init.rc revision 5822a4af8406fb6e9ecc675297af19852b378ca0
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /init.usb.rc
9import /init.${ro.hardware}.rc
10import /init.${ro.zygote}.rc
11import /init.trace.rc
12
# early-init: the first action defined in this file. It sets init's OOM
# adjustment, tightens SELinux PROT_EXEC checking, moves init into its own
# SELinux context and relabels /adb_keys before ueventd is started.
13on early-init
14    # Set init and its forked children's oom_adj.
15    write /proc/1/oom_adj -16
16
17    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 = check the protection the kernel will actually apply rather than
    # the one the application requested.
18    write /sys/fs/selinux/checkreqprot 0
19
20    # Set the security context for the init process.
21    # This should occur before anything else (e.g. ueventd) is started.
22    setcon u:r:init:s0
23
24    # Set the security context of /adb_keys if present.
    # NOTE(review): /adb_keys presumably lists the public keys adbd trusts;
    # confirm it is read-only and correctly labelled on production builds.
25    restorecon /adb_keys
26
27    start ueventd
28
29# create mountpoints
    # 0775 root:system - writable by root and the system group, not by others.
30    mkdir /mnt 0775 root system
31
# init: creates the root-level directories and symlinks, mounts the cgroup and
# tmpfs hierarchies, and writes kernel tunables under /proc/sys. Command order
# matters here (each mkdir precedes the mount or chown that uses it).
32on init
33
# NOTE(review): sysclktz and loglevel are written at column 0 but sit inside
# the 'on init' section; presumably init treats them as commands of this
# action - confirm.
34sysclktz 0
35
36loglevel 3
37
38# Backward compatibility
39    symlink /system/etc /etc
40    symlink /sys/kernel/debug /d
41
42# Right now vendor lives on the same filesystem as system,
43# but someday that may change.
44    symlink /system/vendor /vendor
45
46# Create cgroup mount point for cpu accounting
47    mkdir /acct
48    mount cgroup none /acct cpuacct
49    mkdir /acct/uid
50
51# Create cgroup mount point for memory
    # gid=1000 is presumably the 'system' group, matching the 'root system'
    # ownership used on the lines below - confirm.
52    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
53    mkdir /sys/fs/cgroup/memory 0750 root system
54    mount cgroup none /sys/fs/cgroup/memory memory
55    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    # tasks files are 0660 root:system, so only root and the system group can
    # move a task into these memory cgroups.
56    chown root system /sys/fs/cgroup/memory/tasks
57    chmod 0660 /sys/fs/cgroup/memory/tasks
58    mkdir /sys/fs/cgroup/memory/sw 0750 root system
59    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
60    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
61    chown root system /sys/fs/cgroup/memory/sw/tasks
62    chmod 0660 /sys/fs/cgroup/memory/sw/tasks
63
64    mkdir /system
    # None of the directories below grants write access to 'others'.
65    mkdir /data 0771 system system
66    mkdir /cache 0770 system cache
67    mkdir /config 0500 root root
68
69    # See storage config details at http://source.android.com/tech/storage/
70    mkdir /mnt/shell 0700 shell shell
71    mkdir /mnt/media_rw 0700 media_rw media_rw
72    mkdir /storage 0751 root sdcard_r
73
74    # Directory for putting things only root should see.
75    mkdir /mnt/secure 0700 root root
76
77    # Directory for staging bindmounts
78    mkdir /mnt/secure/staging 0700 root root
79
80    # Directory-target for where the secure container
81    # imagefile directory will be bind-mounted
82    mkdir /mnt/secure/asec  0700 root root
83
84    # Secure container public mount points.
    # The tmpfs mounted on top is mode=0755, so the 0700 given to mkdir only
    # describes the directory underneath the mount.
85    mkdir /mnt/asec  0700 root system
86    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
87
88    # Filesystem image public mount points.
