init.rc revision 80c7a5e8a861de42ddade15704f1785953cee345
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Layout of this file: each "on TRIGGER" section lists commands that init runs
# when that trigger or property condition fires; each "service" section
# declares a daemon that init launches. Commands run in the order written.
#

import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_score_adj.
    write /proc/1/oom_score_adj -1000

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

    # create mountpoints
    mkdir /mnt 0775 root system

on init
    sysclktz 0

    loglevel 3

    # Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Right now vendor lives on the same filesystem as system,
    # but someday that may change.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory
    # (tasks files end up root:system 0660, so only root and group system
    # can move processes between these memory cgroups)
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # (the tmpfs mounted on top is mode 0755, gid 1000; that mode replaces the
    # 0700 given to mkdir for as long as the tmpfs is mounted)
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel tunables. The security-relevant ones are:
    #   panic_on_oops=1      - panic on a kernel oops rather than keep running
    #   randomize_va_space=2 - full address-space randomization, heap included
    #   kptr_restrict=2      - hide kernel pointers printed with %pK from all users
    #   mmap_min_addr=32768  - lowest address a process is allowed to mmap
    #   ping_group_range     - group ids allowed to open ICMP ping sockets
    #                          (the range given here covers every gid)
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # reflect fwmark from incoming packets onto generated replies
    write /proc/sys/net/ipv4/fwmark_reflect 1
    write /proc/sys/net/ipv6/fwmark_reflect 1

    # set fwmark on accepted sockets
    write /proc/sys/net/ipv4/tcp_fwmark_accept 1

    # Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    # NOTE(review): the two "apps" tasks files below are set to 0666, i.e.
    # world-writable, which the IMPORTANT note at the top of this file warns
    # against. Presumably intentional so that any process can be placed in
    # these scheduling groups; confirm, and check what else restricts writes.
    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    #   net_bw_acct grants impersonation of socket owners.
    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log
    # (readable only by owner system and group log)
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops

# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.
on property:sys.boot_from_charger_mode=1
    class_stop charger
    trigger late-init

# Load properties from /system/ + /factory after fs mount.
on load_all_props_action
    load_all_props

# Indicate to fw loaders that the relevant mounts are up.
on firmware_mounts_complete
    rm /dev/.booting

# Mount filesystems and start core system services.
on late-init
    trigger early-fs
    trigger fs
    trigger post-fs
    trigger post-fs-data

    # Load properties from /system/ + /factory after fs mount. Place
    # this in another action so that the load will be scheduled after the prior
    # issued fs triggers have completed.
    trigger load_all_props_action

    trigger early-boot
    trigger boot

    # Remove a file to wake up anything waiting for firmware
    trigger firmware_mounts_complete

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon_recursive /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery

    # Change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # Change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # (kmsg and last_kmsg become read-only for owner and group; sysrq-trigger
    # becomes write-only, 0220, for root and group system)
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Each daemon's directory is owned by that daemon's own uid/gid, and none
    # of the modes below grants write access to "other". Mode 01771 puts the
    # sticky bit on /data/misc; 02750 makes /data/misc/adb setgid.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/net 0750 root shell
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/ethernet 0770 system system
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    # give system access to wpa_supplicant.conf for backup and restore
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system
    mkdir /data/dalvik-cache/profiles 0711 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    # (0711 system:system, so only the system uid can create or replace
    # files in it)
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    # (the lowmemorykiller parameters become write-only, 0220, for root and
    # group system)
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # Hand the interactive cpufreq governor tunables to system:system, 0660.
    # boostpulse is the one entry that gets a chown but no chmod.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    # (repeats the chown of vibrator/enable from the start of this group)
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

    # Define TCP buffer sizes for various networks
    #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default  4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte      524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts     58254,349525,1048576,58254,349525,1048576
    setprop net.tcp.buffersize.hspa     40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsupa    40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsdpa    61167,367002,1101005,8738,52429,262114
    setprop net.tcp.buffersize.hspap    122334,734003,2202010,32040,192239,576717
    setprop net.tcp.buffersize.edge     4093,26280,70800,4096,16384,70800
    setprop net.tcp.buffersize.gprs     4092,8760,48000,4096,8760,48000
    setprop net.tcp.buffersize.evdo     4094,87380,262144,4096,16384,262144

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core

# The sections from here to "on property:vold.decrypt=trigger_shutdown_framework"
# start, reset or restart service classes depending on the encryption state.
# The notes on the defaultcrypto and encrypt services say vold sets
# vold.decrypt; presumably it sets the other trigger values as well.
on nonencrypted
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_default_encryption
    start defaultcrypto

on property:vold.decrypt=trigger_encryption
    start surfaceflinger
    start encrypt
    class_start main

# Let the sys.init_log_level property change init's log level at runtime.
on property:sys.init_log_level=*
    loglevel ${sys.init_log_level}

on charger
    class_start charger

on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Hand whatever is written to sys.powerctl to init's powerctl command.
# NOTE(review): which processes may set sys.powerctl is decided by property
# permissions that are not part of this file.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
# init writes the expanded property value to the sysctl as root, so the ability
# to set a sys.sysctl.* property is the ability to set that sysctl.
# NOTE(review): confirm the property permissions limit these to system server.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

# "tcp_default_init_rwnd" Is too long!
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}


## Daemon processes to be run by init.
##
## A service with no "user" line is started without a uid change, i.e. as root.
## "seclabel" sets the service's SELinux context explicitly; services without
## it presumably get their domain from a transition rule in the policy - confirm
## against the sepolicy when auditing a given daemon.
## "socket NAME TYPE MODE USER GROUP" has init create the socket with that
## mode and ownership before the daemon starts.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

# NOTE(review): logd and logdr are created 0666 and logdw 0222, so every uid
# can connect to or write them. Presumably deliberate so that any process can
# log; any further access control has to come from outside these modes.
service logd /system/bin/logd
    class core
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
    seclabel u:r:logd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Shell on the console, run as user shell. Declared disabled; the only start
# in this file is the ro.debuggable=1 trigger below.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# NOTE(review): --root_seclabel names the su domain; presumably the context
# adbd keeps when it stays root on a debuggable build - confirm against adbd
# and the policy. The adbd socket is limited to system:system (660).
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system

# Restarting servicemanager also restarts every service named in its
# onrestart lines.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart inputflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

# netd has no "user" line; its control sockets are 0660 and split between
# group system (netd, mdns) and group inet (dnsproxyd, fwmarkd).
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
    socket fwmarkd stream 0660 root inet

service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main

# rild is explicitly kept as root, with the supplementary groups listed.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

service inputflinger /system/bin/inputflinger
    class main
    user system
    group input
    onrestart restart zygote

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

# One shot invocation to deal with encrypted volume.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)

# One shot invocation to encrypt unencrypted volumes
service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption)

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# installd has no "user" line; its socket is owner-only (600) for uid system.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

service flash_recovery /system/bin/install-recovery.sh
    class main
    seclabel u:r:install_recovery:s0
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

# Runs as its own uid; /data/misc/keystore is created 0700 keystore:keystore
# in the post-fs-data section.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot

service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot