init.rc revision 5822a4af8406fb6e9ecc675297af19852b378ca0
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.environ.rc 8import /init.usb.rc 9import /init.${ro.hardware}.rc 10import /init.${ro.zygote}.rc 11import /init.trace.rc 12 13on early-init 14 # Set init and its forked children's oom_adj. 15 write /proc/1/oom_adj -16 16 17 # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. 18 write /sys/fs/selinux/checkreqprot 0 19 20 # Set the security context for the init process. 21 # This should occur before anything else (e.g. ueventd) is started. 22 setcon u:r:init:s0 23 24 # Set the security context of /adb_keys if present. 25 restorecon /adb_keys 26 27 start ueventd 28 29# create mountpoints 30 mkdir /mnt 0775 root system 31 32on init 33 34sysclktz 0 35 36loglevel 3 37 38# Backward compatibility 39 symlink /system/etc /etc 40 symlink /sys/kernel/debug /d 41 42# Right now vendor lives on the same filesystem as system, 43# but someday that may change. 44 symlink /system/vendor /vendor 45 46# Create cgroup mount point for cpu accounting 47 mkdir /acct 48 mount cgroup none /acct cpuacct 49 mkdir /acct/uid 50 51# Create cgroup mount point for memory 52 mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000 53 mkdir /sys/fs/cgroup/memory 0750 root system 54 mount cgroup none /sys/fs/cgroup/memory memory 55 write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 56 chown root system /sys/fs/cgroup/memory/tasks 57 chmod 0660 /sys/fs/cgroup/memory/tasks 58 mkdir /sys/fs/cgroup/memory/sw 0750 root system 59 write /sys/fs/cgroup/memory/sw/memory.swappiness 100 60 write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 61 chown root system /sys/fs/cgroup/memory/sw/tasks 62 chmod 0660 /sys/fs/cgroup/memory/sw/tasks 63 64 mkdir /system 65 mkdir /data 0771 system system 66 mkdir /cache 0770 system cache 67 mkdir /config 0500 root root 68 69 # See storage config details at http://source.android.com/tech/storage/ 70 mkdir /mnt/shell 0700 shell shell 71 mkdir /mnt/media_rw 0700 media_rw media_rw 72 mkdir /storage 0751 root sdcard_r 73 74 # Directory for putting things only root should see. 75 mkdir /mnt/secure 0700 root root 76 77 # Directory for staging bindmounts 78 mkdir /mnt/secure/staging 0700 root root 79 80 # Directory-target for where the secure container 81 # imagefile directory will be bind-mounted 82 mkdir /mnt/secure/asec 0700 root root 83 84 # Secure container public mount points. 85 mkdir /mnt/asec 0700 root system 86 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 87 88 # Filesystem image public mount points. 89 mkdir /mnt/obb 0700 root system 90 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 91 92 write /proc/sys/kernel/panic_on_oops 1 93 write /proc/sys/kernel/hung_task_timeout_secs 0 94 write /proc/cpu/alignment 4 95 write /proc/sys/kernel/sched_latency_ns 10000000 96 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 97 write /proc/sys/kernel/sched_compat_yield 1 98 write /proc/sys/kernel/sched_child_runs_first 0 99 write /proc/sys/kernel/randomize_va_space 2 100 write /proc/sys/kernel/kptr_restrict 2 101 write /proc/sys/kernel/dmesg_restrict 1 102 write /proc/sys/vm/mmap_min_addr 32768 103 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 104 write /proc/sys/net/unix/max_dgram_qlen 300 105 write /proc/sys/kernel/sched_rt_runtime_us 950000 106 write /proc/sys/kernel/sched_rt_period_us 1000000 107 108# Create cgroup mount points for process groups 109 mkdir /dev/cpuctl 110 mount cgroup none /dev/cpuctl cpu 111 chown system system /dev/cpuctl 112 chown system system /dev/cpuctl/tasks 113 chmod 0660 /dev/cpuctl/tasks 114 write /dev/cpuctl/cpu.shares 1024 115 write /dev/cpuctl/cpu.rt_runtime_us 950000 116 write /dev/cpuctl/cpu.rt_period_us 1000000 117 118 mkdir /dev/cpuctl/apps 119 chown system system /dev/cpuctl/apps/tasks 120 chmod 0666 /dev/cpuctl/apps/tasks 121 write /dev/cpuctl/apps/cpu.shares 1024 122 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 123 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 124 125 mkdir /dev/cpuctl/apps/bg_non_interactive 126 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 127 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 128 # 5.0 % 129 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 130 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 131 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 132 133# qtaguid will limit access to specific data based on group memberships. 134# net_bw_acct grants impersonation of socket owners. 135# net_bw_stats grants access to other apps' detailed tagged-socket stats. 136 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 137 chown root net_bw_stats /proc/net/xt_qtaguid/stats 138 139# Allow everybody to read the xt_qtaguid resource tracking misc dev. 140# This is needed by any process that uses socket tagging. 141 chmod 0644 /dev/xt_qtaguid 142 143# Create location for fs_mgr to store abbreviated output from filesystem 144# checker programs. 145 mkdir /dev/fscklogs 0770 root system 146 147on post-fs 148 # once everything is setup, no need to modify / 149 mount rootfs rootfs / ro remount 150 # mount shared so changes propagate into child namespaces 151 mount rootfs rootfs / shared rec 152 153 # We chown/chmod /cache again so because mount is run as root + defaults 154 chown system cache /cache 155 chmod 0770 /cache 156 # We restorecon /cache in case the cache partition has been reset. 157 restorecon /cache 158 159 # This may have been created by the recovery system with odd permissions 160 chown system cache /cache/recovery 161 chmod 0770 /cache/recovery 162 # This may have been created by the recovery system with the wrong context. 163 restorecon /cache/recovery 164 165 #change permissions on vmallocinfo so we can grab it from bugreports 166 chown root log /proc/vmallocinfo 167 chmod 0440 /proc/vmallocinfo 168 169 chown root log /proc/slabinfo 170 chmod 0440 /proc/slabinfo 171 172 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 173 chown root system /proc/kmsg 174 chmod 0440 /proc/kmsg 175 chown root system /proc/sysrq-trigger 176 chmod 0220 /proc/sysrq-trigger 177 chown system log /proc/last_kmsg 178 chmod 0440 /proc/last_kmsg 179 180 # make the selinux kernel policy world-readable 181 chmod 0444 /sys/fs/selinux/policy 182 183 # create the lost+found directories, so as to enforce our permissions 184 mkdir /cache/lost+found 0770 root root 185 186on post-fs-data 187 # We chown/chmod /data again so because mount is run as root + defaults 188 chown system system /data 189 chmod 0771 /data 190 # We restorecon /data in case the userdata partition has been reset. 191 restorecon /data 192 193 # Avoid predictable entropy pool. Carry over entropy from previous boot. 194 copy /data/system/entropy.dat /dev/urandom 195 196 # Create dump dir and collect dumps. 197 # Do this before we mount cache so eventually we can use cache for 198 # storing dumps on platforms which do not have a dedicated dump partition. 199 mkdir /data/dontpanic 0750 root log 200 201 # Collect apanic data, free resources and re-arm trigger 202 copy /proc/apanic_console /data/dontpanic/apanic_console 203 chown root log /data/dontpanic/apanic_console 204 chmod 0640 /data/dontpanic/apanic_console 205 206 copy /proc/apanic_threads /data/dontpanic/apanic_threads 207 chown root log /data/dontpanic/apanic_threads 208 chmod 0640 /data/dontpanic/apanic_threads 209 210 write /proc/apanic_console 1 211 212 # create basic filesystem structure 213 mkdir /data/misc 01771 system misc 214 mkdir /data/misc/adb 02750 system shell 215 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 216 mkdir /data/misc/bluetooth 0770 system system 217 mkdir /data/misc/keystore 0700 keystore keystore 218 mkdir /data/misc/keychain 0771 system system 219 mkdir /data/misc/radio 0770 system radio 220 mkdir /data/misc/sms 0770 system radio 221 mkdir /data/misc/zoneinfo 0775 system system 222 mkdir /data/misc/vpn 0770 system vpn 223 mkdir /data/misc/systemkeys 0700 system system 224 mkdir /data/misc/wifi 0770 wifi wifi 225 mkdir /data/misc/wifi/sockets 0770 wifi wifi 226 mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi 227 mkdir /data/misc/dhcp 0770 dhcp dhcp 228 # give system access to wpa_supplicant.conf for backup and restore 229 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 230 mkdir /data/local 0751 root root 231 mkdir /data/misc/media 0700 media media 232 233 # For security reasons, /data/local/tmp should always be empty. 234 # Do not place files or directories in /data/local/tmp 235 mkdir /data/local/tmp 0771 shell shell 236 mkdir /data/data 0771 system system 237 mkdir /data/app-private 0771 system system 238 mkdir /data/app-asec 0700 root root 239 mkdir /data/app-lib 0771 system system 240 mkdir /data/app 0771 system system 241 mkdir /data/property 0700 root root 242 mkdir /data/ssh 0750 root shell 243 mkdir /data/ssh/empty 0700 root root 244 245 # create dalvik-cache, so as to enforce our permissions 246 mkdir /data/dalvik-cache 0771 system system 247 248 # create resource-cache and double-check the perms 249 mkdir /data/resource-cache 0771 system system 250 chown system system /data/resource-cache 251 chmod 0771 /data/resource-cache 252 253 # create the lost+found directories, so as to enforce our permissions 254 mkdir /data/lost+found 0770 root root 255 256 # create directory for DRM plug-ins - give drm the read/write access to 257 # the following directory. 258 mkdir /data/drm 0770 drm drm 259 260 # create directory for MediaDrm plug-ins - give drm the read/write access to 261 # the following directory. 262 mkdir /data/mediadrm 0770 mediadrm mediadrm 263 264 # symlink to bugreport storage location 265 symlink /data/data/com.android.shell/files/bugreports /data/bugreports 266 267 # Separate location for storing security policy files on data 268 mkdir /data/security 0711 system system 269 270 # Reload policy from /data/security if present. 