    # Same mkdir 0700 / tmpfs mode=0755 pattern as /mnt/asec.
89    mkdir /mnt/obb 0700 root system
90    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
91
    # Kernel tunables. The security-relevant ones are annotated individually.
    # panic_on_oops 1: panic instead of continuing after a kernel oops.
92    write /proc/sys/kernel/panic_on_oops 1
93    write /proc/sys/kernel/hung_task_timeout_secs 0
94    write /proc/cpu/alignment 4
95    write /proc/sys/kernel/sched_latency_ns 10000000
96    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
97    write /proc/sys/kernel/sched_compat_yield 1
98    write /proc/sys/kernel/sched_child_runs_first 0
    # randomize_va_space 2: randomize stack, mmap base, VDSO and heap (brk).
99    write /proc/sys/kernel/randomize_va_space 2
    # kptr_restrict 2: kernel pointers printed with %pK are hidden from all
    # users.
100    write /proc/sys/kernel/kptr_restrict 2
    # dmesg_restrict 1: reading the kernel log requires CAP_SYSLOG.
101    write /proc/sys/kernel/dmesg_restrict 1
    # mmap_min_addr 32768: user mappings below 32 KiB are refused, which
    # limits the impact of kernel NULL-pointer dereferences.
102    write /proc/sys/vm/mmap_min_addr 32768
    # A range of 0..2147483647 lets every group open unprivileged ICMP echo
    # sockets, so ping needs no raw-socket privilege.
103    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
104    write /proc/sys/net/unix/max_dgram_qlen 300
105    write /proc/sys/kernel/sched_rt_runtime_us 950000
106    write /proc/sys/kernel/sched_rt_period_us 1000000
107
108# Create cgroup mount points for process groups
109    mkdir /dev/cpuctl
110    mount cgroup none /dev/cpuctl cpu
111    chown system system /dev/cpuctl
112    chown system system /dev/cpuctl/tasks
113    chmod 0660 /dev/cpuctl/tasks
114    write /dev/cpuctl/cpu.shares 1024
115    write /dev/cpuctl/cpu.rt_runtime_us 950000
116    write /dev/cpuctl/cpu.rt_period_us 1000000
117
118    mkdir /dev/cpuctl/apps
119    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file world-writable, which the
    # header of this file warns against. Presumably deliberate so that any
    # process can move its own threads into the group - confirm, and check
    # that SELinux policy bounds who may write here.
120    chmod 0666 /dev/cpuctl/apps/tasks
121    write /dev/cpuctl/apps/cpu.shares 1024
122    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
123    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
124
125    mkdir /dev/cpuctl/apps/bg_non_interactive
126    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same concern as apps/tasks above.
127    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
128    # 5.0 %
    # 52 is roughly 5% of the 1024 shares written for the groups above.
129    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
130    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
131    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
132
133# qtaguid will limit access to specific data based on group memberships.
134#   net_bw_acct grants impersonation of socket owners.
135#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    # Only the group is changed on these two files; their mode is not touched
    # in this section.
136    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
137    chown root net_bw_stats /proc/net/xt_qtaguid/stats
138
139# Allow everybody to read the xt_qtaguid resource tracking misc dev.
140# This is needed by any process that uses socket tagging.
    # 0644: world-readable, writable by the owner only.
141    chmod 0644 /dev/xt_qtaguid
142
143# Create location for fs_mgr to store abbreviated output from filesystem
144# checker programs.
145    mkdir /dev/fscklogs 0770 root system
146
# post-fs: remounts / read-only, re-applies ownership, mode and SELinux labels
# on /cache, and sets owner and mode on several /proc diagnostics files.
147on post-fs
148    # once everything is setup, no need to modify /
149    mount rootfs rootfs / ro remount
150    # mount shared so changes propagate into child namespaces
151    mount rootfs rootfs / shared rec
152
153    # We chown/chmod /cache again so because mount is run as root + defaults
154    chown system cache /cache
155    chmod 0770 /cache
156    # We restorecon /cache in case the cache partition has been reset.
157    restorecon /cache
158
159    # This may have been created by the recovery system with odd permissions
160    chown system cache /cache/recovery
161    chmod 0770 /cache/recovery
162    # This may have been created by the recovery system with the wrong context.
