init.rc revision 52ea510f8fa84b634ffff18b75b5a3f95e302ba6
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Layout of this file: `import` pulls in further .rc files, each
# `on <trigger>` section lists commands that run in order when the trigger
# fires, and each `service` section declares a daemon launched by init.
# The owner/group/mode arguments below decide which uids can reach each
# path, so review every mkdir/chown/chmod change as a permission change.

# The second import is chosen at boot by the value of ro.hardware.
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_adj -16

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

# create mountpoints
    mkdir /mnt 0775 root system

on init

sysclktz 0

loglevel 3

# setup the global environment
    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
    export LD_LIBRARY_PATH /vendor/lib:/system/lib
    export ANDROID_BOOTLOGO 1
    export ANDROID_ROOT /system
    export ANDROID_ASSETS /system/app
    export ANDROID_DATA /data
    export ANDROID_STORAGE /storage
    export ASEC_MOUNTPOINT /mnt/asec
    export LOOP_MOUNTPOINT /mnt/obb
    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar

# Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    # Mode 0050: only group sdcard_r gets read/traverse; the owner and
    # "other" permission bits are empty.
    mkdir /storage 0050 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root
    # Create private mountpoint so we can MS_MOVE from staging
    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The tmpfs mounted on top carries mode=0755,gid=1000, so while it is
    # mounted the visible permissions are 0755, not the 0700 given to mkdir.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: the mount options, not the mkdir mode,
    # define what is visible once the tmpfs is in place.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # Kernel hardening knobs: full address-space randomisation, kernel
    # pointers hidden from all readers, dmesg restricted to privileged
    # callers, and no user mappings below 32 KiB (limits the impact of
    # kernel NULL-pointer dereferences).
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    # NOTE(review): this range covers every gid, so any process may open
    # unprivileged ICMP (ping) sockets. That puts the kernel's ping-socket
    # code in reach of all apps; narrow the range if only specific groups
    # need it.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file world-writable, which is at
    # odds with the warning at the top of this file. Any uid can move tasks
    # into this cgroup; confirm the scheduling design still requires it.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; any uid can place a task in the
    # low-share background group.
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# qtaguid will limit access to specific data based on group memberships.
#   net_bw_acct grants impersonation of socket owners.
#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec
    mount tmpfs tmpfs /mnt/secure private rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg becomes readable by group system. sysrq-trigger is write-only
    # (0220) for root and group system, so every member of that group can
    # request sysrq actions from the kernel; keep the membership tight.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # 01771 sets the sticky bit on /data/misc; 02750 sets the setgid bit on
    # /data/misc/adb so files created there inherit group shell.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # Reachable only by uid keystore, the user the keystore service below
    # runs as.
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    # give system access to wpa_supplicant.conf for backup and restore
    mkdir /data/misc/wifi 0770 wifi wifi
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # Set security context of any pre-existing /data/misc/adb/adb_keys file.
    restorecon /data/misc/adb
    restorecon /data/misc/adb/adb_keys

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    # Owned by system and writable only by it (0711). Because policy is
    # reloaded from here just below, whoever can write this directory
    # influences the SELinux policy in force.
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    setprop selinux.reload_policy 1

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

# Memory management.  Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # boostpulse is the one entry in this list that gets a chown but no chmod.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    # Repeats the vibrator chown from the start of this group.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

# Set these so we can remotely update SELinux policy
# NOTE(review): this hands file ownership of the enforcing/permissive
# switch to uid system. Whether a write succeeds then depends on the
# SELinux policy's setenforce permission, which is not visible in this
# file; confirm it is denied to every domain that should not hold it.
    chown system system /sys/fs/selinux/enforce

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet    524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144

# Set this property so surfaceflinger is not started by system_init
    setprop system_init.startsurfaceflinger 0

    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

# The vold.decrypt property triggers below stop and restart service classes
# as the property changes value.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

## Daemon processes to be run by init.
##
# NOTE(review): a service without a `user` line keeps init's identity (root
# according to the init documentation; confirm for this revision). In this
# file that applies to ueventd, adbd, vold, netd, debuggerd, zygote,
# installd, flash_recovery, racoon, dumpstate and sshd.
# Only ueventd and adbd carry an explicit seclabel; the SELinux domain of
# every other service is not set in this file.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

# Interactive shell on the console as user shell. It is `disabled`, and the
# only thing in this file that starts it is the ro.debuggable=1 trigger
# below.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main

# Explicitly root, with six supplementary groups: one of the more
# privileged daemons declared in this file.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

# The zygote socket is limited to root and group system (660).
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# NOTE(review): a shell script run once whenever class main starts, with no
# `user` line and no seclabel. Its integrity rests entirely on /system being
# read-only or verified, so include /system/etc/install-recovery.sh in
# file-integrity monitoring.
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# Disabled, so it runs only when something outside this file starts it
# explicitly.
service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot