/cpuctl/cpu.rt_period_us 1000000
107
108    mkdir /dev/cpuctl/apps
109    chown system system /dev/cpuctl/apps/tasks
110    chmod 0666 /dev/cpuctl/apps/tasks
111    write /dev/cpuctl/apps/cpu.shares 1024
112    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
113    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
114
115    mkdir /dev/cpuctl/apps/bg_non_interactive
116    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
117    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
118    # 5.0 %
119    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
120    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
121    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
122
123# Allow everybody to read the xt_qtaguid resource tracking misc dev.
124# This is needed by any process that uses socket tagging.
125    chmod 0644 /dev/xt_qtaguid
126
127on fs
128# mount mtd partitions
129    # Mount /system rw first to give the filesystem a chance to save a checkpoint
130    mount yaffs2 mtd@system /system
131    mount yaffs2 mtd@system /system ro remount
132    mount yaffs2 mtd@userdata /data nosuid nodev
133    mount yaffs2 mtd@cache /cache nosuid nodev
134
135on post-fs
136    # once everything is setup, no need to modify /
137    mount rootfs rootfs / ro remount
138    # mount shared so changes propagate into child namespaces
139    mount rootfs rootfs / shared rec
140    mount tmpfs tmpfs /mnt/secure private rec
141
142    # We chown/chmod /cache again so because mount is run as root + defaults
143    chown system cache /cache
144    chmod 0770 /cache
145    # We restorecon /cache in case the cache partition has been reset.
146    restorecon /cache
147
148    # This may have been created by the recovery system with odd permissions
149    chown system cache /cache/recovery
150    chmod 0770 /cache/recovery
151    # This may have been created by the recovery system with the wrong context.
152    restorecon /cache/recovery
153
154    #change permissions on vmallocinfo so we can grab it from bugreports
155    chown root log /proc/vmallocinfo
156    chmod 0440 /proc/vmallocinfo
157
158    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
159    chown root system /proc/kmsg
160    chmod 0440 /proc/kmsg
161    chown root system /proc/sysrq-trigger
162    chmod 0220 /proc/sysrq-trigger
163    chown system log /proc/last_kmsg
164    chmod 0440 /proc/last_kmsg
165
166    # create the lost+found directories, so as to enforce our permissions
167    mkdir /cache/lost+found 0770 root root
168
169on post-fs-data
170    # We chown/chmod /data again so because mount is run as root + defaults
171    chown system system /data
172    chmod 0771 /data
173    # We restorecon /data in case the userdata partition has been reset.
174    restorecon /data
175
176    # Create dump dir and collect dumps.
177    # Do this before we mount cache so eventually we can use cache for
178    # storing dumps on platforms which do not have a dedicated dump partition.
179    mkdir /data/dontpanic 0750 root log
180
181    # Collect apanic data, free resources and re-arm trigger
182    copy /proc/apanic_console /data/dontpanic/apanic_console
183    chown root log /data/dontpanic/apanic_console
184    chmod 0640 /data/dontpanic/apanic_console
185
186    copy /proc/apanic_threads /data/dontpanic/apanic_threads
187    chown root log /data/dontpanic/apanic_threads
188    chmod 0640 /data/dontpanic/apanic_threads
189
190    write /proc/apanic_console 1
191
192    # create basic filesystem structure
193    mkdir /data/misc 01771 system misc
194    mkdir /data/misc/adb 02750 system shell
195    mkdir /data/misc/bluedroid 0770 bluetooth bluetooth
196    mkdir /data/misc/bluetooth 0770 system system
197    mkdir /data/misc/keystore 0700 keystore keystore
198    mkdir /data/misc/keychain 0771 system system
199    mkdir /data/misc/vpn 0770 system vpn
200    mkdir /data/misc/systemkeys 0700 system system
201    # give system access to wpa_supplicant.conf for backup and restore
202    mkdir /data/misc/wifi 0770 wifi wifi
203    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
204    mkdir /data/local 0751 root root
205
206    # For security reasons, /data/local/tmp should always be empty.
