init.rc revision 70a163f519db14532b7dcde4bc65d1d658a760e4
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8import /init.usb.rc 9 10on early-init 11 # Set init and its forked children's oom_adj. 12 write /proc/1/oom_adj -16 13 14 start ueventd 15 16# create mountpoints 17 mkdir /mnt 0775 root system 18 19on init 20 21sysclktz 0 22 23loglevel 3 24 25# setup the global environment 26 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 27 export LD_LIBRARY_PATH /vendor/lib:/system/lib 28 export ANDROID_BOOTLOGO 1 29 export ANDROID_ROOT /system 30 export ANDROID_ASSETS /system/app 31 export ANDROID_DATA /data 32 export ASEC_MOUNTPOINT /mnt/asec 33 export LOOP_MOUNTPOINT /mnt/obb 34 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 35 36# Backward compatibility 37 symlink /system/etc /etc 38 symlink /sys/kernel/debug /d 39 40# Right now vendor lives on the same filesystem as system, 41# but someday that may change. 42 symlink /system/vendor /vendor 43 44# Create cgroup mount point for cpu accounting 45 mkdir /acct 46 mount cgroup none /acct cpuacct 47 mkdir /acct/uid 48 49 mkdir /system 50 mkdir /data 0771 system system 51 mkdir /cache 0770 system cache 52 mkdir /config 0500 root root 53 54 # Directory for putting things only root should see. 55 mkdir /mnt/secure 0700 root root 56 57 # Directory for staging bindmounts 58 mkdir /mnt/secure/staging 0700 root root 59 60 # Directory-target for where the secure container 61 # imagefile directory will be bind-mounted 62 mkdir /mnt/secure/asec 0700 root root 63 64 # Secure container public mount points. 65 mkdir /mnt/asec 0700 root system 66 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 67 68 # Filesystem image public mount points. 69 mkdir /mnt/obb 0700 root system 70 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 71 72 write /proc/sys/kernel/panic_on_oops 1 73 write /proc/sys/kernel/hung_task_timeout_secs 0 74 write /proc/cpu/alignment 4 75 write /proc/sys/kernel/sched_latency_ns 10000000 76 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 77 write /proc/sys/kernel/sched_compat_yield 1 78 write /proc/sys/kernel/sched_child_runs_first 0 79 write /proc/sys/kernel/randomize_va_space 2 80 write /proc/sys/kernel/kptr_restrict 2 81 write /proc/sys/kernel/dmesg_restrict 1 82 write /proc/sys/vm/mmap_min_addr 32768 83 write /proc/sys/kernel/sched_rt_runtime_us 950000 84 write /proc/sys/kernel/sched_rt_period_us 1000000 85 86# Create cgroup mount points for process groups 87 mkdir /dev/cpuctl 88 mount cgroup none /dev/cpuctl cpu 89 chown system system /dev/cpuctl 90 chown system system /dev/cpuctl/tasks 91 chmod 0660 /dev/cpuctl/tasks 92 write /dev/cpuctl/cpu.shares 1024 93 write /dev/cpuctl/cpu.rt_runtime_us 950000 94 write /dev/cpuctl/cpu.rt_period_us 1000000 95 96 mkdir /dev/cpuctl/foreground 97 chown system system /dev/cpuctl/foreground/tasks 98 chmod 0666 /dev/cpuctl/foreground/tasks 99 write /dev/cpuctl/foreground/cpu.shares 1024 100 write /dev/cpuctl/foreground/cpu.rt_runtime_us 0 101 write /dev/cpuctl/foreground/cpu.rt_period_us 1000000 102 103 mkdir /dev/cpuctl/bg_non_interactive 104 chown system system /dev/cpuctl/bg_non_interactive/tasks 105 chmod 0666 /dev/cpuctl/bg_non_interactive/tasks 106 # 5.0 % 107 write /dev/cpuctl/bg_non_interactive/cpu.shares 52 108 write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 0 109 write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000 110 111 mkdir /dev/cpuctl/audio_app 112 chown system system /dev/cpuctl/audio_app/tasks 113 chmod 0660 /dev/cpuctl/audio_app/tasks 114 write /dev/cpuctl/audio_app/cpu.shares 10 115 write /dev/cpuctl/audio_app/cpu.rt_runtime_us 100000 116 write /dev/cpuctl/audio_app/cpu.rt_period_us 1000000 117 118 mkdir /dev/cpuctl/audio_sys 119 chown system system /dev/cpuctl/audio_sys/tasks 120 chmod 0660 /dev/cpuctl/audio_sys/tasks 121 write /dev/cpuctl/audio_sys/cpu.shares 10 122 write /dev/cpuctl/audio_sys/cpu.rt_runtime_us 100000 123 write /dev/cpuctl/audio_sys/cpu.rt_period_us 1000000 124 125# Allow everybody to read the xt_qtaguid resource tracking misc dev. 126# This is needed by any process that uses socket tagging. 