init.rc revision 71513567dc0249af1b304e458ceac391ffcbeff5
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8 9on early-init 10 # Set init and its forked children's oom_adj. 11 write /proc/1/oom_adj -16 12 13 start ueventd 14 15# create mountpoints 16 mkdir /mnt 0775 root system 17 18on init 19 20sysclktz 0 21 22loglevel 3 23 24# setup the global environment 25 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 26 export LD_LIBRARY_PATH /vendor/lib:/system/lib 27 export ANDROID_BOOTLOGO 1 28 export ANDROID_ROOT /system 29 export ANDROID_ASSETS /system/app 30 export ANDROID_DATA /data 31 export ASEC_MOUNTPOINT /mnt/asec 32 export LOOP_MOUNTPOINT /mnt/obb 33 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 34 35# Backward compatibility 36 symlink /system/etc /etc 37 symlink /sys/kernel/debug /d 38 39# Right now vendor lives on the same filesystem as system, 40# but someday that may change. 41 symlink /system/vendor /vendor 42 43# Create cgroup mount point for cpu accounting 44 mkdir /acct 45 mount cgroup none /acct cpuacct 46 mkdir /acct/uid 47 48 mkdir /system 49 mkdir /data 0771 system system 50 mkdir /cache 0770 system cache 51 mkdir /config 0500 root root 52 53 # Directory for putting things only root should see. 54 mkdir /mnt/secure 0700 root root 55 56 # Directory for staging bindmounts 57 mkdir /mnt/secure/staging 0700 root root 58 59 # Directory-target for where the secure container 60 # imagefile directory will be bind-mounted 61 mkdir /mnt/secure/asec 0700 root root 62 63 # Secure container public mount points. 64 mkdir /mnt/asec 0700 root system 65 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 66 67 # Filesystem image public mount points. 68 mkdir /mnt/obb 0700 root system 69 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 70 71 write /proc/sys/kernel/panic_on_oops 1 72 write /proc/sys/kernel/hung_task_timeout_secs 0 73 write /proc/cpu/alignment 4 74 write /proc/sys/kernel/sched_latency_ns 10000000 75 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 76 write /proc/sys/kernel/sched_compat_yield 1 77 write /proc/sys/kernel/sched_child_runs_first 0 78 write /proc/sys/kernel/randomize_va_space 2 79 write /proc/sys/kernel/kptr_restrict 2 80 write /proc/sys/kernel/dmesg_restrict 1 81 write /proc/sys/vm/mmap_min_addr 32768 82 83# Create cgroup mount points for process groups 84 mkdir /dev/cpuctl 85 mount cgroup none /dev/cpuctl cpu 86 chown system system /dev/cpuctl 87 chown system system /dev/cpuctl/tasks 88 chmod 0777 /dev/cpuctl/tasks 89 write /dev/cpuctl/cpu.shares 1024 90 91 mkdir /dev/cpuctl/fg_boost 92 chown system system /dev/cpuctl/fg_boost/tasks 93 chmod 0777 /dev/cpuctl/fg_boost/tasks 94 write /dev/cpuctl/fg_boost/cpu.shares 1024 95 96 mkdir /dev/cpuctl/bg_non_interactive 97 chown system system /dev/cpuctl/bg_non_interactive/tasks 98 chmod 0777 /dev/cpuctl/bg_non_interactive/tasks 99 # 5.0 % 100 write /dev/cpuctl/bg_non_interactive/cpu.shares 52 101 102# Allow everybody to read the xt_qtaguid resource tracking misc dev. 103# This is needed by any process that uses socket tagging. 104 chmod 0644 /dev/xt_qtaguid 105 106on fs 107# mount mtd partitions 108 # Mount /system rw first to give the filesystem a chance to save a checkpoint 109 mount yaffs2 mtd@system /system 110 mount yaffs2 mtd@system /system ro remount 111 mount yaffs2 mtd@userdata /data nosuid nodev 112 mount yaffs2 mtd@cache /cache nosuid nodev 113 114on post-fs 115 # once everything is setup, no need to modify / 116 mount rootfs rootfs / ro remount 117 118 # We chown/chmod /cache again so because mount is run as root + defaults 119 chown system cache /cache 120 chmod 0770 /cache 121 122 # This may have been created by the recovery system with odd permissions 123 chown system cache /cache/recovery 124 chmod 0770 /cache/recovery 125 126 #change permissions on vmallocinfo so we can grab it from bugreports 127 chown root log /proc/vmallocinfo 128 chmod 0440 /proc/vmallocinfo 129 130 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 131 chown root system /proc/kmsg 132 chmod 0440 /proc/kmsg 133 chown root system /proc/sysrq-trigger 134 chmod 0220 /proc/sysrq-trigger 135 136 # create the lost+found directories, so as to enforce our permissions 137 mkdir /cache/lost+found 0770 root root 138 139on post-fs-data 140 # We chown/chmod /data again so because mount is run as root + defaults 141 chown system system /data 142 chmod 0771 /data 143 144 # Create dump dir and collect dumps. 