init.rc revision 837135a64fff9f9d5ae630642cfba41cc95d07f8 
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /init.usb.rc
9import /init.${ro.hardware}.rc
10import /init.${ro.zygote}.rc
11import /init.trace.rc
12
13on early-init
14    # Set init and its forked children's oom_adj.
15    write /proc/1/oom_score_adj -1000
16
17    # Set the security context of /adb_keys if present.
18    restorecon /adb_keys
19
20    # Shouldn't be necessary, but sdcard won't start without it. http://b/22568628.
21    mkdir /mnt 0775 root system
22
23    start ueventd
24
25on init
26    sysclktz 0
27
28    # Backward compatibility.
29    symlink /system/etc /etc
30    symlink /sys/kernel/debug /d
31
32    # Link /vendor to /system/vendor for devices without a vendor partition.
33    symlink /system/vendor /vendor
34
35    # Mount cgroup mount point for cpu accounting
36    mount cgroup none /acct cpuacct
37    mkdir /acct/uid
38
39    # Create cgroup mount point for memory
40    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
41    mkdir /sys/fs/cgroup/memory 0750 root system
42    mount cgroup none /sys/fs/cgroup/memory memory
43    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
44    chown root system /sys/fs/cgroup/memory/tasks
45    chmod 0660 /sys/fs/cgroup/memory/tasks
46    mkdir /sys/fs/cgroup/memory/sw 0750 root system
47    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
48    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
49    chown root system /sys/fs/cgroup/memory/sw/tasks
50    chmod 0660 /sys/fs/cgroup/memory/sw/tasks
51
52    # See storage config details at http://source.android.com/tech/storage/
53    mkdir /mnt/shell 0700 shell shell
54    mkdir /mnt/media_rw 0700 media_rw media_rw
55    mkdir /storage 0751 root sdcard_r
56
57    # Directory for putting things only root should see.
58    mkdir /mnt/secure 0700 root root
59
60    # Directory for staging bindmounts
61    mkdir /mnt/secure/staging 0700 root root
62
63    # Directory-target for where the secure container
64    # imagefile directory will be bind-mounted
65    mkdir /mnt/secure/asec  0700 root root
66
67    # Secure container public mount points.
68    mkdir /mnt/asec  0700 root system
69    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
70
71    # Filesystem image public mount points.
72    mkdir /mnt/obb 0700 root system
73    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
74
75    # memory control cgroup
76    mkdir /dev/memcg 0700 root system
77    mount cgroup none /dev/memcg memory
78
79    write /proc/sys/kernel/panic_on_oops 1
80    write /proc/sys/kernel/hung_task_timeout_secs 0
81    write /proc/cpu/alignment 4
82    write /proc/sys/kernel/sched_latency_ns 10000000
83    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
84    write /proc/sys/kernel/sched_compat_yield 1
85    write /proc/sys/kernel/sched_child_runs_first 0
86    write /proc/sys/kernel/randomize_va_space 2
87    write /proc/sys/kernel/kptr_restrict 2
88    write /proc/sys/vm/mmap_min_addr 32768
89    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
90    write /proc/sys/net/unix/max_dgram_qlen 300
91    write /proc/sys/kernel/sched_rt_runtime_us 950000
92    write /proc/sys/kernel/sched_rt_period_us 1000000
93
94    # reflect fwmark from incoming packets onto generated replies
95    write /proc/sys/net/ipv4/fwmark_reflect 1
96    write /proc/sys/net/ipv6/fwmark_reflect 1
97
98    # set fwmark on accepted sockets
99    write /proc/sys/net/ipv4/tcp_fwmark_accept 1
100
101    # Create cgroup mount points for process groups
102    mkdir /dev/cpuctl
103    mount cgroup none /dev/cpuctl cpu
104    chown system system /dev/cpuctl
105    chown system system /dev/cpuctl/tasks
106    chmod 0666 /dev/cpuctl/tasks
107    write /dev/cpuctl/cpu.shares 1024
108    write /dev/cpuctl/cpu.rt_runtime_us 800000
109    write /dev/cpuctl/cpu.rt_period_us 1000000
110
111    mkdir /dev/cpuctl/bg_non_interactive
112    chown system system /dev/cpuctl/bg_non_interactive/tasks
113    chmod 0666 /dev/cpuctl/bg_non_interactive/tasks
114    # 5.0 %
115    write /dev/cpuctl/bg_non_interactive/cpu.shares 52
116    write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 700000
117    write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000
118
119    # qtaguid will limit access to specific data based on group memberships.