127 chmod 0644 /dev/xt_qtaguid 128 129on fs 130# mount mtd partitions 131 # Mount /system rw first to give the filesystem a chance to save a checkpoint 132 mount yaffs2 mtd@system /system 133 mount yaffs2 mtd@system /system ro remount 134 mount yaffs2 mtd@userdata /data nosuid nodev 135 mount yaffs2 mtd@cache /cache nosuid nodev 136 137on post-fs 138 # once everything is setup, no need to modify / 139 mount rootfs rootfs / ro remount 140 141 # We chown/chmod /cache again so because mount is run as root + defaults 142 chown system cache /cache 143 chmod 0770 /cache 144 145 # This may have been created by the recovery system with odd permissions 146 chown system cache /cache/recovery 147 chmod 0770 /cache/recovery 148 149 #change permissions on vmallocinfo so we can grab it from bugreports 150 chown root log /proc/vmallocinfo 151 chmod 0440 /proc/vmallocinfo 152 153 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 154 chown root system /proc/kmsg 155 chmod 0440 /proc/kmsg 156 chown root system /proc/sysrq-trigger 157 chmod 0220 /proc/sysrq-trigger 158 159 # create the lost+found directories, so as to enforce our permissions 160 mkdir /cache/lost+found 0770 root root 161 162on post-fs-data 163 # We chown/chmod /data again so because mount is run as root + defaults 164 chown system system /data 165 chmod 0771 /data 166 167 # Create dump dir and collect dumps. 168 # Do this before we mount cache so eventually we can use cache for 169 # storing dumps on platforms which do not have a dedicated dump partition. 170 mkdir /data/dontpanic 0750 root log 171 172 # Collect apanic data, free resources and re-arm trigger 173 copy /proc/apanic_console /data/dontpanic/apanic_console 174 chown root log /data/dontpanic/apanic_console 175 chmod 0640 /data/dontpanic/apanic_console 176 177 copy /proc/apanic_threads /data/dontpanic/apanic_threads 178 chown root log /data/dontpanic/apanic_threads 179 chmod 0640 /data/dontpanic/apanic_threads 180 181 write /proc/apanic_console 1 182 183 # create basic filesystem structure 184 mkdir /data/misc 01771 system misc 185 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 186 mkdir /data/misc/bluetooth 0770 system system 187 mkdir /data/misc/keystore 0700 keystore keystore 188 mkdir /data/misc/keychain 0771 system system 189 mkdir /data/misc/vpn 0770 system vpn 190 mkdir /data/misc/systemkeys 0700 system system 191 # give system access to wpa_supplicant.conf for backup and restore 192 mkdir /data/misc/wifi 0770 wifi wifi 193 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 194 mkdir /data/local 0751 root root 195 196 # For security reasons, /data/local/tmp should always be empty. 197 # Do not place files or directories in /data/local/tmp 198 mkdir /data/local/tmp 0771 shell shell 199 mkdir /data/data 0771 system system 200 mkdir /data/app-private 0771 system system 201 mkdir /data/app-asec 0700 root root 202 mkdir /data/app 0771 system system 203 mkdir /data/property 0700 root root 204 mkdir /data/ssh 0750 root shell 205 mkdir /data/ssh/empty 0700 root root 206 207 # create dalvik-cache, so as to enforce our permissions 208 mkdir /data/dalvik-cache 0771 system system 209 210 # create resource-cache and double-check the perms 211 mkdir /data/resource-cache 0771 system system 212 chown system system /data/resource-cache 213 chmod 0771 /data/resource-cache 214 215 # create the lost+found directories, so as to enforce our permissions 216 mkdir /data/lost+found 0770 root root 217 218 # create directory for DRM plug-ins - give drm the read/write access to 219 # the following directory. 220 mkdir /data/drm 0770 drm drm 221 222 # If there is no fs-post-data action in the init.<device>.rc file, you 223 # must uncomment this line, otherwise encrypted filesystems 224 # won't work. 225 # Set indication (checked by vold) that we have finished this action 226 #setprop vold.post_fs_data_done 1 227 228on boot 229# basic network init 230 ifup lo 231 hostname localhost 232 domainname localdomain 233 234# set RLIMIT_NICE to allow priorities from 19 to -20 235 setrlimit 13 40 40 236 237# Memory management. Basic kernel parameters, and allow the high 238# level system server to be able to adjust the kernel OOM driver 239# parameters to match how it is managing things. 240 write /proc/sys/vm/overcommit_memory 1 241 write /proc/sys/vm/min_free_order_shift 4 242 chown root system /sys/module/lowmemorykiller/parameters/adj 243 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 244 chown root system /sys/module/lowmemorykiller/parameters/minfree 245 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 246 247 # Tweak background writeout 248 write /proc/sys/vm/dirty_expire_centisecs 200 249 write /proc/sys/vm/dirty_background_ratio 5 250 251 # Permissions for System Server and daemons. 252 chown radio system /sys/android_power/state 253 chown radio system /sys/android_power/request_state 254 chown radio system /sys/android_power/acquire_full_wake_lock 255 chown radio system /sys/android_power/acquire_partial_wake_lock 256 chown radio system /sys/android_power/release_wake_lock 257 chown system system /sys/power/autosleep 258 chown system system /sys/power/state 259 chown system system /sys/power/wakeup_count 260 chown radio system /sys/power/wake_lock 261 chown radio system /sys/power/wake_unlock 262 chmod 0660 /sys/power/state 263 chmod 0660 /sys/power/wake_lock 264 chmod 0660 /sys/power/wake_unlock 265 266 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 267 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 268 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 269 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 270 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 271 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 272 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 273 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 274 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 275 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 276 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 277 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 278 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 279 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 280 281 # Assume SMP uses shared cpufreq policy for all CPUs 282 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 283 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 284 285 chown system system /sys/class/timed_output/vibrator/enable 286 chown system system /sys/class/leds/keyboard-backlight/brightness 287 chown system system /sys/class/leds/lcd-backlight/brightness 288 chown system system /sys/class/leds/button-backlight/brightness 289 chown system system /sys/class/leds/jogball-backlight/brightness 290 chown system system /sys/class/leds/red/brightness 291 chown system system /sys/class/leds/green/brightness 292 chown system system /sys/class/leds/blue/brightness 293 chown system system /sys/class/leds/red/device/grpfreq 294 chown system system /sys/class/leds/red/device/grppwm 295 chown system system /sys/class/leds/red/device/blink 296 chown system system /sys/class/leds/red/brightness 297 chown system system /sys/class/leds/green/brightness 298 chown system system /sys/class/leds/blue/brightness 299 chown system system /sys/class/leds/red/device/grpfreq 300 chown system system /sys/class/leds/red/device/grppwm 301 chown system system /sys/class/leds/red/device/blink 302 chown system system /sys/class/timed_output/vibrator/enable 303 chown system system /sys/module/sco/parameters/disable_esco 304 chown system system /sys/kernel/ipv4/tcp_wmem_min 305 chown system system /sys/kernel/ipv4/tcp_wmem_def 306 chown system system /sys/kernel/ipv4/tcp_wmem_max 307 chown system system /sys/kernel/ipv4/tcp_rmem_min 308 chown system system /sys/kernel/ipv4/tcp_rmem_def 309 chown system system /sys/kernel/ipv4/tcp_rmem_max 310 chown root radio /proc/cmdline 311 312# Define TCP buffer sizes for various networks 313# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 314 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 315 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 316 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 317 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 318 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 319 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 320 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 321 322# Set this property so surfaceflinger is not started by system_init 323 setprop system_init.startsurfaceflinger 0 324 325 class_start core 326 class_start main 327 328on nonencrypted 329 class_start late_start 330 331on charger 332 class_start charger 333 334on property:vold.decrypt=trigger_reset_main 335 class_reset main 336 337on property:vold.decrypt=trigger_load_persist_props 