init.rc revision 67b00d8b2d96e8133c249bcbc0fb63c49e10e022
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.environ.rc 8import /init.usb.rc 9import /init.${ro.hardware}.rc 10import /init.trace.rc 11 12on early-init 13 # Set init and its forked children's oom_adj. 14 write /proc/1/oom_adj -16 15 16 # Set the security context for the init process. 17 # This should occur before anything else (e.g. ueventd) is started. 18 setcon u:r:init:s0 19 20 start ueventd 21 22# create mountpoints 23 mkdir /mnt 0775 root system 24 25on init 26 27sysclktz 0 28 29loglevel 3 30 31# Backward compatibility 32 symlink /system/etc /etc 33 symlink /sys/kernel/debug /d 34 35# Right now vendor lives on the same filesystem as system, 36# but someday that may change. 37 symlink /system/vendor /vendor 38 39# Create cgroup mount point for cpu accounting 40 mkdir /acct 41 mount cgroup none /acct cpuacct 42 mkdir /acct/uid 43 44# Create cgroup mount point for memory 45 mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000 46 mkdir /sys/fs/cgroup/memory 0750 root system 47 mount cgroup none /sys/fs/cgroup/memory memory 48 write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 49 chown root system /sys/fs/cgroup/memory/tasks 50 chmod 0660 /sys/fs/cgroup/memory/tasks 51 mkdir /sys/fs/cgroup/memory/sw 0750 root system 52 write /sys/fs/cgroup/memory/sw/memory.swappiness 100 53 write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 54 chown root system /sys/fs/cgroup/memory/sw/tasks 55 chmod 0660 /sys/fs/cgroup/memory/sw/tasks 56 57 mkdir /system 58 mkdir /data 0771 system system 59 mkdir /cache 0770 system cache 60 mkdir /config 0500 root root 61 62 # See storage config details at http://source.android.com/tech/storage/ 63 mkdir /mnt/shell 0700 shell shell 64 mkdir /storage 0050 root sdcard_r 65 66 # Directory for putting things only root should see. 67 mkdir /mnt/secure 0700 root root 68 # Create private mountpoint so we can MS_MOVE from staging 69 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 70 71 # Directory for staging bindmounts 72 mkdir /mnt/secure/staging 0700 root root 73 74 # Directory-target for where the secure container 75 # imagefile directory will be bind-mounted 76 mkdir /mnt/secure/asec 0700 root root 77 78 # Secure container public mount points. 79 mkdir /mnt/asec 0700 root system 80 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 81 82 # Filesystem image public mount points. 83 mkdir /mnt/obb 0700 root system 84 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 85 86 write /proc/sys/kernel/panic_on_oops 1 87 write /proc/sys/kernel/hung_task_timeout_secs 0 88 write /proc/cpu/alignment 4 89 write /proc/sys/kernel/sched_latency_ns 10000000 90 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 91 write /proc/sys/kernel/sched_compat_yield 1 92 write /proc/sys/kernel/sched_child_runs_first 0 93 write /proc/sys/kernel/randomize_va_space 2 94 write /proc/sys/kernel/kptr_restrict 2 95 write /proc/sys/kernel/dmesg_restrict 1 96 write /proc/sys/vm/mmap_min_addr 32768 97 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 98 write /proc/sys/kernel/sched_rt_runtime_us 950000 99 write /proc/sys/kernel/sched_rt_period_us 1000000 100 101# Create cgroup mount points for process groups 102 mkdir /dev/cpuctl 103 mount cgroup none /dev/cpuctl cpu 104 chown system system /dev/cpuctl 105 chown system system /dev/cpuctl/tasks 106 chmod 0660 /dev/cpuctl/tasks 107 write /dev/cpuctl/cpu.shares 1024 108 write /dev/cpuctl/cpu.rt_runtime_us 950000 109 write /dev/cpuctl/cpu.rt_period_us 1000000 110 111 mkdir /dev/cpuctl/apps 112 chown system system /dev/cpuctl/apps/tasks 113 chmod 0666 /dev/cpuctl/apps/tasks 114 write /dev/cpuctl/apps/cpu.shares 1024 115 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 116 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 117 118 mkdir /dev/cpuctl/apps/bg_non_interactive 119 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 120 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 121 # 5.0 % 122 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 123 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 124 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 125 126# qtaguid will limit access to specific data based on group memberships. 127# net_bw_acct grants impersonation of socket owners. 128# net_bw_stats grants access to other apps' detailed tagged-socket stats. 129 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 130 chown root net_bw_stats /proc/net/xt_qtaguid/stats 131 132# Allow everybody to read the xt_qtaguid resource tracking misc dev. 133# This is needed by any process that uses socket tagging. 