120    #   net_bw_acct grants impersonation of socket owners.
121    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
122    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
123    chown root net_bw_stats /proc/net/xt_qtaguid/stats
124
125    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
126    # This is needed by any process that uses socket tagging.
127    chmod 0644 /dev/xt_qtaguid
128
129    # Create location for fs_mgr to store abbreviated output from filesystem
130    # checker programs.
131    mkdir /dev/fscklogs 0770 root system
132
133    # pstore/ramoops previous console log
134    mount pstore pstore /sys/fs/pstore
135    chown system log /sys/fs/pstore/console-ramoops
136    chmod 0440 /sys/fs/pstore/console-ramoops
137    chown system log /sys/fs/pstore/pmsg-ramoops-0
138    chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
139
140    # enable armv8_deprecated instruction hooks
141    write /proc/sys/abi/swp 1
142
143# Healthd can trigger a full boot from charger mode by signaling this
144# property when the power button is held.
145on property:sys.boot_from_charger_mode=1
146    class_stop charger
147    trigger late-init
148
149# Load properties from /system/ + /factory after fs mount.
150on load_all_props_action
151    load_all_props
152    start logd
153    start logd-reinit
154
155# Indicate to fw loaders that the relevant mounts are up.
156on firmware_mounts_complete
157    rm /dev/.booting
158
159# Mount filesystems and start core system services.
160on late-init
161    trigger early-fs
162    trigger fs
163    trigger post-fs
164    trigger post-fs-data
165
166    # Load properties from /system/ + /factory after fs mount. Place
167    # this in another action so that the load will be scheduled after the prior
168    # issued fs triggers have completed.
169    trigger load_all_props_action
170
171    # Remove a file to wake up anything waiting for firmware.
172    trigger firmware_mounts_complete
173
174    trigger early-boot
175    trigger boot
176
177
178on post-fs
179    start logd
180    # once everything is setup, no need to modify /
181    mount rootfs rootfs / ro remount
182    # mount shared so changes propagate into child namespaces
183    mount rootfs rootfs / shared rec
184
185    # We chown/chmod /cache again so because mount is run as root + defaults
186    chown system cache /cache
187    chmod 0770 /cache
188    # We restorecon /cache in case the cache partition has been reset.
189    restorecon_recursive /cache
190
191    # Create /cache/recovery in case it's not there. It'll also fix the odd
192    # permissions if created by the recovery system.
193    mkdir /cache/recovery 0770 system cache
194
195    #change permissions on vmallocinfo so we can grab it from bugreports
196    chown root log /proc/vmallocinfo
197    chmod 0440 /proc/vmallocinfo
198
199    chown root log /proc/slabinfo
200    chmod 0440 /proc/slabinfo
201
202    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
203    chown root system /proc/kmsg
204    chmod 0440 /proc/kmsg
205    chown root system /proc/sysrq-trigger
206    chmod 0220 /proc/sysrq-trigger
207    chown system log /proc/last_kmsg
208    chmod 0440 /proc/last_kmsg
209
210    # make the selinux kernel policy world-readable
211    chmod 0444 /sys/fs/selinux/policy
212
213    # create the lost+found directories, so as to enforce our permissions
214    mkdir /cache/lost+found 0770 root root
215
216on post-fs-data
217    # We chown/chmod /data again so because mount is run as root + defaults
218    chown system system /data
219    chmod 0771 /data
220    # We restorecon /data in case the userdata partition has been reset.
221    restorecon /data
222
223    # Make sure we have the device encryption key
224    start logd
225    start vold
226    installkey /data
227
228    # Start bootcharting as soon as possible after the data partition is
229    # mounted to collect more data.
230    mkdir /data/bootchart 0755 shell shell
231    bootchart_init
232
233    # Avoid predictable entropy pool. Carry over entropy from previous boot.