271 setprop selinux.reload_policy 1 272 273 # Set SELinux security contexts on upgrade or policy update. 274 restorecon_recursive /data 275 276 # If there is no fs-post-data action in the init.<device>.rc file, you 277 # must uncomment this line, otherwise encrypted filesystems 278 # won't work. 279 # Set indication (checked by vold) that we have finished this action 280 #setprop vold.post_fs_data_done 1 281 282on boot 283# basic network init 284 ifup lo 285 hostname localhost 286 domainname localdomain 287 288# set RLIMIT_NICE to allow priorities from 19 to -20 289 setrlimit 13 40 40 290 291# Memory management. Basic kernel parameters, and allow the high 292# level system server to be able to adjust the kernel OOM driver 293# parameters to match how it is managing things. 294 write /proc/sys/vm/overcommit_memory 1 295 write /proc/sys/vm/min_free_order_shift 4 296 chown root system /sys/module/lowmemorykiller/parameters/adj 297 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 298 chown root system /sys/module/lowmemorykiller/parameters/minfree 299 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 300 301 # Tweak background writeout 302 write /proc/sys/vm/dirty_expire_centisecs 200 303 write /proc/sys/vm/dirty_background_ratio 5 304 305 # Permissions for System Server and daemons. 306 chown radio system /sys/android_power/state 307 chown radio system /sys/android_power/request_state 308 chown radio system /sys/android_power/acquire_full_wake_lock 309 chown radio system /sys/android_power/acquire_partial_wake_lock 310 chown radio system /sys/android_power/release_wake_lock 311 chown system system /sys/power/autosleep 312 chown system system /sys/power/state 313 chown system system /sys/power/wakeup_count 314 chown radio system /sys/power/wake_lock 315 chown radio system /sys/power/wake_unlock 316 chmod 0660 /sys/power/state 317 chmod 0660 /sys/power/wake_lock 318 chmod 0660 /sys/power/wake_unlock 319 320 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 321 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 322 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 323 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 324 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 325 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 326 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 327 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 328 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 329 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 330 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 331 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 332 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 333 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 334 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 335 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 336 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 337 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 338 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 339 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 340 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 341 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 342 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 343 344 # Assume SMP uses shared cpufreq policy for all CPUs 345 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 346 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 347 348 chown system system /sys/class/timed_output/vibrator/enable 349 chown system system /sys/class/leds/keyboard-backlight/brightness 350 chown system system /sys/class/leds/lcd-backlight/brightness 351 chown system system /sys/class/leds/button-backlight/brightness 352 chown system system /sys/class/leds/jogball-backlight/brightness 353 chown system system /sys/class/leds/red/brightness 354 chown system system /sys/class/leds/green/brightness 355 chown system system /sys/class/leds/blue/brightness 356 chown system system /sys/class/leds/red/device/grpfreq 357 chown system system /sys/class/leds/red/device/grppwm 358 chown system system /sys/class/leds/red/device/blink 359 chown system system /sys/class/timed_output/vibrator/enable 360 chown system system /sys/module/sco/parameters/disable_esco 361 chown system system /sys/kernel/ipv4/tcp_wmem_min 362 chown system system /sys/kernel/ipv4/tcp_wmem_def 363 chown system system /sys/kernel/ipv4/tcp_wmem_max 364 chown system system /sys/kernel/ipv4/tcp_rmem_min 365 chown system system /sys/kernel/ipv4/tcp_rmem_def 366 chown system system /sys/kernel/ipv4/tcp_rmem_max 367 chown root radio /proc/cmdline 368 369# Define TCP buffer sizes for various networks 370# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 371 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 372 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 373 setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152 