145 # Do this before we mount cache so eventually we can use cache for 146 # storing dumps on platforms which do not have a dedicated dump partition. 147 mkdir /data/dontpanic 0750 root log 148 149 # Collect apanic data, free resources and re-arm trigger 150 copy /proc/apanic_console /data/dontpanic/apanic_console 151 chown root log /data/dontpanic/apanic_console 152 chmod 0640 /data/dontpanic/apanic_console 153 154 copy /proc/apanic_threads /data/dontpanic/apanic_threads 155 chown root log /data/dontpanic/apanic_threads 156 chmod 0640 /data/dontpanic/apanic_threads 157 158 write /proc/apanic_console 1 159 160 # create basic filesystem structure 161 mkdir /data/misc 01771 system misc 162 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 163 mkdir /data/misc/bluetooth 0770 system system 164 mkdir /data/misc/keystore 0700 keystore keystore 165 mkdir /data/misc/keychain 0771 system system 166 mkdir /data/misc/vpn 0770 system vpn 167 mkdir /data/misc/systemkeys 0700 system system 168 # give system access to wpa_supplicant.conf for backup and restore 169 mkdir /data/misc/wifi 0770 wifi wifi 170 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 171 mkdir /data/local 0751 root root 172 173 # For security reasons, /data/local/tmp should always be empty. 174 # Do not place files or directories in /data/local/tmp 175 mkdir /data/local/tmp 0771 shell shell 176 mkdir /data/data 0771 system system 177 mkdir /data/app-private 0771 system system 178 mkdir /data/app 0771 system system 179 mkdir /data/property 0700 root root 180 mkdir /data/ssh 0750 root shell 181 mkdir /data/ssh/empty 0700 root root 182 183 # create dalvik-cache, so as to enforce our permissions 184 mkdir /data/dalvik-cache 0771 system system 185 186 # create resource-cache and double-check the perms 187 mkdir /data/resource-cache 0771 system system 188 chown system system /data/resource-cache 189 chmod 0771 /data/resource-cache 190 191 # create the lost+found directories, so as to enforce our permissions 192 mkdir /data/lost+found 0770 root root 193 194 # create directory for DRM plug-ins - give drm the read/write access to 195 # the following directory. 196 mkdir /data/drm 0770 drm drm 197 198 # If there is no fs-post-data action in the init.<device>.rc file, you 199 # must uncomment this line, otherwise encrypted filesystems 200 # won't work. 201 # Set indication (checked by vold) that we have finished this action 202 #setprop vold.post_fs_data_done 1 203 204 chown system system /sys/class/android_usb/android0/f_mass_storage/lun/file 205 chmod 0660 /sys/class/android_usb/android0/f_mass_storage/lun/file 206 chown system system /sys/class/android_usb/android0/f_rndis/ethaddr 207 chmod 0660 /sys/class/android_usb/android0/f_rndis/ethaddr 208 209on boot 210# basic network init 211 ifup lo 212 hostname localhost 213 domainname localdomain 214 215# set RLIMIT_NICE to allow priorities from 19 to -20 216 setrlimit 13 40 40 217 218# Memory management. Basic kernel parameters, and allow the high 219# level system server to be able to adjust the kernel OOM driver 220# paramters to match how it is managing things. 221 write /proc/sys/vm/overcommit_memory 1 222 write /proc/sys/vm/min_free_order_shift 4 223 chown root system /sys/module/lowmemorykiller/parameters/adj 224 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 225 chown root system /sys/module/lowmemorykiller/parameters/minfree 226 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 227 228 # Tweak background writeout 229 write /proc/sys/vm/dirty_expire_centisecs 200 230 write /proc/sys/vm/dirty_background_ratio 5 231 232 # Permissions for System Server and daemons. 