init.rc revision 837135a64fff9f9d5ae630642cfba41cc95d07f8
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.environ.rc 8import /init.usb.rc 9import /init.${ro.hardware}.rc 10import /init.${ro.zygote}.rc 11import /init.trace.rc 12 13on early-init 14 # Set init and its forked children's oom_adj. 15 write /proc/1/oom_score_adj -1000 16 17 # Set the security context of /adb_keys if present. 18 restorecon /adb_keys 19 20 # Shouldn't be necessary, but sdcard won't start without it. http://b/22568628. 21 mkdir /mnt 0775 root system 22 23 start ueventd 24 25on init 26 sysclktz 0 27 28 # Backward compatibility. 29 symlink /system/etc /etc 30 symlink /sys/kernel/debug /d 31 32 # Link /vendor to /system/vendor for devices without a vendor partition. 33 symlink /system/vendor /vendor 34 35 # Mount cgroup mount point for cpu accounting 36 mount cgroup none /acct cpuacct 37 mkdir /acct/uid 38 39 # Create cgroup mount point for memory 40 mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000 41 mkdir /sys/fs/cgroup/memory 0750 root system 42 mount cgroup none /sys/fs/cgroup/memory memory 43 write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 44 chown root system /sys/fs/cgroup/memory/tasks 45 chmod 0660 /sys/fs/cgroup/memory/tasks 46 mkdir /sys/fs/cgroup/memory/sw 0750 root system 47 write /sys/fs/cgroup/memory/sw/memory.swappiness 100 48 write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 49 chown root system /sys/fs/cgroup/memory/sw/tasks 50 chmod 0660 /sys/fs/cgroup/memory/sw/tasks 51 52 # See storage config details at http://source.android.com/tech/storage/ 53 mkdir /mnt/shell 0700 shell shell 54 mkdir /mnt/media_rw 0700 media_rw media_rw 55 mkdir /storage 0751 root sdcard_r 56 57 # Directory for putting things only root should see. 58 mkdir /mnt/secure 0700 root root 59 60 # Directory for staging bindmounts 61 mkdir /mnt/secure/staging 0700 root root 62 63 # Directory-target for where the secure container 64 # imagefile directory will be bind-mounted 65 mkdir /mnt/secure/asec 0700 root root 66 67 # Secure container public mount points. 68 mkdir /mnt/asec 0700 root system 69 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 70 71 # Filesystem image public mount points. 72 mkdir /mnt/obb 0700 root system 73 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 74 75 # memory control cgroup 76 mkdir /dev/memcg 0700 root system 77 mount cgroup none /dev/memcg memory 78 79 write /proc/sys/kernel/panic_on_oops 1 80 write /proc/sys/kernel/hung_task_timeout_secs 0 81 write /proc/cpu/alignment 4 82 write /proc/sys/kernel/sched_latency_ns 10000000 83 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 84 write /proc/sys/kernel/sched_compat_yield 1 85 write /proc/sys/kernel/sched_child_runs_first 0 86 write /proc/sys/kernel/randomize_va_space 2 87 write /proc/sys/kernel/kptr_restrict 2 88 write /proc/sys/vm/mmap_min_addr 32768 89 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 90 write /proc/sys/net/unix/max_dgram_qlen 300 91 write /proc/sys/kernel/sched_rt_runtime_us 950000 92 write /proc/sys/kernel/sched_rt_period_us 1000000 93 94 # reflect fwmark from incoming packets onto generated replies 95 write /proc/sys/net/ipv4/fwmark_reflect 1 96 write /proc/sys/net/ipv6/fwmark_reflect 1 97 98 # set fwmark on accepted sockets 99 write /proc/sys/net/ipv4/tcp_fwmark_accept 1 100 101 # Create cgroup mount points for process groups 102 mkdir /dev/cpuctl 103 mount cgroup none /dev/cpuctl cpu 104 chown system system /dev/cpuctl 105 chown system system /dev/cpuctl/tasks 106 chmod 0666 /dev/cpuctl/tasks 107 write /dev/cpuctl/cpu.shares 1024 108 write /dev/cpuctl/cpu.rt_runtime_us 800000 109 write /dev/cpuctl/cpu.rt_period_us 1000000 110 111 mkdir /dev/cpuctl/bg_non_interactive 112 chown system system /dev/cpuctl/bg_non_interactive/tasks 113 chmod 0666 /dev/cpuctl/bg_non_interactive/tasks 114 # 5.0 % 115 write /dev/cpuctl/bg_non_interactive/cpu.shares 52 116 write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 700000 117 write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000 118 119 # qtaguid will limit access to specific data based on group memberships. 120 # net_bw_acct grants impersonation of socket owners. 121 # net_bw_stats grants access to other apps' detailed tagged-socket stats. 122 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 123 chown root net_bw_stats /proc/net/xt_qtaguid/stats 124 125 # Allow everybody to read the xt_qtaguid resource tracking misc dev. 126 # This is needed by any process that uses socket tagging. 