207    # Do not place files or directories in /data/local/tmp
208    mkdir /data/local/tmp 0771 shell shell
209    mkdir /data/data 0771 system system
210    mkdir /data/app-private 0771 system system
211    mkdir /data/app-asec 0700 root root
212    mkdir /data/app-lib 0771 system system
213    mkdir /data/app 0771 system system
214    mkdir /data/property 0700 root root
215    mkdir /data/ssh 0750 root shell
216    mkdir /data/ssh/empty 0700 root root
217
218    # create dalvik-cache, so as to enforce our permissions
219    mkdir /data/dalvik-cache 0771 system system
220
221    # create resource-cache and double-check the perms
222    mkdir /data/resource-cache 0771 system system
223    chown system system /data/resource-cache
224    chmod 0771 /data/resource-cache
225
226    # create the lost+found directories, so as to enforce our permissions
227    mkdir /data/lost+found 0770 root root
228
229    # create directory for DRM plug-ins - give drm the read/write access to
230    # the following directory.
231    mkdir /data/drm 0770 drm drm
232
233    # If there is no fs-post-data action in the init.<device>.rc file, you
234    # must uncomment this line, otherwise encrypted filesystems
235    # won't work.
236    # Set indication (checked by vold) that we have finished this action
237    #setprop vold.post_fs_data_done 1
238
239on boot
240# basic network init
241    ifup lo
242    hostname localhost
243    domainname localdomain
244
245# set RLIMIT_NICE to allow priorities from 19 to -20
246    setrlimit 13 40 40
247
248# Memory management.  Basic kernel parameters, and allow the high
249# level system server to be able to adjust the kernel OOM driver
250# parameters to match how it is managing things.
251    write /proc/sys/vm/overcommit_memory 1
252    write /proc/sys/vm/min_free_order_shift 4
253    chown root system /sys/module/lowmemorykiller/parameters/adj
254    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
255    chown root system /sys/module/lowmemorykiller/parameters/minfree
256    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
257
258    # Tweak background writeout
259    write /proc/sys/vm/dirty_expire_centisecs 200
260    write /proc/sys/vm/dirty_background_ratio  5
261
262    # Permissions for System Server and daemons.
263    chown radio system /sys/android_power/state
264    chown radio system /sys/android_power/request_state
265    chown radio system /sys/android_power/acquire_full_wake_lock
266    chown radio system /sys/android_power/acquire_partial_wake_lock
267    chown radio system /sys/android_power/release_wake_lock
268    chown system system /sys/power/autosleep
269    chown system system /sys/power/state
270    chown system system /sys/power/wakeup_count
271    chown radio system /sys/power/wake_lock
272    chown radio system /sys/power/wake_unlock
273    chmod 0660 /sys/power/state
274    chmod 0660 /sys/power/wake_lock
275    chmod 0660 /sys/power/wake_unlock
276
277    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
278    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
279    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
280    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
281    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
282    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
283    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
284    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
285    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
286    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
287    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
288    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
289    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
290    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
291    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
292
293    # Assume SMP uses shared cpufreq policy for all CPUs
294    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
295    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
296
297    chown system system /sys/class/timed_output/vibrator/enable
298    chown system system /sys/class/leds/keyboard-backlight/brightness
299    chown system system /sys/class/leds/lcd-backlight/brightness
300    chown system system /sys/class/leds/button-backlight/brightness
301    chown system system /sys/class/leds/jogball-backlight/brightness
302    chown system system /sys/class/leds/red/brightness
303    chown system system /sys/class/leds/green/brightness
304    chown system system /sys/class/leds/blue/brightness
305    chown system system /sys/class/leds/red/device/grpfreq
306    chown system system /sys/class/leds/red/device/grppwm
307    chown system system /sys/class/leds/red/device/blink
308    chown system system /sys/class/leds/red/brightness
309    chown system system /sys/class/leds/green/brightness
310    chown system system /sys/class/leds/blue/brightness
311    chown system system /sys/class/leds/red/device/grpfreq
312    chown system system /sys/class/leds/red/device/grppwm
313    chown system system /sys/class/leds/red/device/blink
314    chown system system /sys/class/timed_output/vibrator/enable
315    chown system system /sys/module/sco/parameters/disable_esco
316    chown system system /sys/kernel/ipv4/tcp_wmem_min
317    chown system system /sys/kernel/ipv4/tcp_wmem_def
318    chown system system /sys/kernel/ipv4/tcp_wmem_max
319    chown system system /sys/kernel/ipv4/tcp_rmem_min
320    chown system system /sys/kernel/ipv4/tcp_rmem_def
321    chown system system /sys/kernel/ipv4/tcp_rmem_max
322    chown root radio /proc/cmdline
323
324# Define TCP buffer sizes for various networks
325#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
326    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
327    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
328    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
329    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
330    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
331    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
332    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
333    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
334    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
335    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
336    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
337
338# Set this property so surfaceflinger is not started by system_init
339    setprop system_init.startsurfaceflinger 0
340
341    class_start core
342    class_start main
343
344on nonencrypted
345    class_start late_start
346
347on charger
348    class_start charger
349
350on property:vold.decrypt=trigger_reset_main
351    class_reset main
352
353on property:vold.decrypt=trigger_load_persist_props
354    load_persist_props
355
356on property:vold.decrypt=trigger_post_fs_data
357    trigger post-fs-data
358
359on property:vold.decrypt=trigger_restart_min_framework
360    class_start main
361
362on property:vold.decrypt=trigger_restart_framework
363    class_start main
364    class_start late_start
365
366on property:vold.decrypt=trigger_shutdown_framework
367    class_reset late_start
368    class_reset main
369
370## Daemon processes to be run by init.