233 chown radio system /sys/android_power/state 234 chown radio system /sys/android_power/request_state 235 chown radio system /sys/android_power/acquire_full_wake_lock 236 chown radio system /sys/android_power/acquire_partial_wake_lock 237 chown radio system /sys/android_power/release_wake_lock 238 chown system system /sys/power/state 239 chown system system /sys/power/wakeup_count 240 chown radio system /sys/power/wake_lock 241 chown radio system /sys/power/wake_unlock 242 chmod 0660 /sys/power/state 243 chmod 0660 /sys/power/wake_lock 244 chmod 0660 /sys/power/wake_unlock 245 chown system system /sys/class/timed_output/vibrator/enable 246 chown system system /sys/class/leds/keyboard-backlight/brightness 247 chown system system /sys/class/leds/lcd-backlight/brightness 248 chown system system /sys/class/leds/button-backlight/brightness 249 chown system system /sys/class/leds/jogball-backlight/brightness 250 chown system system /sys/class/leds/red/brightness 251 chown system system /sys/class/leds/green/brightness 252 chown system system /sys/class/leds/blue/brightness 253 chown system system /sys/class/leds/red/device/grpfreq 254 chown system system /sys/class/leds/red/device/grppwm 255 chown system system /sys/class/leds/red/device/blink 256 chown system system /sys/class/leds/red/brightness 257 chown system system /sys/class/leds/green/brightness 258 chown system system /sys/class/leds/blue/brightness 259 chown system system /sys/class/leds/red/device/grpfreq 260 chown system system /sys/class/leds/red/device/grppwm 261 chown system system /sys/class/leds/red/device/blink 262 chown system system /sys/class/timed_output/vibrator/enable 263 chown system system /sys/module/sco/parameters/disable_esco 264 chown system system /sys/kernel/ipv4/tcp_wmem_min 265 chown system system /sys/kernel/ipv4/tcp_wmem_def 266 chown system system /sys/kernel/ipv4/tcp_wmem_max 267 chown system system /sys/kernel/ipv4/tcp_rmem_min 268 chown system system /sys/kernel/ipv4/tcp_rmem_def 269 chown system system /sys/kernel/ipv4/tcp_rmem_max 270 chown root radio /proc/cmdline 271 272# Define TCP buffer sizes for various networks 273# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 274 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 275 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 276 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 277 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 278 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 279 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 280 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 281 282# Set this property so surfaceflinger is not started by system_init 283 setprop system_init.startsurfaceflinger 0 284 285 class_start core 286 class_start main 287 288on nonencrypted 289 class_start late_start 290 291on charger 292 class_start charger 293 294on property:vold.decrypt=trigger_reset_main 295 class_reset main 296 297on property:vold.decrypt=trigger_load_persist_props 298 load_persist_props 299 300on property:vold.decrypt=trigger_post_fs_data 301 trigger post-fs-data 302 303on property:vold.decrypt=trigger_restart_min_framework 304 class_start main 305 306on property:vold.decrypt=trigger_restart_framework 307 class_start main 308 class_start late_start 309 310on property:vold.decrypt=trigger_shutdown_framework 311 class_reset late_start 312 class_reset main 313 314# Used to disable USB when switching states 315on property:sys.usb.config=none 316 stop adbd 317 write /sys/class/android_usb/android0/enable 0 318 write /sys/class/android_usb/android0/bDeviceClass 0 319 setprop sys.usb.state ${sys.usb.config} 320 321# adb only USB configuration 322# This should only be used during device bringup 323# and as a fallback if the USB manager fails to set a standard configuration 324on property:sys.usb.config=adb 325 write /sys/class/android_usb/android0/enable 0 326 write /sys/class/android_usb/android0/idVendor 18d1 327 write /sys/class/android_usb/android0/idProduct D002 328 write /sys/class/android_usb/android0/functions ${sys.usb.config} 329 write /sys/class/android_usb/android0/enable 1 330 start adbd 331 setprop sys.usb.state ${sys.usb.config} 332 333# USB accessory configuration 334on property:sys.usb.config=accessory 335 write /sys/class/android_usb/android0/enable 0 336 write /sys/class/android_usb/android0/idVendor 18d1 337 write /sys/class/android_usb/android0/idProduct 2d00 338 write /sys/class/android_usb/android0/functions ${sys.usb.config} 339 write /sys/class/android_usb/android0/enable 