127 chmod 0644 /dev/xt_qtaguid 128 129 # Create location for fs_mgr to store abbreviated output from filesystem 130 # checker programs. 131 mkdir /dev/fscklogs 0770 root system 132 133 # pstore/ramoops previous console log 134 mount pstore pstore /sys/fs/pstore 135 chown system log /sys/fs/pstore/console-ramoops 136 chmod 0440 /sys/fs/pstore/console-ramoops 137 chown system log /sys/fs/pstore/pmsg-ramoops-0 138 chmod 0440 /sys/fs/pstore/pmsg-ramoops-0 139 140 # enable armv8_deprecated instruction hooks 141 write /proc/sys/abi/swp 1 142 143# Healthd can trigger a full boot from charger mode by signaling this 144# property when the power button is held. 145on property:sys.boot_from_charger_mode=1 146 class_stop charger 147 trigger late-init 148 149# Load properties from /system/ + /factory after fs mount. 150on load_all_props_action 151 load_all_props 152 start logd 153 start logd-reinit 154 155# Indicate to fw loaders that the relevant mounts are up. 156on firmware_mounts_complete 157 rm /dev/.booting 158 159# Mount filesystems and start core system services. 160on late-init 161 trigger early-fs 162 trigger fs 163 trigger post-fs 164 trigger post-fs-data 165 166 # Load properties from /system/ + /factory after fs mount. Place 167 # this in another action so that the load will be scheduled after the prior 168 # issued fs triggers have completed. 169 trigger load_all_props_action 170 171 # Remove a file to wake up anything waiting for firmware. 172 trigger firmware_mounts_complete 173 174 trigger early-boot 175 trigger boot 176 177 178on post-fs 179 start logd 180 # once everything is setup, no need to modify / 181 mount rootfs rootfs / ro remount 182 # mount shared so changes propagate into child namespaces 183 mount rootfs rootfs / shared rec 184 185 # We chown/chmod /cache again so because mount is run as root + defaults 186 chown system cache /cache 187 chmod 0770 /cache 188 # We restorecon /cache in case the cache partition has been reset. 189 restorecon_recursive /cache 190 191 # Create /cache/recovery in case it's not there. It'll also fix the odd 192 # permissions if created by the recovery system. 193 mkdir /cache/recovery 0770 system cache 194 195 #change permissions on vmallocinfo so we can grab it from bugreports 196 chown root log /proc/vmallocinfo 197 chmod 0440 /proc/vmallocinfo 198 199 chown root log /proc/slabinfo 200 chmod 0440 /proc/slabinfo 201 202 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 203 chown root system /proc/kmsg 204 chmod 0440 /proc/kmsg 205 chown root system /proc/sysrq-trigger 206 chmod 0220 /proc/sysrq-trigger 207 chown system log /proc/last_kmsg 208 chmod 0440 /proc/last_kmsg 209 210 # make the selinux kernel policy world-readable 211 chmod 0444 /sys/fs/selinux/policy 212 213 # create the lost+found directories, so as to enforce our permissions 214 mkdir /cache/lost+found 0770 root root 215 216on post-fs-data 217 # We chown/chmod /data again so because mount is run as root + defaults 218 chown system system /data 219 chmod 0771 /data 220 # We restorecon /data in case the userdata partition has been reset. 221 restorecon /data 222 223 # Make sure we have the device encryption key 224 start logd 225 start vold 226 installkey /data 227 228 # Start bootcharting as soon as possible after the data partition is 229 # mounted to collect more data. 230 mkdir /data/bootchart 0755 shell shell 231 bootchart_init 232 233 # Avoid predictable entropy pool. Carry over entropy from previous boot. 234 copy /data/system/entropy.dat /dev/urandom 235 236 # create basic filesystem structure 237 mkdir /data/misc 01771 system misc 238 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 239 mkdir /data/misc/bluetooth 0770 system system 240 mkdir /data/misc/keystore 0700 keystore keystore 241 mkdir /data/misc/gatekeeper 0700 system system 242 mkdir /data/misc/keychain 0771 system system 243 mkdir /data/misc/net 0750 root shell 244 mkdir /data/misc/radio 0770 system radio 245 mkdir /data/misc/sms 0770 system radio 246 mkdir /data/misc/zoneinfo 0775 system system 247 mkdir /data/misc/vpn 0770 system vpn 248 mkdir /data/misc/shared_relro 0771 shared_relro shared_relro 249 mkdir /data/misc/systemkeys 0700 system system 250 mkdir /data/misc/wifi 0770 wifi wifi 251 mkdir /data/misc/wifi/sockets 0770 wifi wifi 252 mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi 253 mkdir /data/misc/ethernet 0770 system system 254 mkdir /data/misc/dhcp 0770 dhcp dhcp 255 mkdir /data/misc/user 0771 root root 256 mkdir /data/misc/perfprofd 0775 root root 257 # give system access to wpa_supplicant.conf for backup and restore 258 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 259 mkdir /data/local 0751 root root 260 mkdir /data/misc/media 0700 media media 261 mkdir /data/misc/boottrace 0771 system shell 262 263 # For security reasons, /data/local/tmp should always be empty. 