init.rc revision 78ef91aa5ec29cc45bf3f0d4b32cd92db000a95a
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Layout of this file: boot-stage actions (early-init, init, post-fs,
# post-fs-data, boot), then property-triggered actions, then the service
# definitions for the daemons init launches. Commands inside an action run
# in the order written, so ordering here is significant.
#

import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_adj -16

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # (0 = check the protection the kernel will actually apply, not the one
    # the application requested.)
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

# create mountpoints
    mkdir /mnt 0775 root system

on init

sysclktz 0

loglevel 3

# Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

# Create cgroup mount point for memory
# The tmpfs and everything below it is limited to root and gid 1000
# (the system group) via mode=0750 / 0750 / 0660.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    # Top-level mount points. /data and /cache are chown/chmod'ed again in
    # post-fs / post-fs-data once the real filesystems are mounted on them.
    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The 0700 on the directory applies to the underlying mount point only;
    # once the tmpfs is mounted its own mode=0755 is what callers see.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # Kernel tunables. The security-relevant ones:
    #   panic_on_oops 1      - an oops panics the kernel instead of continuing
    #   randomize_va_space 2 - full address-space randomization
    #   kptr_restrict 2      - kernel pointers printed with %pK are hidden
    #   dmesg_restrict 1     - the kernel log is not readable without privilege
    #   mmap_min_addr 32768  - low addresses cannot be mapped by processes
    # NOTE(review): ping_group_range "0 2147483647" covers every gid, so any
    # process may create unprivileged ICMP (ping) sockets - confirm intended.
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    # NOTE(review): the two `chmod 0666` lines below make the apps and
    # bg_non_interactive tasks files world-writable, unlike the 0660 on
    # /dev/cpuctl/tasks above and contrary to the warning at the top of this
    # file. Confirm which writers need this before keeping it.
    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# qtaguid will limit access to specific data based on group memberships.
# net_bw_acct grants impersonation of socket owners.
# net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

# Create location for fs_mgr to store abbreviated output from filesystem
# checker programs.
    mkdir /dev/fscklogs 0770 root system

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # Result: /proc/kmsg and /proc/last_kmsg are group-readable, and
    # /proc/sysrq-trigger is write-only (0220) for root and group system.
    # NOTE(review): sysrq-trigger accepts commands that act on the whole
    # kernel, so membership of group system is the effective control here.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # NOTE(review): this only helps when /data/system/entropy.dat exists; it
    # is presumably written by a system component outside this file, so a
    # first boot or wiped /data gets no carried-over seed - confirm.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Modes to note: /data/misc is 01771 (sticky bit set), /data/misc/adb is
    # 02750 (setgid, group shell), and the keystore and systemkeys
    # directories are 0700, i.e. owner-only.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    restorecon_recursive /data/misc/zoneinfo
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    restorecon_recursive /data/misc/wifi/sockets
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): only the mode is set here; which group owns the file is
    # decided elsewhere - verify it is the intended one.
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media
    restorecon_recursive /data/misc/media

    # Set security context of any pre-existing /data/misc/adb/adb_keys file.
    restorecon /data/misc/adb
    restorecon /data/misc/adb/adb_keys

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm
    restorecon_recursive /data/mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    # NOTE(review): whatever can write to /data/security (created above as
    # 0711 system:system) can influence the policy that gets loaded - verify
    # that write access is as narrow as intended.
    setprop selinux.reload_policy 1

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
# (resource 13 is RLIMIT_NICE; soft and hard limit are both 40)
    setrlimit 13 40 40

# Memory management.  Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    # Only state, wake_lock and wake_unlock get an explicit mode below; the
    # other power nodes keep whatever mode the kernel created them with.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # Interactive cpufreq governor tunables: owned by system, mode 0660.
    # boostpulse is the one node that is chown'ed without a chmod.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    # Hardware and network sysfs nodes handed to the system user.
    # NOTE(review): the vibrator enable node is chown'ed twice in this list
    # (first and twelfth line); the second occurrence is redundant.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144

    # Start the services defined at the end of this file, class by class.
    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

# The vold.decrypt triggers below start, reset or restart service classes
# according to the value vold writes to that property.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Any value set on sys.powerctl is passed straight to the powerctl command,
# so the only gate is who is permitted to set that property (defined outside
# this file).
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files, so proxy it through init
# NOTE(review): the property value is written as-is, with no validation in
# this file.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

## Daemon processes to be run by init.
##
## A service with no `user` option keeps init's default, which is root.
## NOTE(review): only ueventd, healthd, console and adbd carry an explicit
## seclabel here; the other services presumably get their SELinux domain
## from a policy transition on the executable - confirm against the policy.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

service healthd-charger /sbin/healthd -n
    class charger
    critical
    seclabel u:r:healthd:s0

# Interactive shell on the console: disabled by default, runs as user shell
# in the shell domain, and is started only by the ro.debuggable=1 trigger
# that follows.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# It is disabled here and has no `user` line; --root_seclabel names the
# domain (u:r:su:s0) handed to adbd on its command line.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main

service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

# zygote has no `user` line; its socket is restricted to root and group
# system (660).
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs a shell script from /system once per boot; no `user` line.
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# Disabled by default; no `user` line.
service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot