init.rc revision 78ef91aa5ec29cc45bf3f0d4b32cd92db000a95a
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /init.usb.rc
9import /init.${ro.hardware}.rc
10import /init.trace.rc
11
# Action for the early-init trigger: protects init from the OOM killer,
# tightens SELinux mmap/mprotect checking, moves init into its own SELinux
# context, relabels /adb_keys, starts ueventd and creates /mnt.
12on early-init
13    # Set init and its forked children's oom_adj.
    # A strongly negative oom_adj makes the kernel OOM killer very unlikely to
    # pick init (pid 1).
14    write /proc/1/oom_adj -16
15
16    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 = check the protection the kernel will actually apply, not only the
    # protection the caller requested.
17    write /sys/fs/selinux/checkreqprot 0
18
19    # Set the security context for the init process.
20    # This should occur before anything else (e.g. ueventd) is started.
21    setcon u:r:init:s0
22
23    # Set the security context of /adb_keys if present.
    # restorecon resets the file to the label policy assigns to its path.
24    restorecon /adb_keys
25
26    start ueventd
27
28# create mountpoints
    # 0775 root:system is group-writable by system but not world-writable.
29    mkdir /mnt 0775 root system
30
# Action for the init trigger: compatibility symlinks, cgroup mounts, top-level
# mount points, kernel tunables (including hardening sysctls), cpu cgroups and
# xt_qtaguid ownership. The unindented commands below are still listed under
# this action.
31on init
32
33sysclktz 0
34
35loglevel 3
36
37# Backward compatibility
38    symlink /system/etc /etc
    # NOTE(review): /d exposes whatever is mounted at /sys/kernel/debug; access
    # then depends on that filesystem's own permissions and SELinux policy.
39    symlink /sys/kernel/debug /d
40
41# Right now vendor lives on the same filesystem as system,
42# but someday that may change.
43    symlink /system/vendor /vendor
44
45# Create cgroup mount point for cpu accounting
46    mkdir /acct
47    mount cgroup none /acct cpuacct
48    mkdir /acct/uid
49
50# Create cgroup mount point for memory
    # gid=1000 is the numeric id of the system group, matching the
    # "root system" ownership used on the mkdir lines below.
51    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
52    mkdir /sys/fs/cgroup/memory 0750 root system
53    mount cgroup none /sys/fs/cgroup/memory memory
54    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    # tasks files are 0660 root:system: only root and the system group can
    # move tasks into these memory cgroups.
55    chown root system /sys/fs/cgroup/memory/tasks
56    chmod 0660 /sys/fs/cgroup/memory/tasks
57    mkdir /sys/fs/cgroup/memory/sw 0750 root system
58    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
59    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
60    chown root system /sys/fs/cgroup/memory/sw/tasks
61    chmod 0660 /sys/fs/cgroup/memory/sw/tasks
62
63    mkdir /system
64    mkdir /data 0771 system system
65    mkdir /cache 0770 system cache
66    mkdir /config 0500 root root
67
68    # See storage config details at http://source.android.com/tech/storage/
69    mkdir /mnt/shell 0700 shell shell
70    mkdir /mnt/media_rw 0700 media_rw media_rw
71    mkdir /storage 0751 root sdcard_r
72
73    # Directory for putting things only root should see.
74    mkdir /mnt/secure 0700 root root
75
76    # Directory for staging bindmounts
77    mkdir /mnt/secure/staging 0700 root root
78
79    # Directory-target for where the secure container
80    # imagefile directory will be bind-mounted
81    mkdir /mnt/secure/asec  0700 root root
82
83    # Secure container public mount points.
    # The 0700 on the mkdir applies to the underlying directory only; once the
    # tmpfs is mounted on top, the visible mode is the mount's mode=0755 with
    # gid 1000 (system).
84    mkdir /mnt/asec  0700 root system
85    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
86
87    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: the tmpfs mode=0755 is what callers see.
88    mkdir /mnt/obb 0700 root system
89    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
90
    # Kernel tunables. Security-relevant settings in this run:
    #   panic_on_oops=1       an oops panics the kernel instead of continuing
    #   randomize_va_space=2  address-space randomization, brk heap included
    #   kptr_restrict=2       %pK kernel pointers are hidden from all users
    #   dmesg_restrict=1      reading the kernel log requires CAP_SYSLOG
    #   mmap_min_addr=32768   low addresses cannot be mapped, which limits the
    #                         impact of kernel NULL-pointer dereferences
    #   ping_group_range      "0 2147483647" lets every group open unprivileged
    #                         ICMP echo sockets (the widest possible range)
    #   sched_rt_runtime_us / sched_rt_period_us
    #                         real-time tasks get at most 950000 of every
    #                         1000000 us, so they cannot starve the system
91    write /proc/sys/kernel/panic_on_oops 1
92    write /proc/sys/kernel/hung_task_timeout_secs 0
93    write /proc/cpu/alignment 4
94    write /proc/sys/kernel/sched_latency_ns 10000000
95    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
96    write /proc/sys/kernel/sched_compat_yield 1
97    write /proc/sys/kernel/sched_child_runs_first 0
98    write /proc/sys/kernel/randomize_va_space 2
99    write /proc/sys/kernel/kptr_restrict 2
100    write /proc/sys/kernel/dmesg_restrict 1
101    write /proc/sys/vm/mmap_min_addr 32768
102    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
103    write /proc/sys/kernel/sched_rt_runtime_us 950000
104    write /proc/sys/kernel/sched_rt_period_us 1000000
105
106# Create cgroup mount points for process groups
107    mkdir /dev/cpuctl
108    mount cgroup none /dev/cpuctl cpu
109    chown system system /dev/cpuctl
110    chown system system /dev/cpuctl/tasks
111    chmod 0660 /dev/cpuctl/tasks
112    write /dev/cpuctl/cpu.shares 1024
113    write /dev/cpuctl/cpu.rt_runtime_us 950000
114    write /dev/cpuctl/cpu.rt_period_us 1000000
115
116    mkdir /dev/cpuctl/apps
117    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file world-writable, unlike the 0660
    # on /dev/cpuctl/tasks above and contrary to the rule in this file's
    # header. Confirm it is intentional and constrained elsewhere (kernel
    # cgroup attach checks, SELinux policy).
118    chmod 0666 /dev/cpuctl/apps/tasks
119    write /dev/cpuctl/apps/cpu.shares 1024
120    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
121    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
122
123    mkdir /dev/cpuctl/apps/bg_non_interactive
124    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same concern as apps/tasks.
125    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
126    # 5.0 % (52 shares against the 1024 given to /dev/cpuctl/apps)
127    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
128    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
129    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
130
131# qtaguid will limit access to specific data based on group memberships.
132#   net_bw_acct grants impersonation of socket owners.
133#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    # Membership in these two groups is therefore a privilege boundary; the
    # media service later in this file is given net_bw_acct.
134    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
135    chown root net_bw_stats /proc/net/xt_qtaguid/stats
136
137# Allow everybody to read the xt_qtaguid resource tracking misc dev.
138# This is needed by any process that uses socket tagging.
139    chmod 0644 /dev/xt_qtaguid
140
141# Create location for fs_mgr to store abbreviated output from filesystem
142# checker programs.
143    mkdir /dev/fscklogs 0770 root system
144
# Action for the post-fs trigger: locks down the root filesystem, re-applies
# ownership, mode and SELinux labels on /cache, and opens selected /proc
# files to the log and system groups for bugreports.
145on post-fs
146    # once everything is setup, no need to modify /
    # The root filesystem is remounted read-only from here on.
147    mount rootfs rootfs / ro remount
148    # mount shared so changes propagate into child namespaces
149    mount rootfs rootfs / shared rec
150
151    # We chown/chmod /cache again because mount is run as root + defaults
152    chown system cache /cache
153    chmod 0770 /cache
154    # We restorecon /cache in case the cache partition has been reset.