264 # Do not place files or directories in /data/local/tmp 265 mkdir /data/local/tmp 0771 shell shell 266 mkdir /data/data 0771 system system 267 mkdir /data/app-private 0771 system system 268 mkdir /data/app-asec 0700 root root 269 mkdir /data/app-lib 0771 system system 270 mkdir /data/app 0771 system system 271 mkdir /data/property 0700 root root 272 mkdir /data/tombstones 0771 system system 273 274 # create dalvik-cache, so as to enforce our permissions 275 mkdir /data/dalvik-cache 0771 root root 276 mkdir /data/dalvik-cache/profiles 0711 system system 277 278 # create resource-cache and double-check the perms 279 mkdir /data/resource-cache 0771 system system 280 chown system system /data/resource-cache 281 chmod 0771 /data/resource-cache 282 283 # create the lost+found directories, so as to enforce our permissions 284 mkdir /data/lost+found 0770 root root 285 286 # create directory for DRM plug-ins - give drm the read/write access to 287 # the following directory. 288 mkdir /data/drm 0770 drm drm 289 290 # create directory for MediaDrm plug-ins - give drm the read/write access to 291 # the following directory. 292 mkdir /data/mediadrm 0770 mediadrm mediadrm 293 294 mkdir /data/anr 0775 system system 295 296 # symlink to bugreport storage location 297 symlink /data/data/com.android.shell/files/bugreports /data/bugreports 298 299 # Separate location for storing security policy files on data 300 mkdir /data/security 0711 system system 301 302 # Create all remaining /data root dirs so that they are made through init 303 # and get proper encryption policy installed 304 mkdir /data/backup 0700 system system 305 mkdir /data/media 0770 media_rw media_rw 306 mkdir /data/ss 0700 system system 307 mkdir /data/system 0775 system system 308 mkdir /data/system/heapdump 0700 system system 309 mkdir /data/user 0711 system system 310 311 # Reload policy from /data/security if present. 312 setprop selinux.reload_policy 1 313 314 # Set SELinux security contexts on upgrade or policy update. 315 restorecon_recursive /data 316 317 # Check any timezone data in /data is newer than the copy in /system, delete if not. 318 exec - system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo 319 320 # If there is no fs-post-data action in the init.<device>.rc file, you 321 # must uncomment this line, otherwise encrypted filesystems 322 # won't work. 323 # Set indication (checked by vold) that we have finished this action 324 #setprop vold.post_fs_data_done 1 325 326on boot 327 # basic network init 328 ifup lo 329 hostname localhost 330 domainname localdomain 331 332 # set RLIMIT_NICE to allow priorities from 19 to -20 333 setrlimit 13 40 40 334 335 # Memory management. Basic kernel parameters, and allow the high 336 # level system server to be able to adjust the kernel OOM driver 337 # parameters to match how it is managing things. 338 write /proc/sys/vm/overcommit_memory 1 339 write /proc/sys/vm/min_free_order_shift 4 340 chown root system /sys/module/lowmemorykiller/parameters/adj 341 chmod 0220 /sys/module/lowmemorykiller/parameters/adj 342 chown root system /sys/module/lowmemorykiller/parameters/minfree 343 chmod 0220 /sys/module/lowmemorykiller/parameters/minfree 344 345 # Tweak background writeout 346 write /proc/sys/vm/dirty_expire_centisecs 200 347 write /proc/sys/vm/dirty_background_ratio 5 348 349 # Permissions for System Server and daemons. 350 chown radio system /sys/android_power/state 351 chown radio system /sys/android_power/request_state 352 chown radio system /sys/android_power/acquire_full_wake_lock 353 chown radio system /sys/android_power/acquire_partial_wake_lock 354 chown radio system /sys/android_power/release_wake_lock 355 chown system system /sys/power/autosleep 356 chown system system /sys/power/state 357 chown system system /sys/power/wakeup_count 358 chown radio system /sys/power/wake_lock 359 chown radio system /sys/power/wake_unlock 360 chmod 0660 /sys/power/state 361 chmod 0660 /sys/power/wake_lock 362 chmod 0660 /sys/power/wake_unlock 363 364 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 365 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 366 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 367 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 368 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 369 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 