134 chmod 0644 /dev/xt_qtaguid 135 136on post-fs 137 # once everything is setup, no need to modify / 138 mount rootfs rootfs / ro remount 139 # mount shared so changes propagate into child namespaces 140 mount rootfs rootfs / shared rec 141 mount tmpfs tmpfs /mnt/secure private rec 142 143 # We chown/chmod /cache again so because mount is run as root + defaults 144 chown system cache /cache 145 chmod 0770 /cache 146 # We restorecon /cache in case the cache partition has been reset. 147 restorecon /cache 148 149 # This may have been created by the recovery system with odd permissions 150 chown system cache /cache/recovery 151 chmod 0770 /cache/recovery 152 # This may have been created by the recovery system with the wrong context. 153 restorecon /cache/recovery 154 155 #change permissions on vmallocinfo so we can grab it from bugreports 156 chown root log /proc/vmallocinfo 157 chmod 0440 /proc/vmallocinfo 158 159 chown root log /proc/slabinfo 160 chmod 0440 /proc/slabinfo 161 162 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 163 chown root system /proc/kmsg 164 chmod 0440 /proc/kmsg 165 chown root system /proc/sysrq-trigger 166 chmod 0220 /proc/sysrq-trigger 167 chown system log /proc/last_kmsg 168 chmod 0440 /proc/last_kmsg 169 170 # create the lost+found directories, so as to enforce our permissions 171 mkdir /cache/lost+found 0770 root root 172 173on post-fs-data 174 # We chown/chmod /data again so because mount is run as root + defaults 175 chown system system /data 176 chmod 0771 /data 177 # We restorecon /data in case the userdata partition has been reset. 178 restorecon /data 179 180 # Create dump dir and collect dumps. 181 # Do this before we mount cache so eventually we can use cache for 182 # storing dumps on platforms which do not have a dedicated dump partition. 183 mkdir /data/dontpanic 0750 root log 184 185 # Collect apanic data, free resources and re-arm trigger 186 copy /proc/apanic_console /data/dontpanic/apanic_console 187 chown root log /data/dontpanic/apanic_console 188 chmod 0640 /data/dontpanic/apanic_console 189 190 copy /proc/apanic_threads /data/dontpanic/apanic_threads 191 chown root log /data/dontpanic/apanic_threads 192 chmod 0640 /data/dontpanic/apanic_threads 193 194 write /proc/apanic_console 1 195 196 # create basic filesystem structure 197 mkdir /data/misc 01771 system misc 198 mkdir /data/misc/adb 02750 system shell 199 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 200 mkdir /data/misc/bluetooth 0770 system system 201 mkdir /data/misc/keystore 0700 keystore keystore 202 mkdir /data/misc/keychain 0771 system system 203 mkdir /data/misc/radio 0770 system radio 204 mkdir /data/misc/sms 0770 system radio 205 mkdir /data/misc/zoneinfo 0775 system system 206 mkdir /data/misc/vpn 0770 system vpn 207 mkdir /data/misc/systemkeys 0700 system system 208 # give system access to wpa_supplicant.conf for backup and restore 209 mkdir /data/misc/wifi 0770 wifi wifi 210 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 211 mkdir /data/local 0751 root root 212 mkdir /data/misc/media 0700 media media 213 214 # For security reasons, /data/local/tmp should always be empty. 215 # Do not place files or directories in /data/local/tmp 216 mkdir /data/local/tmp 0771 shell shell 217 mkdir /data/data 0771 system system 218 mkdir /data/app-private 0771 system system 219 mkdir /data/app-asec 0700 root root 220 mkdir /data/app-lib 0771 system system 221 mkdir /data/app 0771 system system 222 mkdir /data/property 0700 root root 223 mkdir /data/ssh 0750 root shell 224 mkdir /data/ssh/empty 0700 root root 225 226 # create dalvik-cache, so as to enforce our permissions 227 mkdir /data/dalvik-cache 0771 system system 228 229 # create resource-cache and double-check the perms 230 mkdir /data/resource-cache 0771 system system 231 chown system system /data/resource-cache 232 chmod 0771 /data/resource-cache 233 234 # create the lost+found directories, so as to enforce our permissions 235 mkdir /data/lost+found 0770 root root 236 237 # create directory for DRM plug-ins - give drm the read/write access to 238 # the following directory. 239 mkdir /data/drm 0770 drm drm 240 241 # create directory for MediaDrm plug-ins - give drm the read/write access to 242 # the following directory. 243 mkdir /data/mediadrm 0770 mediadrm mediadrm 244 245 # symlink to bugreport storage location 246 symlink /data/data/com.android.shell/files/bugreports /data/bugreports 247 248 # Separate location for storing security policy files on data 249 mkdir /data/security 0711 system system 250 251 # If there is no fs-post-data action in the init.