155    restorecon /cache
156
157    # This may have been created by the recovery system with odd permissions
158    chown system cache /cache/recovery
159    chmod 0770 /cache/recovery
160    # This may have been created by the recovery system with the wrong context.
161    restorecon /cache/recovery
162
163    # Change permissions on vmallocinfo so we can grab it from bugreports.
    # 0440 root:log keeps these kernel-memory views readable only by root and
    # the log group.
164    chown root log /proc/vmallocinfo
165    chmod 0440 /proc/vmallocinfo
166
167    chown root log /proc/slabinfo
168    chmod 0440 /proc/slabinfo
169
170    # Change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks.
171    chown root system /proc/kmsg
172    chmod 0440 /proc/kmsg
    # NOTE(review): 0220 root:system lets any process in the system group
    # write to sysrq-trigger; confirm that group membership is limited to
    # processes that need it.
173    chown root system /proc/sysrq-trigger
174    chmod 0220 /proc/sysrq-trigger
175    chown system log /proc/last_kmsg
176    chmod 0440 /proc/last_kmsg
177
178    # create the lost+found directories, so as to enforce our permissions
179    mkdir /cache/lost+found 0770 root root
180
# Action for the post-fs-data trigger: re-applies ownership, mode and label on
# /data, seeds the entropy pool, collects apanic dumps, and creates the /data
# directory tree with explicit owners and modes.
181on post-fs-data
182    # We chown/chmod /data again because mount is run as root + defaults
183    chown system system /data
184    chmod 0771 /data
185    # We restorecon /data in case the userdata partition has been reset.
186    restorecon /data
187
188    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # Bytes written to /dev/urandom are mixed into the pool without being
    # credited as entropy.
189    copy /data/system/entropy.dat /dev/urandom
190
191    # Create dump dir and collect dumps.
192    # Do this before we mount cache so eventually we can use cache for
193    # storing dumps on platforms which do not have a dedicated dump partition.
194    mkdir /data/dontpanic 0750 root log
195
196    # Collect apanic data, free resources and re-arm trigger
    # The copies are restricted to root and the log group (0640 root:log).
197    copy /proc/apanic_console /data/dontpanic/apanic_console
198    chown root log /data/dontpanic/apanic_console
199    chmod 0640 /data/dontpanic/apanic_console
200
201    copy /proc/apanic_threads /data/dontpanic/apanic_threads
202    chown root log /data/dontpanic/apanic_threads
203    chmod 0640 /data/dontpanic/apanic_threads
204
205    write /proc/apanic_console 1
206
207    # create basic filesystem structure
    # 01771 sets the sticky bit on /data/misc; 02750 sets setgid on
    # /data/misc/adb so entries created there inherit the shell group.
208    mkdir /data/misc 01771 system misc
209    mkdir /data/misc/adb 02750 system shell
210    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
211    mkdir /data/misc/bluetooth 0770 system system
    # Only the keystore user can enter this directory; the keystore service in
    # this file runs as that user.
212    mkdir /data/misc/keystore 0700 keystore keystore
213    mkdir /data/misc/keychain 0771 system system
214    mkdir /data/misc/radio 0770 system radio
215    mkdir /data/misc/sms 0770 system radio
216    mkdir /data/misc/zoneinfo 0775 system system
217    restorecon_recursive /data/misc/zoneinfo
218    mkdir /data/misc/vpn 0770 system vpn
219    mkdir /data/misc/systemkeys 0700 system system
220    mkdir /data/misc/wifi 0770 wifi wifi
221    mkdir /data/misc/wifi/sockets 0770 wifi wifi
222    restorecon_recursive /data/misc/wifi/sockets
223    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
224    mkdir /data/misc/dhcp 0770 dhcp dhcp
225    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): this file presumably holds Wi-Fi credentials; 0660 keeps
    # it away from "other", but the owner/group are not set here - confirm.
226    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
227    mkdir /data/local 0751 root root
228    mkdir /data/misc/media 0700 media media
229    restorecon_recursive /data/misc/media
230
231    # Set security context of any pre-existing /data/misc/adb/adb_keys file.