163    restorecon /cache/recovery
164
165    #change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log - readable by root and the log group only; these files
    # describe kernel memory layout.
166    chown root log /proc/vmallocinfo
167    chmod 0440 /proc/vmallocinfo
168
169    chown root log /proc/slabinfo
170    chmod 0440 /proc/slabinfo
171
172    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
173    chown root system /proc/kmsg
174    chmod 0440 /proc/kmsg
175    chown root system /proc/sysrq-trigger
    # 0220: write-only for root and the system group, no access for others.
176    chmod 0220 /proc/sysrq-trigger
177    chown system log /proc/last_kmsg
178    chmod 0440 /proc/last_kmsg
179
180    # make the selinux kernel policy world-readable
    # NOTE(review): 0444 lets every process read the loaded policy; confirm
    # that the policy is meant to be public on this platform.
181    chmod 0444 /sys/fs/selinux/policy
182
183    # create the lost+found directories, so as to enforce our permissions
184    mkdir /cache/lost+found 0770 root root
185
# post-fs-data: re-applies ownership and labels on /data, seeds the entropy
# pool, collects apanic dumps, creates the /data directory layout with fixed
# owners and modes, then requests an SELinux policy reload and relabels /data.
186on post-fs-data
187    # We chown/chmod /data again so because mount is run as root + defaults
188    chown system system /data
189    chmod 0771 /data
190    # We restorecon /data in case the userdata partition has been reset.
191    restorecon /data
192
193    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # On Linux a write to /dev/urandom mixes the data into the pool without
    # crediting entropy, so a stale file cannot inflate the entropy estimate.
194    copy /data/system/entropy.dat /dev/urandom
195
196    # Create dump dir and collect dumps.
197    # Do this before we mount cache so eventually we can use cache for
198    # storing dumps on platforms which do not have a dedicated dump partition.
199    mkdir /data/dontpanic 0750 root log
200
201    # Collect apanic data, free resources and re-arm trigger
    # Copies are narrowed to 0640 root:log, matching the 0750 root:log
    # directory that holds them.
202    copy /proc/apanic_console /data/dontpanic/apanic_console
203    chown root log /data/dontpanic/apanic_console
204    chmod 0640 /data/dontpanic/apanic_console
205
206    copy /proc/apanic_threads /data/dontpanic/apanic_threads
207    chown root log /data/dontpanic/apanic_threads
208    chmod 0640 /data/dontpanic/apanic_threads
209
210    write /proc/apanic_console 1
211
212    # create basic filesystem structure
    # Leading 1 in 01771 is the sticky bit: entries can be removed or renamed
    # only by their owner (or the directory owner).
213    mkdir /data/misc 01771 system misc
    # Leading 2 in 02750 is setgid: new entries inherit the 'shell' group.
214    mkdir /data/misc/adb 02750 system shell
215    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
216    mkdir /data/misc/bluetooth 0770 system system
    # 0700 keystore:keystore - no group or other access to key material.
217    mkdir /data/misc/keystore 0700 keystore keystore
218    mkdir /data/misc/keychain 0771 system system
219    mkdir /data/misc/radio 0770 system radio
220    mkdir /data/misc/sms 0770 system radio
221    mkdir /data/misc/zoneinfo 0775 system system
222    mkdir /data/misc/vpn 0770 system vpn
223    mkdir /data/misc/systemkeys 0700 system system
224    mkdir /data/misc/wifi 0770 wifi wifi
225    mkdir /data/misc/wifi/sockets 0770 wifi wifi
226    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
227    mkdir /data/misc/dhcp 0770 dhcp dhcp
228    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): only the mode is set here; the file's owner and group are
    # not visible in this section. The file presumably holds Wi-Fi
    # credentials - confirm the group that gains rw access is the intended one.
229    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
230    mkdir /data/local 0751 root root
231    mkdir /data/misc/media 0700 media media
232
233    # For security reasons, /data/local/tmp should always be empty.
