init.rc revision 5054417c1025b0f3f36f4b537e51ddd3eea981c8
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.usb.rc 8import /init.trace.rc 9import /init.${ro.hardware}.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ANDROID_STORAGE /storage 38 export ASEC_MOUNTPOINT /mnt/asec 39 export LOOP_MOUNTPOINT /mnt/obb 40 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 41 42# Backward compatibility 43 symlink /system/etc /etc 44 symlink /sys/kernel/debug /d 45 46# Right now vendor lives on the same filesystem as system, 47# but someday that may change. 48 symlink /system/vendor /vendor 49 50# Create cgroup mount point for cpu accounting 51 mkdir /acct 52 mount cgroup none /acct cpuacct 53 mkdir /acct/uid 54 55 mkdir /system 56 mkdir /data 0771 system system 57 mkdir /cache 0770 system cache 58 mkdir /config 0500 root root 59 60 # See storage config details at http://source.android.com/tech/storage/ 61 mkdir /mnt/shell 0700 shell shell 62 mkdir /storage 0050 root sdcard_r 63 64 # Directory for putting things only root should see. 65 mkdir /mnt/secure 0700 root root 66 # Create private mountpoint so we can MS_MOVE from staging 67 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 68 69 # Directory for staging bindmounts 70 mkdir /mnt/secure/staging 0700 root root 71 72 # Directory-target for where the secure container 73 # imagefile directory will be bind-mounted 74 mkdir /mnt/secure/asec 0700 root root 75 76 # Secure container public mount points. 77 mkdir /mnt/asec 0700 root system 78 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 79 80 # Filesystem image public mount points. 81 mkdir /mnt/obb 0700 root system 82 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 83 84 write /proc/sys/kernel/panic_on_oops 1 85 write /proc/sys/kernel/hung_task_timeout_secs 0 86 write /proc/cpu/alignment 4 87 write /proc/sys/kernel/sched_latency_ns 10000000 88 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 89 write /proc/sys/kernel/sched_compat_yield 1 90 write /proc/sys/kernel/sched_child_runs_first 0 91 write /proc/sys/kernel/randomize_va_space 2 92 write /proc/sys/kernel/kptr_restrict 2 93 write /proc/sys/kernel/dmesg_restrict 1 94 write /proc/sys/vm/mmap_min_addr 32768 95 write /proc/sys/kernel/sched_rt_runtime_us 950000 96 write /proc/sys/kernel/sched_rt_period_us 1000000 97 98# Create cgroup mount points for process groups 99 mkdir /dev/cpuctl 100 mount cgroup none /dev/cpuctl cpu 101 chown system system /dev/cpuctl 102 chown system system /dev/cpuctl/tasks 103 chmod 0660 /dev/cpuctl/tasks 104 write /dev/cpuctl/cpu.shares 1024 105 write /dev/cpuctl/cpu.rt_runtime_us 950000 106 write /dev/cpuctl/cpu.rt_period_us 1000000 107 108 mkdir /dev/cpuctl/apps 109 chown system system /dev/cpuctl/apps/tasks 110 chmod 0666 /dev/cpuctl/apps/tasks 111 write /dev/cpuctl/apps/cpu.shares 1024 112 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 113 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 114 115 mkdir /dev/cpuctl/apps/bg_non_interactive 116 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 117 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 118 # 5.0 % 119 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 120 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 121 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 122 123# Allow everybody to read the xt_qtaguid resource tracking misc dev. 124# This is needed by any process that uses socket tagging. 125 chmod 0644 /dev/xt_qtaguid 126 127on fs 128# mount mtd partitions 129 # Mount /system rw first to give the filesystem a chance to save a checkpoint 130 mount yaffs2 mtd@system /system 131 mount yaffs2 mtd@system /system ro remount 132 mount yaffs2 mtd@userdata /data nosuid nodev 133 mount yaffs2 mtd@cache /cache nosuid nodev 134 135on post-fs 136 # once everything is setup, no need to modify / 137 mount rootfs rootfs / ro remount 138 # mount shared so changes propagate into child namespaces 139 mount rootfs rootfs / shared rec 140 mount tmpfs tmpfs /mnt/secure private rec 141 142 # We chown/chmod /cache again so because mount is run as root + defaults 143 chown system cache /cache 144 chmod 0770 /cache 145 # We restorecon /cache in case the cache partition has been reset. 