232    restorecon /data/misc/adb
233    restorecon /data/misc/adb/adb_keys
234
235    # For security reasons, /data/local/tmp should always be empty.
236    # Do not place files or directories in /data/local/tmp
237    mkdir /data/local/tmp 0771 shell shell
238    mkdir /data/data 0771 system system
239    mkdir /data/app-private 0771 system system
240    mkdir /data/app-asec 0700 root root
241    mkdir /data/app-lib 0771 system system
242    mkdir /data/app 0771 system system
243    mkdir /data/property 0700 root root
244    mkdir /data/ssh 0750 root shell
245    mkdir /data/ssh/empty 0700 root root
246
247    # create dalvik-cache, so as to enforce our permissions
248    mkdir /data/dalvik-cache 0771 system system
249
250    # create resource-cache and double-check the perms
251    mkdir /data/resource-cache 0771 system system
252    chown system system /data/resource-cache
253    chmod 0771 /data/resource-cache
254
255    # create the lost+found directories, so as to enforce our permissions
256    mkdir /data/lost+found 0770 root root
257
258    # create directory for DRM plug-ins - give drm the read/write access to
259    # the following directory.
260    mkdir /data/drm 0770 drm drm
261
262    # create directory for MediaDrm plug-ins - give drm the read/write access to
263    # the following directory.
264    mkdir /data/mediadrm 0770 mediadrm mediadrm
265    restorecon_recursive /data/mediadrm
266
267    # symlink to bugreport storage location
268    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
269
270    # Separate location for storing security policy files on data
271    mkdir /data/security 0711 system system
272
273    # Reload policy from /data/security if present.
    # NOTE(review): policy loaded from the writable /data partition is only as
    # trustworthy as the access controls on /data/security (0711 system:system
    # above); confirm which domains may write there.
274    setprop selinux.reload_policy 1
275
276    # If there is no post-fs-data action in the init.<device>.rc file, you
277    # must uncomment this line, otherwise encrypted filesystems
278    # won't work.
279    # Set indication (checked by vold) that we have finished this action
280    #setprop vold.post_fs_data_done 1
281
# Action for the boot trigger: loopback networking, resource limits, memory
# tunables, ownership of power/cpufreq/LED sysfs nodes, TCP buffer-size
# properties, then starts the core and main service classes.
282on boot
283# basic network init
284    ifup lo
285    hostname localhost
286    domainname localdomain
287
288# set RLIMIT_NICE to allow priorities from 19 to -20
289    setrlimit 13 40 40
290
291# Memory management.  Basic kernel parameters, and allow the high
292# level system server to be able to adjust the kernel OOM driver
293# parameters to match how it is managing things.
294    write /proc/sys/vm/overcommit_memory 1
295    write /proc/sys/vm/min_free_order_shift 4
    # 0664 root:system: writable by root and the system group, readable by all.
296    chown root system /sys/module/lowmemorykiller/parameters/adj
297    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
298    chown root system /sys/module/lowmemorykiller/parameters/minfree
299    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
300
301    # Tweak background writeout
302    write /proc/sys/vm/dirty_expire_centisecs 200
303    write /proc/sys/vm/dirty_background_ratio  5
304
305    # Permissions for System Server and daemons.