234    copy /data/system/entropy.dat /dev/urandom
235
236    # create basic filesystem structure
237    mkdir /data/misc 01771 system misc
238    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
239    mkdir /data/misc/bluetooth 0770 system system
240    mkdir /data/misc/keystore 0700 keystore keystore
241    mkdir /data/misc/gatekeeper 0700 system system
242    mkdir /data/misc/keychain 0771 system system
243    mkdir /data/misc/net 0750 root shell
244    mkdir /data/misc/radio 0770 system radio
245    mkdir /data/misc/sms 0770 system radio
246    mkdir /data/misc/zoneinfo 0775 system system
247    mkdir /data/misc/vpn 0770 system vpn
248    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
249    mkdir /data/misc/systemkeys 0700 system system
250    mkdir /data/misc/wifi 0770 wifi wifi
251    mkdir /data/misc/wifi/sockets 0770 wifi wifi
252    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
253    mkdir /data/misc/ethernet 0770 system system
254    mkdir /data/misc/dhcp 0770 dhcp dhcp
255    mkdir /data/misc/user 0771 root root
256    mkdir /data/misc/perfprofd 0775 root root
257    # give system access to wpa_supplicant.conf for backup and restore
258    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
259    mkdir /data/local 0751 root root
260    mkdir /data/misc/media 0700 media media
261    mkdir /data/misc/boottrace 0771 system shell
262
263    # For security reasons, /data/local/tmp should always be empty.
264    # Do not place files or directories in /data/local/tmp
265    mkdir /data/local/tmp 0771 shell shell
266    mkdir /data/data 0771 system system
267    mkdir /data/app-private 0771 system system
268    mkdir /data/app-asec 0700 root root
269    mkdir /data/app-lib 0771 system system
270    mkdir /data/app 0771 system system
271    mkdir /data/property 0700 root root
272    mkdir /data/tombstones 0771 system system
273
274    # create dalvik-cache, so as to enforce our permissions
275    mkdir /data/dalvik-cache 0771 root root
276    mkdir /data/dalvik-cache/profiles 0711 system system
277
278    # create resource-cache and double-check the perms
279    mkdir /data/resource-cache 0771 system system
280    chown system system /data/resource-cache
281    chmod 0771 /data/resource-cache
282
283    # create the lost+found directories, so as to enforce our permissions
284    mkdir /data/lost+found 0770 root root
285
286    # create directory for DRM plug-ins - give drm the read/write access to
287    # the following directory.
288    mkdir /data/drm 0770 drm drm
289
290    # create directory for MediaDrm plug-ins - give drm the read/write access to
291    # the following directory.
292    mkdir /data/mediadrm 0770 mediadrm mediadrm
293
294    mkdir /data/anr 0775 system system
295
296    # symlink to bugreport storage location
297    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
298
299    # Separate location for storing security policy files on data
300    mkdir /data/security 0711 system system
301
302    # Create all remaining /data root dirs so that they are made through init
303    # and get proper encryption policy installed
304    mkdir /data/backup 0700 system system
305    mkdir /data/media 0770 media_rw media_rw
306    mkdir /data/ss 0700 system system
307    mkdir /data/system 0775 system system
308    mkdir /data/system/heapdump 0700 system system
309    mkdir /data/user 0711 system system
310
311    # Reload policy from /data/security if present.
312    setprop selinux.reload_policy 1
313
314    # Set SELinux security contexts on upgrade or policy update.
315    restorecon_recursive /data
316
317    # Check any timezone data in /data is newer than the copy in /system, delete if not.
318    exec - system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo
319
320    # If there is no fs-post-data action in the init.<device>.rc file, you
321    # must uncomment this line, otherwise encrypted filesystems
322    # won't work.
323    # Set indication (checked by vold) that we have finished this action
324    #setprop vold.post_fs_data_done 1
325
326on boot
327    # basic network init
328    ifup lo
329    hostname localhost
330    domainname localdomain
331
332    # set RLIMIT_NICE to allow priorities from 19 to -20
333    setrlimit 13 40 40
334
335    # Memory management.  Basic kernel parameters, and allow the high
336    # level system server to be able to adjust the kernel OOM driver
337    # parameters to match how it is managing things.
338    write /proc/sys/vm/overcommit_memory 1
339    write /proc/sys/vm/min_free_order_shift 4
340    chown root system /sys/module/lowmemorykiller/parameters/adj
341    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
342    chown root system /sys/module/lowmemorykiller/parameters/minfree
343    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree
344
345    # Tweak background writeout
346    write /proc/sys/vm/dirty_expire_centisecs 200
347    write /proc/sys/vm/dirty_background_ratio  5
348
349    # Permissions for System Server and daemons.