338 load_persist_props 339 340on property:vold.decrypt=trigger_post_fs_data 341 trigger post-fs-data 342 343on property:vold.decrypt=trigger_restart_min_framework 344 class_start main 345 346on property:vold.decrypt=trigger_restart_framework 347 class_start main 348 class_start late_start 349 350on property:vold.decrypt=trigger_shutdown_framework 351 class_reset late_start 352 class_reset main 353 354## Daemon processes to be run by init. 355## 356service ueventd /sbin/ueventd 357 class core 358 critical 359 360service console /system/bin/sh 361 class core 362 console 363 disabled 364 user shell 365 group log 366 367on property:ro.debuggable=1 368 start console 369 370# Allow writing to the kernel trace log. Enabling tracing still requires root. 371on property:ro.debuggable=1 372 chmod 0222 /sys/kernel/debug/tracing/trace_marker 373 374# adbd is controlled via property triggers in init.<platform>.usb.rc 375service adbd /sbin/adbd 376 class core 377 disabled 378 379# adbd on at boot in emulator 380on property:ro.kernel.qemu=1 381 start adbd 382 383service servicemanager /system/bin/servicemanager 384 class core 385 user system 386 group system 387 critical 388 onrestart restart zygote 389 onrestart restart media 390 onrestart restart surfaceflinger 391 onrestart restart drm 392 393service vold /system/bin/vold 394 class core 395 socket vold stream 0660 root mount 396 ioprio be 2 397 398service netd /system/bin/netd 399 class main 400 socket netd stream 0660 root system 401 socket dnsproxyd stream 0660 root inet 402 socket mdns stream 0660 root system 403 404service debuggerd /system/bin/debuggerd 405 class main 406 407service ril-daemon /system/bin/rild 408 class main 409 socket rild stream 660 root radio 410 socket rild-debug stream 660 radio system 411 user root 412 group radio cache inet misc audio sdcard_rw log 413 414service surfaceflinger /system/bin/surfaceflinger 415 class main 416 user system 417 group graphics 418 onrestart restart zygote 419 420service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 421 class main 422 socket zygote stream 660 root system 423 onrestart write /sys/android_power/request_state wake 424 onrestart write /sys/power/state on 425 onrestart restart media 426 onrestart restart netd 427 428service drm /system/bin/drmserver 429 class main 430 user drm 431 group drm system inet drmrpc sdcard_r 432 433service media /system/bin/mediaserver 434 class main 435 user media 436 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 437 ioprio rt 4 438 439service bootanim /system/bin/bootanimation 440 class main 441 user graphics 442 group graphics 443 disabled 444 oneshot 445 446service dbus /system/bin/dbus-daemon --system --nofork 447 class main 448 socket dbus stream 660 bluetooth bluetooth 449 user bluetooth 450 group bluetooth net_bt_admin 451 452service bluetoothd /system/bin/bluetoothd -n 453 class main 454 socket bluetooth stream 660 bluetooth bluetooth 455 socket dbus_bluetooth stream 660 bluetooth bluetooth 456 # init.rc does not yet support applying capabilities, so run as root and 457 # let bluetoothd drop uid to bluetooth with the right linux capabilities 458 group bluetooth net_bt_admin misc 459 disabled 460 461service installd /system/bin/installd 462 class main 463 socket installd stream 600 system system 464 465service flash_recovery /system/etc/install-recovery.sh 466 class main 467 oneshot 468 469service racoon /system/bin/racoon 470 class main 471 socket racoon stream 600 system system 472 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 473 group vpn net_admin inet 474 disabled 475 oneshot 476 477service mtpd /system/bin/mtpd 478 class main 479 socket mtpd stream 600 system system 480 user vpn 481 group vpn net_admin inet net_raw 482 disabled 483 oneshot 484 485service keystore /system/bin/keystore /data/misc/keystore 486 class main 487 user keystore 488 group keystore drmrpc 489 socket keystore stream 666 490 491service dumpstate /system/bin/dumpstate -s 492 class main 493 socket dumpstate stream 0660 shell log 494 disabled 495 oneshot 496 497service sshd /system/bin/start-ssh 498 class main 499 disabled 500 501service mdnsd /system/bin/mdnsd 502 class main 503 user mdnsr 504 group inet net_raw 505 socket mdnsd stream 0660 mdnsr inet 506 disabled 507 oneshot 508 509