    # Only three of the power nodes below get an explicit chmod (0660); the
    # others keep whatever mode the kernel gave them.
306    chown radio system /sys/android_power/state
307    chown radio system /sys/android_power/request_state
308    chown radio system /sys/android_power/acquire_full_wake_lock
309    chown radio system /sys/android_power/acquire_partial_wake_lock
310    chown radio system /sys/android_power/release_wake_lock
311    chown system system /sys/power/autosleep
312    chown system system /sys/power/state
313    chown system system /sys/power/wakeup_count
314    chown radio system /sys/power/wake_lock
315    chown radio system /sys/power/wake_unlock
316    chmod 0660 /sys/power/state
317    chmod 0660 /sys/power/wake_lock
318    chmod 0660 /sys/power/wake_unlock
319
    # cpufreq "interactive" governor tunables: handed to system:system and
    # restricted to 0660 so only that user and group can change them.
320    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
321    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
322    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
323    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
324    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
325    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
326    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
327    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
328    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
329    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
330    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
331    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
332    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
333    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
334    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
335    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): boostpulse is the only tunable in this run without a
    # matching chmod 0660; confirm its default mode is acceptable.
336    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
337    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
338    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
339    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
340    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
341    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
342    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
343
344    # Assume SMP uses shared cpufreq policy for all CPUs
345    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
346    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
347
348    chown system system /sys/class/timed_output/vibrator/enable
349    chown system system /sys/class/leds/keyboard-backlight/brightness
350    chown system system /sys/class/leds/lcd-backlight/brightness
351    chown system system /sys/class/leds/button-backlight/brightness
352    chown system system /sys/class/leds/jogball-backlight/brightness
353    chown system system /sys/class/leds/red/brightness
354    chown system system /sys/class/leds/green/brightness
355    chown system system /sys/class/leds/blue/brightness
356    chown system system /sys/class/leds/red/device/grpfreq
357    chown system system /sys/class/leds/red/device/grppwm
358    chown system system /sys/class/leds/red/device/blink
    # Repeats the vibrator chown from the start of this run.
359    chown system system /sys/class/timed_output/vibrator/enable
360    chown system system /sys/module/sco/parameters/disable_esco
361    chown system system /sys/kernel/ipv4/tcp_wmem_min
362    chown system system /sys/kernel/ipv4/tcp_wmem_def
363    chown system system /sys/kernel/ipv4/tcp_wmem_max
364    chown system system /sys/kernel/ipv4/tcp_rmem_min
365    chown system system /sys/kernel/ipv4/tcp_rmem_def
366    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # The kernel command line becomes owned by group radio; no chmod follows,
    # so the mode stays at the kernel default.
367    chown root radio /proc/cmdline
368
369# Define TCP buffer sizes for various networks
370#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
371    setprop net.tcp.buffersize.default  4096,87380,110208,4096,16384,110208
372    setprop net.tcp.buffersize.wifi     524288,1048576,2097152,262144,524288,1048576
373    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
374    setprop net.tcp.buffersize.lte      524288,1048576,2097152,262144,524288,1048576