146 restorecon /cache 147 148 # This may have been created by the recovery system with odd permissions 149 chown system cache /cache/recovery 150 chmod 0770 /cache/recovery 151 # This may have been created by the recovery system with the wrong context. 152 restorecon /cache/recovery 153 154 #change permissions on vmallocinfo so we can grab it from bugreports 155 chown root log /proc/vmallocinfo 156 chmod 0440 /proc/vmallocinfo 157 158 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 159 chown root system /proc/kmsg 160 chmod 0440 /proc/kmsg 161 chown root system /proc/sysrq-trigger 162 chmod 0220 /proc/sysrq-trigger 163 chown system log /proc/last_kmsg 164 chmod 0440 /proc/last_kmsg 165 166 # create the lost+found directories, so as to enforce our permissions 167 mkdir /cache/lost+found 0770 root root 168 169on post-fs-data 170 # We chown/chmod /data again so because mount is run as root + defaults 171 chown system system /data 172 chmod 0771 /data 173 # We restorecon /data in case the userdata partition has been reset. 174 restorecon /data 175 176 # Create dump dir and collect dumps. 177 # Do this before we mount cache so eventually we can use cache for 178 # storing dumps on platforms which do not have a dedicated dump partition. 179 mkdir /data/dontpanic 0750 root log 180 181 # Collect apanic data, free resources and re-arm trigger 182 copy /proc/apanic_console /data/dontpanic/apanic_console 183 chown root log /data/dontpanic/apanic_console 184 chmod 0640 /data/dontpanic/apanic_console 185 186 copy /proc/apanic_threads /data/dontpanic/apanic_threads 187 chown root log /data/dontpanic/apanic_threads 188 chmod 0640 /data/dontpanic/apanic_threads 189 190 write /proc/apanic_console 1 191 192 # create basic filesystem structure 193 mkdir /data/misc 01771 system misc 194 mkdir /data/misc/adb 02750 system shell 195 mkdir /data/misc/bluedroid 0770 bluetooth bluetooth 196 mkdir /data/misc/bluetooth 0770 system system 197 mkdir /data/misc/keystore 0700 keystore keystore 198 mkdir /data/misc/keychain 0771 system system 199 mkdir /data/misc/vpn 0770 system vpn 200 mkdir /data/misc/systemkeys 0700 system system 201 # give system access to wpa_supplicant.conf for backup and restore 202 mkdir /data/misc/wifi 0770 wifi wifi 203 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 204 mkdir /data/local 0751 root root 205 206 # For security reasons, /data/local/tmp should always be empty. 207 # Do not place files or directories in /data/local/tmp 208 mkdir /data/local/tmp 0771 shell shell 209 mkdir /data/data 0771 system system 210 mkdir /data/app-private 0771 system system 211 mkdir /data/app-asec 0700 root root 212 mkdir /data/app-lib 0771 system system 213 mkdir /data/app 0771 system system 214 mkdir /data/property 0700 root root 215 mkdir /data/ssh 0750 root shell 216 mkdir /data/ssh/empty 0700 root root 217 218 # create dalvik-cache, so as to enforce our permissions 219 mkdir /data/dalvik-cache 0771 system system 220 221 # create resource-cache and double-check the perms 222 mkdir /data/resource-cache 0771 system system 223 chown system system /data/resource-cache 224 chmod 0771 /data/resource-cache 225 226 # create the lost+found directories, so as to enforce our permissions 227 mkdir /data/lost+found 0770 root root 228 229 # create directory for DRM plug-ins - give drm the read/write access to 230 # the following directory. 231 mkdir /data/drm 0770 drm drm 232 233 # If there is no fs-post-data action in the init.<device>.rc file, you 234 # must uncomment this line, otherwise encrypted filesystems 235 # won't work. 236 # Set indication (checked by vold) that we have finished this action 237 #setprop vold.post_fs_data_done 1 238 239on boot 240# basic network init 241 ifup lo 242 hostname localhost 243 domainname localdomain 244 245# set RLIMIT_NICE to allow priorities from 19 to -20 246 setrlimit 13 40 40 247 248# Memory management. Basic kernel parameters, and allow the high 249# level system server to be able to adjust the kernel OOM driver 250# parameters to match how it is managing things. 