370 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 371 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 372 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 373 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 374 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 375 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 376 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 377 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 378 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 379 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 380 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 381 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 382 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 383 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 384 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 385 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 386 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 387 388 # Assume SMP uses shared cpufreq policy for all CPUs 389 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 390 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 391 392 chown system system /sys/class/timed_output/vibrator/enable 393 chown system system /sys/class/leds/keyboard-backlight/brightness 394 chown system system /sys/class/leds/lcd-backlight/brightness 395 chown system system /sys/class/leds/button-backlight/brightness 396 chown system system /sys/class/leds/jogball-backlight/brightness 397 chown system system /sys/class/leds/red/brightness 398 chown system system /sys/class/leds/green/brightness 399 chown system system /sys/class/leds/blue/brightness 400 chown system system /sys/class/leds/red/device/grpfreq 401 chown system system /sys/class/leds/red/device/grppwm 402 chown system system /sys/class/leds/red/device/blink 403 chown system system /sys/class/timed_output/vibrator/enable 404 chown system system /sys/module/sco/parameters/disable_esco 405 chown system system /sys/kernel/ipv4/tcp_wmem_min 406 chown system system /sys/kernel/ipv4/tcp_wmem_def 407 chown system system /sys/kernel/ipv4/tcp_wmem_max 408 chown system system /sys/kernel/ipv4/tcp_rmem_min 409 chown system system /sys/kernel/ipv4/tcp_rmem_def 410 chown system system /sys/kernel/ipv4/tcp_rmem_max 411 chown root radio /proc/cmdline 412 413 # Define default initial receive window size in segments. 414 setprop net.tcp.default_init_rwnd 60 415 416 class_start core 417 418on nonencrypted 419 class_start main 420 class_start late_start 421 422on property:vold.decrypt=trigger_default_encryption 423 start defaultcrypto 424 425on property:vold.decrypt=trigger_encryption 426 start surfaceflinger 427 start encrypt 428 429on property:sys.init_log_level=* 430 loglevel ${sys.init_log_level} 431 432on charger 433 class_start charger 434 435on property:vold.decrypt=trigger_reset_main 436 class_reset main 437 438on property:vold.decrypt=trigger_load_persist_props 439 load_persist_props 440 start logd 441 start logd-reinit 442 443on property:vold.decrypt=trigger_post_fs_data 444 trigger post-fs-data 445 446on property:vold.decrypt=trigger_restart_min_framework 447 class_start main 448 449on property:vold.decrypt=trigger_restart_framework 450 class_start main 451 class_start late_start 452 453on property:vold.decrypt=trigger_shutdown_framework 454 class_reset late_start 455 class_reset main 456 457on property:sys.powerctl=* 458 powerctl ${sys.powerctl} 459 460# system server cannot write to /proc/sys files, 461# and chown/chmod does not work for /proc/sys/ entries. 462# So proxy writes through init. 463on property:sys.sysctl.extra_free_kbytes=* 464 write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} 465 466# "tcp_default_init_rwnd" Is too long! 467on property:sys.sysctl.tcp_def_init_rwnd=* 468 write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd} 469 470 471## Daemon processes to be run by init. 472## 473service ueventd /sbin/ueventd 474 class core 475 critical 476 seclabel u:r:ueventd:s0 477 478service healthd /sbin/healthd 479 class core 480 critical 481 seclabel u:r:healthd:s0 482 483service console /system/bin/sh 484 class core 485 console 486 disabled 487 user shell 488 group shell log 489 seclabel u:r:shell:s0 490 491on property:ro.debuggable=1 492 start console 493 494service flash_recovery /system/bin/install-recovery.sh 495 class main 496 oneshot 497 498service uncrypt /system/bin/uncrypt 499 class main 500 disabled 501 oneshot 502 503service pre-recovery /system/bin/uncrypt --reboot 504 class main 505 disabled 506 oneshot 507