371##
372service ueventd /sbin/ueventd
373    class core
374    critical
375    seclabel u:r:ueventd:s0
376
377on property:selinux.reload_policy=1
378    restart ueventd
379    restart installd
380
381service console /system/bin/sh
382    class core
383    console
384    disabled
385    user shell
386    group log
387
388on property:ro.debuggable=1
389    start console
390
391# adbd is controlled via property triggers in init.<platform>.usb.rc
392service adbd /sbin/adbd
393    class core
394    socket adbd stream 660 system system
395    disabled
396    seclabel u:r:adbd:s0
397
398# adbd on at boot in emulator
399on property:ro.kernel.qemu=1
400    start adbd
401
402service servicemanager /system/bin/servicemanager
403    class core
404    user system
405    group system
406    critical
407    onrestart restart zygote
408    onrestart restart media
409    onrestart restart surfaceflinger
410    onrestart restart drm
411
412service vold /system/bin/vold
413    class core
414    socket vold stream 0660 root mount
415    ioprio be 2
416
417service netd /system/bin/netd
418    class main
419    socket netd stream 0660 root system
420    socket dnsproxyd stream 0660 root inet
421    socket mdns stream 0660 root system
422
423service debuggerd /system/bin/debuggerd
424    class main
425
426service ril-daemon /system/bin/rild
427    class main
428    socket rild stream 660 root radio
429    socket rild-debug stream 660 radio system
430    user root
431    group radio cache inet misc audio log
432
433service surfaceflinger /system/bin/surfaceflinger
434    class main
435    user system
436    group graphics
437    onrestart restart zygote
438
439service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
440    class main
441    socket zygote stream 660 root system
442    onrestart write /sys/android_power/request_state wake
443    onrestart write /sys/power/state on
444    onrestart restart media
445    onrestart restart netd
446
447service drm /system/bin/drmserver
448    class main
449    user drm
450    group drm system inet drmrpc
451
452service media /system/bin/mediaserver
453    class main
454    user media
455    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc
456    ioprio rt 4
457
458service bootanim /system/bin/bootanimation
459    class main
460    user graphics
461    group graphics
462    disabled
463    oneshot
464
465service installd /system/bin/installd
466    class main
467    socket installd stream 600 system system
468
469service flash_recovery /system/etc/install-recovery.sh
470    class main
471    oneshot
472
473service racoon /system/bin/racoon
474    class main
475    socket racoon stream 600 system system
476    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
477    group vpn net_admin inet
478    disabled
479    oneshot
480
481service mtpd /system/bin/mtpd
482    class main
483    socket mtpd stream 600 system system
484    user vpn
485    group vpn net_admin inet net_raw
486    disabled
487    oneshot
488
489service keystore /system/bin/keystore /data/misc/keystore
490    class main
491    user keystore
492    group keystore drmrpc
493    socket keystore stream 666
494
495service dumpstate /system/bin/dumpstate -s
496    class main
497    socket dumpstate stream 0660 shell log
498    disabled
499    oneshot
500
501service sshd /system/bin/start-ssh
502    class main
503    disabled
504
505service mdnsd /system/bin/mdnsd
506    class main
507    user mdnsr
508    group inet net_raw
509    socket mdnsd stream 0660 mdnsr inet
510    disabled
511    oneshot
512