251 write /proc/sys/vm/overcommit_memory 1 252 write /proc/sys/vm/min_free_order_shift 4 253 chown root system /sys/module/lowmemorykiller/parameters/adj 254 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 255 chown root system /sys/module/lowmemorykiller/parameters/minfree 256 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 257 258 # Tweak background writeout 259 write /proc/sys/vm/dirty_expire_centisecs 200 260 write /proc/sys/vm/dirty_background_ratio 5 261 262 # Permissions for System Server and daemons. 263 chown radio system /sys/android_power/state 264 chown radio system /sys/android_power/request_state 265 chown radio system /sys/android_power/acquire_full_wake_lock 266 chown radio system /sys/android_power/acquire_partial_wake_lock 267 chown radio system /sys/android_power/release_wake_lock 268 chown system system /sys/power/autosleep 269 chown system system /sys/power/state 270 chown system system /sys/power/wakeup_count 271 chown radio system /sys/power/wake_lock 272 chown radio system /sys/power/wake_unlock 273 chmod 0660 /sys/power/state 274 chmod 0660 /sys/power/wake_lock 275 chmod 0660 /sys/power/wake_unlock 276 277 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 278 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 279 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 280 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 281 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 282 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 283 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 284 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 285 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 286 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 287 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 288 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 289 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 290 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 291 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 292 293 # Assume SMP uses shared cpufreq policy for all CPUs 294 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 295 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 296 297 chown system system /sys/class/timed_output/vibrator/enable 298 chown system system /sys/class/leds/keyboard-backlight/brightness 299 chown system system /sys/class/leds/lcd-backlight/brightness 300 chown system system /sys/class/leds/button-backlight/brightness 301 chown system system /sys/class/leds/jogball-backlight/brightness 302 chown system system /sys/class/leds/red/brightness 303 chown system system /sys/class/leds/green/brightness 304 chown system system /sys/class/leds/blue/brightness 305 chown system system /sys/class/leds/red/device/grpfreq 306 chown system system /sys/class/leds/red/device/grppwm 307 chown system system /sys/class/leds/red/device/blink 308 chown system system /sys/class/leds/red/brightness 309 chown system system /sys/class/leds/green/brightness 310 chown system system /sys/class/leds/blue/brightness 311 chown system system /sys/class/leds/red/device/grpfreq 312 chown system system /sys/class/leds/red/device/grppwm 313 chown system system /sys/class/leds/red/device/blink 314 chown system system /sys/class/timed_output/vibrator/enable 315 chown system system /sys/module/sco/parameters/disable_esco 316 chown system system /sys/kernel/ipv4/tcp_wmem_min 317 chown system system /sys/kernel/ipv4/tcp_wmem_def 318 chown system system /sys/kernel/ipv4/tcp_wmem_max 319 chown system system /sys/kernel/ipv4/tcp_rmem_min 320 chown system system /sys/kernel/ipv4/tcp_rmem_def 321 chown system system /sys/kernel/ipv4/tcp_rmem_max 322 chown root radio /proc/cmdline 323 324# Define TCP buffer sizes for various networks 325# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 326 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 327 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 328 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 329 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 330 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 331 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 332 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 333 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 334 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 335 