350    chown radio system /sys/android_power/state
351    chown radio system /sys/android_power/request_state
352    chown radio system /sys/android_power/acquire_full_wake_lock
353    chown radio system /sys/android_power/acquire_partial_wake_lock
354    chown radio system /sys/android_power/release_wake_lock
355    chown system system /sys/power/autosleep
356    chown system system /sys/power/state
357    chown system system /sys/power/wakeup_count
358    chown radio system /sys/power/wake_lock
359    chown radio system /sys/power/wake_unlock
360    chmod 0660 /sys/power/state
361    chmod 0660 /sys/power/wake_lock
362    chmod 0660 /sys/power/wake_unlock
363
364    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
365    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
366    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
367    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
368    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
369    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
370    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
371    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
372    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
373    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
374    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
375    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
376    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
377    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
378    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
379    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
380    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
381    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
382    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
383    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
384    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
385    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
386    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
387
388    # Assume SMP uses shared cpufreq policy for all CPUs
389    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
390    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
391
392    chown system system /sys/class/timed_output/vibrator/enable
393    chown system system /sys/class/leds/keyboard-backlight/brightness
394    chown system system /sys/class/leds/lcd-backlight/brightness
395    chown system system /sys/class/leds/button-backlight/brightness
396    chown system system /sys/class/leds/jogball-backlight/brightness
397    chown system system /sys/class/leds/red/brightness
398    chown system system /sys/class/leds/green/brightness
399    chown system system /sys/class/leds/blue/brightness
400    chown system system /sys/class/leds/red/device/grpfreq
401    chown system system /sys/class/leds/red/device/grppwm
402    chown system system /sys/class/leds/red/device/blink
403    chown system system /sys/class/timed_output/vibrator/enable
404    chown system system /sys/module/sco/parameters/disable_esco
405    chown system system /sys/kernel/ipv4/tcp_wmem_min
406    chown system system /sys/kernel/ipv4/tcp_wmem_def
407    chown system system /sys/kernel/ipv4/tcp_wmem_max
408    chown system system /sys/kernel/ipv4/tcp_rmem_min
409    chown system system /sys/kernel/ipv4/tcp_rmem_def
410    chown system system /sys/kernel/ipv4/tcp_rmem_max
411    chown root radio /proc/cmdline
412
413    # Define default initial receive window size in segments.
414    setprop net.tcp.default_init_rwnd 60
415
416    class_start core
417
418on nonencrypted
419    class_start main
420    class_start late_start
421
422on property:vold.decrypt=trigger_default_encryption
423    start defaultcrypto
424
425on property:vold.decrypt=trigger_encryption
426    start surfaceflinger
427    start encrypt
428
429on property:sys.init_log_level=*
430    loglevel ${sys.init_log_level}
431
432on charger
433    class_start charger
434
435on property:vold.decrypt=trigger_reset_main
436    class_reset main
437
438on property:vold.decrypt=trigger_load_persist_props
439    load_persist_props
440    start logd
441    start logd-reinit
442
443on property:vold.decrypt=trigger_post_fs_data
444    trigger post-fs-data
445
446on property:vold.decrypt=trigger_restart_min_framework
447    class_start main
448
449on property:vold.decrypt=trigger_restart_framework
450    class_start main
451    class_start late_start
452
453on property:vold.decrypt=trigger_shutdown_framework
454    class_reset late_start
455    class_reset main
456
457on property:sys.powerctl=*
458    powerctl ${sys.powerctl}
459
460# system server cannot write to /proc/sys files,
461# and chown/chmod does not work for /proc/sys/ entries.
462# So proxy writes through init.
463on property:sys.sysctl.extra_free_kbytes=*
464    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
465
466# "tcp_default_init_rwnd" Is too long!
467on property:sys.sysctl.tcp_def_init_rwnd=*
468    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
469
470
471## Daemon processes to be run by init.
472##
473service ueventd /sbin/ueventd
474    class core
475    critical
476    seclabel u:r:ueventd:s0
477
478service healthd /sbin/healthd
479    class core
480    critical
481    seclabel u:r:healthd:s0
482
483service console /system/bin/sh
484    class core
485    console
486    disabled
487    user shell
488    group shell log
489    seclabel u:r:shell:s0
490
491on property:ro.debuggable=1
492    start console
493
494service flash_recovery /system/bin/install-recovery.sh
495    class main
496    oneshot
497
498service uncrypt /system/bin/uncrypt
499    class main
500    disabled
501    oneshot
502
503service pre-recovery /system/bin/uncrypt --reboot
504    class main
505    disabled
506    oneshot
507