234    # Do not place files or directories in /data/local/tmp
    # 0771 shell:shell - others get search (x) only, so they can neither list
    # nor create entries here.
235    mkdir /data/local/tmp 0771 shell shell
236    mkdir /data/data 0771 system system
237    mkdir /data/app-private 0771 system system
238    mkdir /data/app-asec 0700 root root
239    mkdir /data/app-lib 0771 system system
240    mkdir /data/app 0771 system system
241    mkdir /data/property 0700 root root
242    mkdir /data/ssh 0750 root shell
243    mkdir /data/ssh/empty 0700 root root
244
245    # create dalvik-cache, so as to enforce our permissions
246    mkdir /data/dalvik-cache 0771 system system
247
248    # create resource-cache and double-check the perms
249    mkdir /data/resource-cache 0771 system system
250    chown system system /data/resource-cache
251    chmod 0771 /data/resource-cache
252
253    # create the lost+found directories, so as to enforce our permissions
254    mkdir /data/lost+found 0770 root root
255
256    # create directory for DRM plug-ins - give drm the read/write access to
257    # the following directory.
258    mkdir /data/drm 0770 drm drm
259
260    # create directory for MediaDrm plug-ins - give drm the read/write access to
261    # the following directory.
262    mkdir /data/mediadrm 0770 mediadrm mediadrm
263
264    # symlink to bugreport storage location
265    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
266
267    # Separate location for storing security policy files on data
    # 0711 system:system - only the system user can create or replace files
    # here; everyone else can traverse but not list.
268    mkdir /data/security 0711 system system
269
270    # Reload policy from /data/security if present.
    # NOTE(review): a policy loaded from /data replaces what shipped on the
    # read-only image; confirm that only a trusted updater can write into
    # /data/security and that the files are verified before use.
271    setprop selinux.reload_policy 1
272
273    # Set SELinux security contexts on upgrade or policy update.
274    restorecon_recursive /data
275
276    # If there is no fs-post-data action in the init.<device>.rc file, you
277    # must uncomment this line, otherwise encrypted filesystems
278    # won't work.
279    # Set indication (checked by vold) that we have finished this action
280    #setprop vold.post_fs_data_done 1
281
# boot: brings up loopback networking, sets memory-management tunables, hands
# a fixed list of /sys and /proc control files to the system or radio users,
# publishes TCP buffer-size properties and starts the 'core' and 'main'
# service classes.
282on boot
283# basic network init
284    ifup lo
285    hostname localhost
286    domainname localdomain
287
288# set RLIMIT_NICE to allow priorities from 19 to -20
289    setrlimit 13 40 40
290
291# Memory management.  Basic kernel parameters, and allow the high
292# level system server to be able to adjust the kernel OOM driver
293# parameters to match how it is managing things.
294    write /proc/sys/vm/overcommit_memory 1
295    write /proc/sys/vm/min_free_order_shift 4
    # 0664 root:system - writable by root and the system group, readable by
    # everyone.
296    chown root system /sys/module/lowmemorykiller/parameters/adj
297    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
298    chown root system /sys/module/lowmemorykiller/parameters/minfree
299    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
300
301    # Tweak background writeout
302    write /proc/sys/vm/dirty_expire_centisecs 200
303    write /proc/sys/vm/dirty_background_ratio  5
304
305    # Permissions for System Server and daemons.