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 336 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 337 338# Set this property so surfaceflinger is not started by system_init 339 setprop system_init.startsurfaceflinger 0 340 341 class_start core 342 class_start main 343 344on nonencrypted 345 class_start late_start 346 347on charger 348 class_start charger 349 350on property:vold.decrypt=trigger_reset_main 351 class_reset main 352 353on property:vold.decrypt=trigger_load_persist_props 354 load_persist_props 355 356on property:vold.decrypt=trigger_post_fs_data 357 trigger post-fs-data 358 359on property:vold.decrypt=trigger_restart_min_framework 360 class_start main 361 362on property:vold.decrypt=trigger_restart_framework 363 class_start main 364 class_start late_start 365 366on property:vold.decrypt=trigger_shutdown_framework 367 class_reset late_start 368 class_reset main 369 370## Daemon processes to be run by init. 371## 372service ueventd /sbin/ueventd 373 class core 374 critical 375 seclabel u:r:ueventd:s0 376 377on property:selinux.reload_policy=1 378 restart ueventd 379 restart installd 380 381service console /system/bin/sh 382 class core 383 console 384 disabled 385 user shell 386 group log 387 388on property:ro.debuggable=1 389 start console 390 391# adbd is controlled via property triggers in init.<platform>.usb.rc 392service adbd /sbin/adbd 393 class core 394 socket adbd stream 660 system system 395 disabled 396 seclabel u:r:adbd:s0 397 398# adbd on at boot in emulator 399on property:ro.kernel.qemu=1 400 start adbd 401 402service servicemanager /system/bin/servicemanager 403 class core 404 user system 405 group system 406 critical 407 onrestart restart zygote 408 onrestart restart media 409 onrestart restart surfaceflinger 410 onrestart restart drm 411 412service vold /system/bin/vold 413 class core 414 socket vold stream 0660 root mount 415 ioprio be 2 416 417service netd /system/bin/netd 418 class main 419 socket netd stream 0660 root system 420 socket dnsproxyd stream 0660 root inet 421 socket mdns stream 0660 root system 422 423service debuggerd /system/bin/debuggerd 424 class main 425 426service ril-daemon /system/bin/rild 427 class main 428 socket rild stream 660 root radio 429 socket rild-debug stream 660 radio system 430 user root 431 group radio cache inet misc audio log 432 433service surfaceflinger /system/bin/surfaceflinger 434 class main 435 user system 436 group graphics 437 onrestart restart zygote 438 439service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 440 class main 441 socket zygote stream 660 root system 442 onrestart write /sys/android_power/request_state wake 443 onrestart write /sys/power/state on 444 onrestart restart media 445 onrestart restart netd 446 447service drm /system/bin/drmserver 448 class main 449 user drm 450 group drm system inet drmrpc 451 452service media /system/bin/mediaserver 453 class main 454 user media 455 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 456 ioprio rt 4 457 458service bootanim /system/bin/bootanimation 459 class main 460 user graphics 461 group graphics 462 disabled 463 oneshot 464 465service installd /system/bin/installd 466 class main 467 socket installd stream 600 system system 468 469service flash_recovery /system/etc/install-recovery.sh 470 class main 471 oneshot 472 473service racoon /system/bin/racoon 474 class main 475 socket racoon stream 600 system system 476 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 477 group vpn net_admin inet 478 disabled 479 oneshot 480 481service mtpd /system/bin/mtpd 482 class main 483 socket mtpd stream 600 system system 484 user vpn 485 group vpn net_admin inet net_raw 486 disabled 487 oneshot 488 489service keystore /system/bin/keystore /data/misc/keystore 490 class main 491 user keystore 492 group keystore drmrpc 493 socket keystore stream 666 494 495service dumpstate /system/bin/dumpstate -s 496 class main 497 socket dumpstate stream 0660 shell log 498 disabled 499 oneshot 500 501service sshd /system/bin/start-ssh 502 class main 503 disabled 504 505service mdnsd /system/bin/mdnsd 506 class main 507 user mdnsr 508 group inet net_raw 509 socket mdnsd stream 0660 mdnsr inet 510 disabled 511 oneshot 512