374 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 375 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 376 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 377 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 378 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 379 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 380 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 381 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 382 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 383 384 class_start core 385 class_start main 386 387on nonencrypted 388 class_start late_start 389 390on charger 391 class_start charger 392 393on property:vold.decrypt=trigger_reset_main 394 class_reset main 395 396on property:vold.decrypt=trigger_load_persist_props 397 load_persist_props 398 399on property:vold.decrypt=trigger_post_fs_data 400 trigger post-fs-data 401 402on property:vold.decrypt=trigger_restart_min_framework 403 class_start main 404 405on property:vold.decrypt=trigger_restart_framework 406 class_start main 407 class_start late_start 408 409on property:vold.decrypt=trigger_shutdown_framework 410 class_reset late_start 411 class_reset main 412 413on property:sys.powerctl=* 414 powerctl ${sys.powerctl} 415 416# system server cannot write to /proc/sys files, so proxy it through init 417on property:sys.sysctl.extra_free_kbytes=* 418 write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} 419 420## Daemon processes to be run by init. 421## 422service ueventd /sbin/ueventd 423 class core 424 critical 425 seclabel u:r:ueventd:s0 426 427service logd /system/bin/logd 428 class core 429 socket logd stream 0666 logd logd 430 socket logdr seqpacket 0666 logd logd 431 socket logdw dgram 0222 logd logd 432 seclabel u:r:logd:s0 433 434service healthd /sbin/healthd 435 class core 436 critical 437 seclabel u:r:healthd:s0 438 439service healthd-charger /sbin/healthd -n 440 class charger 441 critical 442 seclabel u:r:healthd:s0 443 444service console /system/bin/sh 445 class core 446 console 447 disabled 448 user shell 449 group log 450 seclabel u:r:shell:s0 451 452on property:ro.debuggable=1 453 start console 454 455# adbd is controlled via property triggers in init.<platform>.usb.rc 456service adbd /sbin/adbd --root_seclabel=u:r:su:s0 457 class core 458 socket adbd stream 660 system system 459 disabled 460 seclabel u:r:adbd:s0 461 462# adbd on at boot in emulator 463on property:ro.kernel.qemu=1 464 start adbd 465 466service servicemanager /system/bin/servicemanager 467 class core 468 user system 469 group system 470 critical 471 onrestart restart healthd 472 onrestart restart zygote 473 onrestart restart media 474 onrestart restart surfaceflinger 475 onrestart restart drm 476 477service vold /system/bin/vold 478 class core 479 socket vold stream 0660 root mount 480 ioprio be 2 481 482service netd /system/bin/netd 483 class main 484 socket netd stream 0660 root system 485 socket dnsproxyd stream 0660 root inet 486 socket mdns stream 0660 root system 487 488service debuggerd /system/bin/debuggerd 489 class main 490 491service debuggerd64 /system/bin/debuggerd64 492 class main 493 494service ril-daemon /system/bin/rild 495 class main 496 socket rild stream 660 root radio 497 socket rild-debug stream 660 radio system 498 user root 499 group radio cache inet misc audio log 500 501service surfaceflinger /system/bin/surfaceflinger 502 class main 503 user system 504 group graphics drmrpc 505 onrestart restart zygote 506 507service drm /system/bin/drmserver 508 class main 509 user drm 510 group drm system inet drmrpc 511 512service media /system/bin/mediaserver 513 class main 514 user media 515 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm 516 ioprio rt 4 517 518service bootanim /system/bin/bootanimation 519 class main 520 user graphics 521 group graphics 522 disabled 523 oneshot 524 525service installd /system/bin/installd 526 class main 527 socket installd stream 600 system system 528 529service flash_recovery /system/etc/install-recovery.sh 530 class main 531 oneshot 532 533service racoon /system/bin/racoon 534 class main 535 socket racoon stream 600 system system 536 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 537 group vpn net_admin inet 538 disabled 539 oneshot 540 541service mtpd /system/bin/mtpd 542 class main 543 socket mtpd stream 600 system system 544 user vpn 545 group vpn net_admin inet net_raw 546 disabled 547 oneshot 548 549service keystore /system/bin/keystore /data/misc/keystore 550 class main 551 user keystore 552 group keystore drmrpc 553 554service dumpstate /system/bin/dumpstate -s 555 class main 556 socket dumpstate stream 0660 shell log 557 disabled 558 oneshot 559 560service sshd /system/bin/start-ssh 561 class main 562 disabled 563 564service mdnsd /system/bin/mdnsd 565 class main 566 user mdnsr 567 group inet net_raw 568 socket mdnsd stream 0660 mdnsr inet 569 disabled 570 oneshot 571