    # Only ownership changes for most of these nodes; an explicit mode (0660)
    # is set just for state, wake_lock and wake_unlock below.
306    chown radio system /sys/android_power/state
307    chown radio system /sys/android_power/request_state
308    chown radio system /sys/android_power/acquire_full_wake_lock
309    chown radio system /sys/android_power/acquire_partial_wake_lock
310    chown radio system /sys/android_power/release_wake_lock
311    chown system system /sys/power/autosleep
312    chown system system /sys/power/state
313    chown system system /sys/power/wakeup_count
314    chown radio system /sys/power/wake_lock
315    chown radio system /sys/power/wake_unlock
316    chmod 0660 /sys/power/state
317    chmod 0660 /sys/power/wake_lock
318    chmod 0660 /sys/power/wake_unlock
319
    # cpufreq 'interactive' governor knobs: owned by system and limited to
    # 0660, so other users cannot read or change them.
320    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
321    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
322    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
323    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
324    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
325    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
326    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
327    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
328    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
329    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
330    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
331    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
332    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
333    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
334    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
335    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): unlike its neighbours, boostpulse gets a chown but no
    # chmod, so its mode stays whatever the kernel driver assigns - confirm.
336    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
337    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
338    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
339    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
340    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
341    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
342    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
343
344    # Assume SMP uses shared cpufreq policy for all CPUs
345    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
346    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
347
348    chown system system /sys/class/timed_output/vibrator/enable
349    chown system system /sys/class/leds/keyboard-backlight/brightness
350    chown system system /sys/class/leds/lcd-backlight/brightness
351    chown system system /sys/class/leds/button-backlight/brightness
352    chown system system /sys/class/leds/jogball-backlight/brightness
353    chown system system /sys/class/leds/red/brightness
354    chown system system /sys/class/leds/green/brightness
355    chown system system /sys/class/leds/blue/brightness
356    chown system system /sys/class/leds/red/device/grpfreq
357    chown system system /sys/class/leds/red/device/grppwm
358    chown system system /sys/class/leds/red/device/blink
    # NOTE(review): repeats the vibrator/enable chown from the start of this
    # group; redundant but harmless.
359    chown system system /sys/class/timed_output/vibrator/enable
360    chown system system /sys/module/sco/parameters/disable_esco
361    chown system system /sys/kernel/ipv4/tcp_wmem_min
362    chown system system /sys/kernel/ipv4/tcp_wmem_def
363    chown system system /sys/kernel/ipv4/tcp_wmem_max
364    chown system system /sys/kernel/ipv4/tcp_rmem_min
365    chown system system /sys/kernel/ipv4/tcp_rmem_def
366    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Group of /proc/cmdline becomes radio; the mode is not changed here.
    # NOTE(review): the kernel command line may carry device identifiers -
    # confirm what the radio group needs from it.
367    chown root radio /proc/cmdline
368
369# Define TCP buffer sizes for various networks
370#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
371    setprop net.tcp.buffersize.default  4096,87380,110208,4096,16384,110208
372    setprop net.tcp.buffersize.wifi     524288,1048576,2097152,262144,524288,1048576
373    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
374    setprop net.tcp.buffersize.lte      524288,1048576,2097152,262144,524288,1048576