375    setprop net.tcp.buffersize.umts     4094,87380,110208,4096,16384,110208
376    setprop net.tcp.buffersize.hspa     4094,87380,262144,4096,16384,262144
377    setprop net.tcp.buffersize.hsupa    4094,87380,262144,4096,16384,262144
378    setprop net.tcp.buffersize.hsdpa    4094,87380,262144,4096,16384,262144
379    setprop net.tcp.buffersize.hspap    4094,87380,1220608,4096,16384,1220608
380    setprop net.tcp.buffersize.edge     4093,26280,35040,4096,16384,35040
381    setprop net.tcp.buffersize.gprs     4092,8760,11680,4096,8760,11680
382    setprop net.tcp.buffersize.evdo     4094,87380,262144,4096,16384,262144
383
    # Services declared "class core" and "class main" later in this file are
    # started here, except those marked disabled.
384    class_start core
385    class_start main
386
# Starts the late_start service class when the nonencrypted trigger fires.
387on nonencrypted
388    class_start late_start
389
# Starts the charger service class (healthd-charger in this file) when the
# charger trigger fires.
390on charger
391    class_start charger
392
# Property triggers keyed on vold.decrypt. Each value maps to stopping or
# starting service classes, loading persistent properties, or re-running
# post-fs-data.
# NOTE(review): whoever may set vold.decrypt can stop and restart the main and
# late_start classes; confirm the property is writable only by vold.
393on property:vold.decrypt=trigger_reset_main
394    class_reset main
395
396on property:vold.decrypt=trigger_load_persist_props
397    load_persist_props
398
399on property:vold.decrypt=trigger_post_fs_data
400    trigger post-fs-data
401
402on property:vold.decrypt=trigger_restart_min_framework
403    class_start main
404
405on property:vold.decrypt=trigger_restart_framework
406    class_start main
407    class_start late_start
408
409on property:vold.decrypt=trigger_shutdown_framework
410    class_reset late_start
411    class_reset main
412
# Runs powerctl with whatever value is written to sys.powerctl.
# NOTE(review): the ability to set this property is the ability to power the
# device off or reboot it; confirm the property-service permissions for it.
413on property:sys.powerctl=*
414    powerctl ${sys.powerctl}
415
416# system server cannot write to /proc/sys files, so proxy it through init
# NOTE(review): the property value is written to /proc/sys as-is by init;
# nothing in this file validates it, so only trusted writers should be able
# to set sys.sysctl.extra_free_kbytes.
417on property:sys.sysctl.extra_free_kbytes=*
418    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
419
420## Daemon processes to be run by init.