1 340 setprop sys.usb.state ${sys.usb.config} 341 342# USB accessory configuration, with adb 343on property:sys.usb.config=accessory,adb 344 write /sys/class/android_usb/android0/enable 0 345 write /sys/class/android_usb/android0/idVendor 18d1 346 write /sys/class/android_usb/android0/idProduct 2d01 347 write /sys/class/android_usb/android0/functions ${sys.usb.config} 348 write /sys/class/android_usb/android0/enable 1 349 start adbd 350 setprop sys.usb.state ${sys.usb.config} 351 352# Used to set USB configuration at boot and to switch the configuration 353# when changing the default configuration 354on property:persist.sys.usb.config=* 355 setprop sys.usb.config ${persist.sys.usb.config} 356 357## Daemon processes to be run by init. 358## 359service ueventd /sbin/ueventd 360 class core 361 critical 362 363service console /system/bin/sh 364 class core 365 console 366 disabled 367 user shell 368 group log 369 370on property:ro.debuggable=1 371 start console 372 373# adbd is controlled via property triggers in init.<platform>.usb.rc 374service adbd /sbin/adbd 375 class core 376 disabled 377 378# adbd on at boot in emulator 379on property:ro.kernel.qemu=1 380 start adbd 381 382service servicemanager /system/bin/servicemanager 383 class core 384 user system 385 group system 386 critical 387 onrestart restart zygote 388 onrestart restart media 389 onrestart restart surfaceflinger 390 onrestart restart drm 391 392service vold /system/bin/vold 393 class core 394 socket vold stream 0660 root mount 395 ioprio be 2 396 397service netd /system/bin/netd 398 class main 399 socket netd stream 0660 root system 400 socket dnsproxyd stream 0660 root inet 401 402service debuggerd /system/bin/debuggerd 403 class main 404 405service ril-daemon /system/bin/rild 406 class main 407 socket rild stream 660 root radio 408 socket rild-debug stream 660 radio system 409 user root 410 group radio cache inet misc audio sdcard_rw log 411 412service surfaceflinger /system/bin/surfaceflinger 413 class main 414 user system 415 group graphics 416 onrestart restart zygote 417 418service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 419 class main 420 socket zygote stream 660 root system 421 onrestart write /sys/android_power/request_state wake 422 onrestart write /sys/power/state on 423 onrestart restart media 424 onrestart restart netd 425 426service drm /system/bin/drmserver 427 class main 428 user drm 429 group drm system inet drmrpc 430 431service media /system/bin/mediaserver 432 class main 433 user media 434 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 435 ioprio rt 4 436 437service bootanim /system/bin/bootanimation 438 class main 439 user graphics 440 group graphics 441 disabled 442 oneshot 443 444service dbus /system/bin/dbus-daemon --system --nofork 445 class main 446 socket dbus stream 660 bluetooth bluetooth 447 user bluetooth 448 group bluetooth net_bt_admin 449 450service bluetoothd /system/bin/bluetoothd -n 451 class main 452 socket bluetooth stream 660 bluetooth bluetooth 453 socket dbus_bluetooth stream 660 bluetooth bluetooth 454 # init.rc does not yet support applying capabilities, so run as root and 455 # let bluetoothd drop uid to bluetooth with the right linux capabilities 456 group bluetooth net_bt_admin misc 457 disabled 458 459service installd /system/bin/installd 460 class main 461 socket installd stream 600 system system 462 463service flash_recovery /system/etc/install-recovery.sh 464 class main 465 oneshot 466 467service racoon /system/bin/racoon 468 class main 469 socket racoon stream 600 system system 470 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 471 group vpn net_admin inet 472 disabled 473 oneshot 474 475service mtpd /system/bin/mtpd 476 class main 477 socket mtpd stream 600 system system 478 user vpn 479 group vpn net_admin inet net_raw 480 disabled 481 oneshot 482 483service keystore /system/bin/keystore /data/misc/keystore 484 class main 485 user keystore 486 group keystore drmrpc 487 socket keystore stream 666 488 489service dumpstate /system/bin/dumpstate -s 490 class main 491 socket dumpstate stream 0660 shell log 492 disabled 493 oneshot 494 495service sshd /system/bin/start-ssh 496 class main 497 disabled 498