375    setprop net.tcp.buffersize.umts     4094,87380,110208,4096,16384,110208
376    setprop net.tcp.buffersize.hspa     4094,87380,262144,4096,16384,262144
377    setprop net.tcp.buffersize.hsupa    4094,87380,262144,4096,16384,262144
378    setprop net.tcp.buffersize.hsdpa    4094,87380,262144,4096,16384,262144
379    setprop net.tcp.buffersize.hspap    4094,87380,1220608,4096,16384,1220608
380    setprop net.tcp.buffersize.edge     4093,26280,35040,4096,16384,35040
381    setprop net.tcp.buffersize.gprs     4092,8760,11680,4096,8760,11680
382    setprop net.tcp.buffersize.evdo     4094,87380,262144,4096,16384,262144
383
    # Services marked 'disabled' are skipped by class_start and must be
    # started by name.
384    class_start core
385    class_start main
386
# late_start is started here on the 'nonencrypted' trigger; the
# vold.decrypt=trigger_restart_framework handler later in this file starts it
# on the other path.
387on nonencrypted
388    class_start late_start
389
# charger: starts only the 'charger' class (healthd-charger is the one service
# in this file that declares it).
390on charger
391    class_start charger
392
# Handlers keyed on the vold.decrypt property. Each value resets or starts
# whole service classes, reloads persistent properties or re-runs post-fs-data.
# NOTE(review): anything able to set vold.decrypt can drive these actions;
# confirm that write access to the property is limited to vold.
393on property:vold.decrypt=trigger_reset_main
394    class_reset main
395
396on property:vold.decrypt=trigger_load_persist_props
397    load_persist_props
398
399on property:vold.decrypt=trigger_post_fs_data
400    trigger post-fs-data
401
402on property:vold.decrypt=trigger_restart_min_framework
403    class_start main
404
405on property:vold.decrypt=trigger_restart_framework
406    class_start main
407    class_start late_start
408
409on property:vold.decrypt=trigger_shutdown_framework
410    class_reset late_start
411    class_reset main
412
# Any value written to sys.powerctl is passed to init's powerctl command.
# NOTE(review): confirm which domains may set sys.powerctl, since the property
# is the only gate visible here.
413on property:sys.powerctl=*
414    powerctl ${sys.powerctl}
415
416# system server cannot write to /proc/sys files, so proxy it through init
# The property value is written as-is; no range check is visible in this file.
# NOTE(review): relies on property permissions to restrict who can set
# sys.sysctl.extra_free_kbytes - confirm.
417on property:sys.sysctl.extra_free_kbytes=*
418    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
419
420## Daemon processes to be run by init.