421##
# ueventd, healthd and healthd-charger run from /sbin with an explicit
# seclabel. None has a `user` option, so init's documented default (root)
# applies. `critical` marks a service whose repeated exits send the device
# into recovery.
422service ueventd /sbin/ueventd
423    class core
424    critical
425    seclabel u:r:ueventd:s0
426
427service healthd /sbin/healthd
428    class core
429    critical
430    seclabel u:r:healthd:s0
431
# Same binary as healthd with -n, in class charger instead of core.
432service healthd-charger /sbin/healthd -n
433    class charger
434    critical
435    seclabel u:r:healthd:s0
436
# Interactive shell on the console device, run as user shell with group log in
# the shell SELinux domain. `disabled` keeps it from starting with class core.
437service console /system/bin/sh
438    class core
439    console
440    disabled
441    user shell
442    group log
443    seclabel u:r:shell:s0
444
# In this file the console shell is started only when ro.debuggable=1.
445on property:ro.debuggable=1
446    start console
447
448# adbd is controlled via property triggers in init.<platform>.usb.rc
# No `user` option, so adbd starts as root in the adbd domain; its control
# socket is 660 system:system.
# NOTE(review): --root_seclabel names the context adbd is given for running as
# root (u:r:su:s0); presumably that path is limited to debuggable builds -
# confirm against adbd.
449service adbd /sbin/adbd --root_seclabel=u:r:su:s0
450    class core
451    socket adbd stream 660 system system
452    disabled
453    seclabel u:r:adbd:s0
454
455# adbd on at boot in emulator
456on property:ro.kernel.qemu=1
457    start adbd
458
# servicemanager runs as system:system and is marked critical. When it
# restarts, the five services named in the onrestart lines are restarted too.
459service servicemanager /system/bin/servicemanager
460    class core
461    user system
462    group system
463    critical
464    onrestart restart healthd
465    onrestart restart zygote
466    onrestart restart media
467    onrestart restart surfaceflinger
468    onrestart restart drm
469
# vold has no `user` or `seclabel` option: it runs as root (init's documented
# default) and its SELinux domain depends on a policy-defined transition.
# Its control socket is limited to root and the mount group.
470service vold /system/bin/vold
471    class core
472    socket vold stream 0660 root mount
473    ioprio be 2
474
# netd also runs as root. Each socket's group decides who may connect:
# system for netd and mdns, inet for dnsproxyd.
475service netd /system/bin/netd
476    class main
477    socket netd stream 0660 root system
478    socket dnsproxyd stream 0660 root inet
479    socket mdns stream 0660 root system
480
# Both debuggerd services have no `user`, `group` or `seclabel` option, so
# they run as root with a domain that depends on policy transitions.
481service debuggerd /system/bin/debuggerd
482    class main
483
484service debuggerd64 /system/bin/debuggerd64
485    class main
486
# rild is started explicitly as root with supplementary groups
# radio cache inet misc audio log.
# NOTE(review): whether rild drops privileges after start is not visible
# here - confirm. The rild-debug socket is owned by radio:system.
487service ril-daemon /system/bin/rild
488    class main
489    socket rild stream 660 root radio
490    socket rild-debug stream 660 radio system
491    user root
492    group radio cache inet misc audio log
493
# surfaceflinger runs as user system with groups graphics and drmrpc; a
# restart of it also restarts zygote.
494service surfaceflinger /system/bin/surfaceflinger
495    class main
496    user system
497    group graphics drmrpc
498    onrestart restart zygote
499
# zygote has no `user` option, so it starts as root. Its socket is 660
# root:system, so only root and the system group can connect to it.
500service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
501    class main
502    socket zygote stream 660 root system
503    onrestart write /sys/android_power/request_state wake
504    onrestart write /sys/power/state on
505    onrestart restart media
506    onrestart restart netd
507
# drmserver runs as the unprivileged drm user.
508service drm /system/bin/drmserver
509    class main
510    user drm
511    group drm system inet drmrpc
512
# mediaserver runs as user media but with a wide set of supplementary groups,
# including net_bw_acct (described in this file as granting impersonation of
# socket owners) plus camera, audio and Bluetooth groups.
# NOTE(review): review each group for least privilege.
513service media /system/bin/mediaserver
514    class main
515    user media
516    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
517    ioprio rt 4
518
# bootanimation runs as graphics:graphics; disabled + oneshot means it is
# started by name and not restarted when it exits.
519service bootanim /system/bin/bootanimation
520    class main
521    user graphics
522    group graphics
523    disabled
524    oneshot
525
# installd has no `user` option (root by default); its socket is 600
# system:system, so only the system user can connect.
526service installd /system/bin/installd
527    class main
528    socket installd stream 600 system system
529
# Runs the install-recovery.sh script once when class main starts, as root
# (no `user` option).
# NOTE(review): a script executed as root on every boot depends on /system
# being protected from modification.
530service flash_recovery /system/etc/install-recovery.sh
531    class main
532    oneshot
533
# racoon has no `user` option, so it starts as root; the comment below states
# that it switches to vpn itself after binding its port. disabled + oneshot:
# started by name, not restarted on exit.
534service racoon /system/bin/racoon
535    class main
536    socket racoon stream 600 system system
537    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
538    group vpn net_admin inet
539    disabled
540    oneshot
541
# mtpd is started directly as user vpn, with net_admin and net_raw among its
# groups.
542service mtpd /system/bin/mtpd
543    class main
544    socket mtpd stream 600 system system
545    user vpn
546    group vpn net_admin inet net_raw
547    disabled
548    oneshot
549
# keystore runs as its own user and is passed /data/misc/keystore, which this
# file creates as 0700 keystore:keystore.
550service keystore /system/bin/keystore /data/misc/keystore
551    class main
552    user keystore
553    group keystore drmrpc
554
# dumpstate has no `user` option (root by default) and is reachable through a
# socket owned by shell:log; disabled + oneshot means it runs only when
# started by name.
555service dumpstate /system/bin/dumpstate -s
556    class main
557    socket dumpstate stream 0660 shell log
558    disabled
559    oneshot
560
# sshd is disabled by default and has no `user` or `seclabel` option.
# NOTE(review): if enabled, start-ssh runs as root; confirm what starts it.
561service sshd /system/bin/start-ssh
562    class main
563    disabled
564
# mdnsd runs as the unprivileged mdnsr user with groups inet and net_raw; its
# socket is 0660 mdnsr:inet. disabled + oneshot: started by name only.
565service mdnsd /system/bin/mdnsd
566    class main
567    user mdnsr
568    group inet net_raw
569    socket mdnsd stream 0660 mdnsr inet
570    disabled
571    oneshot
571    oneshot
572