<device>.rc file, you 252 # must uncomment this line, otherwise encrypted filesystems 253 # won't work. 254 # Set indication (checked by vold) that we have finished this action 255 #setprop vold.post_fs_data_done 1 256 257on boot 258# basic network init 259 ifup lo 260 hostname localhost 261 domainname localdomain 262 263# set RLIMIT_NICE to allow priorities from 19 to -20 264 setrlimit 13 40 40 265 266# Memory management. Basic kernel parameters, and allow the high 267# level system server to be able to adjust the kernel OOM driver 268# parameters to match how it is managing things. 269 write /proc/sys/vm/overcommit_memory 1 270 write /proc/sys/vm/min_free_order_shift 4 271 chown root system /sys/module/lowmemorykiller/parameters/adj 272 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 273 chown root system /sys/module/lowmemorykiller/parameters/minfree 274 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 275 276 # Tweak background writeout 277 write /proc/sys/vm/dirty_expire_centisecs 200 278 write /proc/sys/vm/dirty_background_ratio 5 279 280 # Permissions for System Server and daemons. 281 chown radio system /sys/android_power/state 282 chown radio system /sys/android_power/request_state 283 chown radio system /sys/android_power/acquire_full_wake_lock 284 chown radio system /sys/android_power/acquire_partial_wake_lock 285 chown radio system /sys/android_power/release_wake_lock 286 chown system system /sys/power/autosleep 287 chown system system /sys/power/state 288 chown system system /sys/power/wakeup_count 289 chown radio system /sys/power/wake_lock 290 chown radio system /sys/power/wake_unlock 291 chmod 0660 /sys/power/state 292 chmod 0660 /sys/power/wake_lock 293 chmod 0660 /sys/power/wake_unlock 294 295 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 296 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 297 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 298 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 299 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 300 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 301 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 302 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 303 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 304 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 305 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 306 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 307 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 308 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 309 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 310 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 311 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 312 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 313 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 314 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 315 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 316 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 317 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 318 319 # Assume SMP uses shared cpufreq policy for all CPUs 320 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 321 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 322 323 chown system system /sys/class/timed_output/vibrator/enable 324 chown system system /sys/class/leds/keyboard-backlight/brightness 325 chown system system /sys/class/leds/lcd-backlight/brightness 326 chown system system /sys/class/leds/button-backlight/brightness 327 chown system system /sys/class/leds/jogball-backlight/brightness 328 chown system system /sys/class/leds/red/brightness 329 chown system system /sys/class/leds/green/brightness 330 chown system system /sys/class/leds/blue/brightness 331 chown system system /sys/class/leds/red/device/grpfreq 332 chown system system /sys/class/leds/red/device/grppwm 333 chown system system /sys/class/leds/red/device/blink 334 chown system system /sys/class/timed_output/vibrator/enable 335 chown system system /sys/module/sco/parameters/disable_esco 336 chown system system /sys/kernel/ipv4/tcp_wmem_min 337 chown system system /sys/kernel/ipv4/tcp_wmem_def 338 chown system system /sys/kernel/ipv4/tcp_wmem_max 339 chown system system /sys/kernel/ipv4/tcp_rmem_min 340 chown system system /sys/kernel/ipv4/tcp_rmem_def 341 chown system system /sys/kernel/ipv4/tcp_rmem_max 342 chown root radio /proc/cmdline 343 344# Set these so we can remotely update SELinux policy 345 chown system system /sys/fs/selinux/load 346 chown system system /sys/fs/selinux/enforce 347 348# Define TCP buffer sizes for various networks 349# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 350 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 351 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 352 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 353 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 354 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 355 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 