421##
# ueventd, logd and healthd declare no 'user' option, so they presumably keep
# init's root identity and are confined by their seclabel alone - confirm.
422service ueventd /sbin/ueventd
423    class core
424    critical
425    seclabel u:r:ueventd:s0
426
427service logd /system/bin/logd
428    class core
    # NOTE(review): logd and logdr are 0666 and logdw is 0222 (write-only),
    # i.e. reachable by every process. Access control therefore has to come
    # from logd itself and from SELinux policy - confirm.
429    socket logd stream 0666 logd logd
430    socket logdr seqpacket 0666 logd logd
431    socket logdw dgram 0222 logd logd
432    seclabel u:r:logd:s0
433
434service healthd /sbin/healthd
435    class core
436    critical
437    seclabel u:r:healthd:s0
438
# Same binary and SELinux domain as healthd, started with -n and placed in the
# 'charger' class instead of 'core'.
439service healthd-charger /sbin/healthd -n
440    class charger
441    critical
442    seclabel u:r:healthd:s0
443
# Console shell: 'disabled', so class_start core does not launch it. It is
# started only by the ro.debuggable=1 trigger below and runs as user shell,
# group log, in the shell SELinux domain.
444service console /system/bin/sh
445    class core
446    console
447    disabled
448    user shell
449    group log
450    seclabel u:r:shell:s0
451
# NOTE(review): production builds are expected to ship ro.debuggable=0 so
# that no console shell is started - confirm in the build configuration.
452on property:ro.debuggable=1
453    start console
454
455# adbd is controlled via property triggers in init.<platform>.usb.rc
# No 'user' option is given, so adbd presumably starts as root - confirm.
# NOTE(review): --root_seclabel presumably names the SELinux context adbd uses
# when it stays root; confirm the su domain is absent from production policy.
456service adbd /sbin/adbd --root_seclabel=u:r:su:s0
457    class core
    # NOTE(review): mode is written as 660 without a leading 0; presumably
    # still parsed as octal like the 0660 sockets elsewhere - confirm.
458    socket adbd stream 660 system system
459    disabled
460    seclabel u:r:adbd:s0
461
462# adbd on at boot in emulator
463on property:ro.kernel.qemu=1
464    start adbd
465
# servicemanager runs as system:system and is marked critical. When it
# restarts, init also restarts the five services listed under onrestart.
466service servicemanager /system/bin/servicemanager
467    class core
468    user system
469    group system
    # critical: init reboots the device into recovery if the service keeps
    # exiting (more than four times in four minutes).
470    critical
471    onrestart restart healthd
472    onrestart restart zygote
473    onrestart restart media
474    onrestart restart surfaceflinger
475    onrestart restart drm
476
# vold and netd declare neither 'user' nor 'seclabel' here.
# NOTE(review): they presumably run as root, with the SELinux domain assigned
# by a type transition on the executable's label - confirm in policy.
477service vold /system/bin/vold
478    class core
    # 0660 root:mount - only root and the mount group can connect.
479    socket vold stream 0660 root mount
480    ioprio be 2
481
482service netd /system/bin/netd
483    class main
    # All three sockets are 0660; dnsproxyd is opened to the inet group, the
    # other two to the system group.
484    socket netd stream 0660 root system
485    socket dnsproxyd stream 0660 root inet
486    socket mdns stream 0660 root system
487
# debuggerd and debuggerd64 set only a class: no user, group or seclabel.
# NOTE(review): presumably root with a policy-assigned domain - confirm.
488service debuggerd /system/bin/debuggerd
489    class main
490
491service debuggerd64 /system/bin/debuggerd64
492    class main
493
# rild is explicitly started as root with six supplementary groups.
# NOTE(review): the source does not show whether rild drops root after start;
# confirm, since it presumably handles data coming from the modem.
494service ril-daemon /system/bin/rild
495    class main
496    socket rild stream 660 root radio
497    socket rild-debug stream 660 radio system
498    user root
499    group radio cache inet misc audio log
500
# surfaceflinger, drm and media each run under a dedicated non-root user.
501service surfaceflinger /system/bin/surfaceflinger
502    class main
503    user system
504    group graphics drmrpc
505    onrestart restart zygote
506
507service drm /system/bin/drmserver
508    class main
509    user drm
510    group drm system inet drmrpc
511
512service media /system/bin/mediaserver
513    class main
514    user media
    # NOTE(review): nine supplementary groups, including inet, camera, audio
    # and net_bw_acct. A compromise of this one process would inherit all of
    # them; check whether each group is still required.
515    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
516    ioprio rt 4
517
# bootanim: unprivileged (graphics:graphics), disabled and oneshot, so it runs
# only when started by name and is not restarted after it exits.
518service bootanim /system/bin/bootanimation
519    class main
520    user graphics
521    group graphics
522    disabled
523    oneshot
524
# installd has no 'user' option (presumably root - confirm); its control
# socket is 600 system:system, so only the system user can send it requests.
525service installd /system/bin/installd
526    class main
527    socket installd stream 600 system system
528
# NOTE(review): runs a shell script from /system/etc once per boot with no
# 'user' or 'seclabel' option, so presumably as root. Its safety rests on
# /system being read-only and verified - confirm.
529service flash_recovery /system/etc/install-recovery.sh
530    class main
531    oneshot
532
# VPN daemons. Both are disabled and oneshot: started by name on demand and
# not restarted on exit. Their control sockets are 600 system:system.
533service racoon /system/bin/racoon
534    class main
535    socket racoon stream 600 system system
536    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    # No 'user' option here, consistent with the comment above: the privilege
    # drop is left to racoon itself. NOTE(review): confirm it happens on every
    # code path.
537    group vpn net_admin inet
538    disabled
539    oneshot
540
541service mtpd /system/bin/mtpd
542    class main
543    socket mtpd stream 600 system system
    # Unlike racoon, mtpd is started directly as the vpn user.
544    user vpn
545    group vpn net_admin inet net_raw
546    disabled
547    oneshot
548
# keystore runs as its own user and is handed /data/misc/keystore, which
# post-fs-data creates as 0700 keystore:keystore.
549service keystore /system/bin/keystore /data/misc/keystore
550    class main
551    user keystore
552    group keystore drmrpc
553
# dumpstate: disabled and oneshot, with no 'user' option (presumably root -
# confirm). Its socket is limited to the shell user and the log group.
554service dumpstate /system/bin/dumpstate -s
555    class main
556    socket dumpstate stream 0660 shell log
557    disabled
558    oneshot
559
# sshd: disabled, so it never starts with its class.
# NOTE(review): no 'user' or 'seclabel' option; confirm what starts it and
# that it is not reachable on production builds.
560service sshd /system/bin/start-ssh
561    class main
562    disabled
563
# mdnsd: runs as the mdnsr user with the inet and net_raw groups; disabled and
# oneshot.
564service mdnsd /system/bin/mdnsd
565    class main
566    user mdnsr
567    group inet net_raw
568    socket mdnsd stream 0660 mdnsr inet
569    disabled
570    oneshot
571