356 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 357 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 358 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 359 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 360 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 361 362 class_start core 363 class_start main 364 365on nonencrypted 366 class_start late_start 367 368on charger 369 class_start charger 370 371on property:vold.decrypt=trigger_reset_main 372 class_reset main 373 374on property:vold.decrypt=trigger_load_persist_props 375 load_persist_props 376 377on property:vold.decrypt=trigger_post_fs_data 378 trigger post-fs-data 379 380on property:vold.decrypt=trigger_restart_min_framework 381 class_start main 382 383on property:vold.decrypt=trigger_restart_framework 384 class_start main 385 class_start late_start 386 387on property:vold.decrypt=trigger_shutdown_framework 388 class_reset late_start 389 class_reset main 390 391on property:sys.powerctl=* 392 powerctl ${sys.powerctl} 393 394# system server cannot write to /proc/sys files, so proxy it through init 395on property:sys.sysctl.extra_free_kbytes=* 396 write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} 397 398## Daemon processes to be run by init. 399## 400service ueventd /sbin/ueventd 401 class core 402 critical 403 seclabel u:r:ueventd:s0 404 405service healthd /sbin/healthd 406 class core 407 critical 408 seclabel u:r:healthd:s0 409 410service healthd-charger /sbin/healthd -n 411 class charger 412 critical 413 seclabel u:r:healthd:s0 414 415on property:selinux.reload_policy=1 416 restart ueventd 417 restart installd 418 419service console /system/bin/sh 420 class core 421 console 422 disabled 423 user shell 424 group log 425 426on property:ro.debuggable=1 427 start console 428 429# adbd is controlled via property triggers in init.<platform>.usb.rc 430service adbd /sbin/adbd 431 class core 432 socket adbd stream 660 system system 433 disabled 434 seclabel u:r:adbd:s0 435 436# adbd on at boot in emulator 437on property:ro.kernel.qemu=1 438 start adbd 439 440service servicemanager /system/bin/servicemanager 441 class core 442 user system 443 group system 444 critical 445 onrestart restart healthd 446 onrestart restart zygote 447 onrestart restart media 448 onrestart restart surfaceflinger 449 onrestart restart drm 450 451service vold /system/bin/vold 452 class core 453 socket vold stream 0660 root mount 454 ioprio be 2 455 456service netd /system/bin/netd 457 class main 458 socket netd stream 0660 root system 459 socket dnsproxyd stream 0660 root inet 460 socket mdns stream 0660 root system 461 462service debuggerd /system/bin/debuggerd 463 class main 464 465service ril-daemon /system/bin/rild 466 class main 467 socket rild stream 660 root radio 468 socket rild-debug stream 660 radio system 469 user root 470 group radio cache inet misc audio log 471 472service surfaceflinger /system/bin/surfaceflinger 473 class main 474 user system 475 group graphics drmrpc 476 onrestart restart zygote 477 478service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 479 class main 480 socket zygote stream 660 root system 481 onrestart write /sys/android_power/request_state wake 482 onrestart write /sys/power/state on 483 onrestart restart media 484 onrestart restart netd 485 486service drm /system/bin/drmserver 487 class main 488 user drm 489 group drm system inet drmrpc 490 491service media /system/bin/mediaserver 492 class main 493 user media 494 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm 495 ioprio rt 4 496 497service bootanim /system/bin/bootanimation 498 class main 499 user graphics 500 group graphics 501 disabled 502 oneshot 503 504service installd /system/bin/installd 505 class main 506 socket installd stream 600 system system 507 508service flash_recovery /system/etc/install-recovery.sh 509 class main 510 oneshot 511 512service racoon /system/bin/racoon 513 class main 514 socket racoon stream 600 system system 515 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 516 group vpn net_admin inet 517 disabled 518 oneshot 519 520service mtpd /system/bin/mtpd 521 class main 522 socket mtpd stream 600 system system 523 user vpn 524 group vpn net_admin inet net_raw 525 disabled 526 oneshot 527 528service keystore /system/bin/keystore /data/misc/keystore 529 class main 530 user keystore 531 group keystore drmrpc 532 533service dumpstate /system/bin/dumpstate -s 534 class main 535 socket dumpstate stream 0660 shell log 536 disabled 537 oneshot 538 539service sshd /system/bin/start-ssh 540 class main 541 disabled 542 543service mdnsd /system/bin/mdnsd 544 class main 545 user mdnsr 546 group inet net_raw 547 socket mdnsd stream 0660 mdnsr inet 548 disabled 549 oneshot 550