init.rc revision 885342a0f2c834a6b680284047c47c9d04b32565
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Reviewer overview: this is the top-level Android init script. It defines
# boot-stage actions (early-init, init, fs, post-fs, post-fs-data, boot),
# property-triggered actions, and the daemons init launches. The commands in
# the actions set file ownership/modes, mount options and kernel sysctls, so
# the order and exact modes below are security-relevant.

import /init.${ro.hardware}.rc
import /init.usb.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_adj -16

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    start ueventd

# create mountpoints
    mkdir /mnt 0775 root system

on init

sysclktz 0

loglevel 3

# setup the global environment
    # Lookup order matters: entries earlier in PATH / LD_LIBRARY_PATH shadow
    # later ones, so /sbin and /vendor take precedence over /system here.
    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
    export LD_LIBRARY_PATH /vendor/lib:/system/lib
    export ANDROID_BOOTLOGO 1
    export ANDROID_ROOT /system
    export ANDROID_ASSETS /system/app
    export ANDROID_DATA /data
    export ASEC_MOUNTPOINT /mnt/asec
    export LOOP_MOUNTPOINT /mnt/obb
    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar

# Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The tmpfs mounted on top carries its own mode (0755) and gid 1000, so the
    # 0700 given to mkdir only describes the underlying mount-point directory.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    write /proc/sys/kernel/panic_on_oops 1
    # 0 disables the kernel's hung-task detector.
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # Kernel hardening knobs:
    #   randomize_va_space 2 - full ASLR, including heap (brk) randomization
    #   kptr_restrict 2      - kernel pointers printed with %pK are hidden from all users
    #   dmesg_restrict 1     - reading the kernel log via dmesg requires CAP_SYSLOG
    #   mmap_min_addr 32768  - user space may not map the lowest 32 KiB, which limits
    #                          the impact of kernel NULL-pointer dereferences
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this cgroup tasks file world-writable, an
    # exception to the rule in this file's header. Any process can write a
    # task id here; the kernel's cgroup attach permission check is then the
    # only control. Confirm the exception is intended.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same consideration as apps/tasks.
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

on fs
# mount mtd partitions
    # Mount /system rw first to give the filesystem a chance to save a checkpoint
    mount yaffs2 mtd@system /system
    # /system ends up read-only; the writable partitions below are mounted
    # nosuid,nodev so setuid binaries and device nodes placed there are inert.
    mount yaffs2 mtd@system /system ro remount
    mount yaffs2 mtd@userdata /data nosuid nodev
    mount yaffs2 mtd@cache /cache nosuid nodev

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    #change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # /proc/kmsg becomes readable by group system. /proc/sysrq-trigger is
    # write-only (0220) for root and group system; writes to it trigger kernel
    # SysRq actions, so membership of group system carries that ability.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    # The copied panic logs are kept root:log 0640, i.e. not world-readable.
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Mode notes: 01771 sets the sticky bit on /data/misc; 02750 sets the
    # setgid bit on /data/misc/adb. Key material directories (keystore,
    # systemkeys) are 0700 and owned by a single uid.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth bluetooth
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): only the mode is set on the file below; its owner and group
    # are whatever the creator left. Confirm `system` really gets the access
    # the comment above intends, and that nothing broader does.
    mkdir /data/misc/wifi 0770 wifi wifi
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    # (It is owned by and writable for the shell user/group; others get
    # search permission only.)
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # If there is no fs-post-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

# Memory management.  Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    # The sysfs nodes below are handed to specific uids/gids (radio, system)
    # rather than opened up to everyone; where a chmod is given it is 0660.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): boostpulse gets a chown but, unlike its siblings, no chmod;
    # its mode stays at the driver's default. Confirm that is intended.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    # The next seven chown lines repeat entries already applied above.
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680

# Set this property so surfaceflinger is not started by system_init
    setprop system_init.startsurfaceflinger 0

    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

# The vold.decrypt property triggers below stop and restart service classes
# around the encrypted-storage unlock flow driven by vold.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

## Daemon processes to be run by init.
##
# Reviewer notes for the service definitions that follow:
#  - A service with no `user` option is started as root (init's default).
#    In this file that applies to ueventd, adbd, vold, netd, debuggerd,
#    zygote, installd, flash_recovery, racoon, dumpstate and sshd.
#  - `socket NAME TYPE PERM [USER [GROUP]]` creates /dev/socket/NAME; PERM and
#    the owner/group are the only access control init itself applies to it.
#  - `disabled` services do not start with their class; something must start
#    them explicitly (see the property triggers).
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

on property:selinux.reload_policy=1
    restart ueventd
    restart installd

# Interactive shell on the console device. It runs as the unprivileged shell
# user and is only started when ro.debuggable=1 (trigger below).
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# NOTE(review): no `user` option, so init launches adbd as root; any privilege
# drop has to happen inside adbd itself - confirm for the build in question.
service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main

# Runs as root (explicitly) with a wide supplementary group list.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio sdcard_r sdcard_rw log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics
    onrestart restart zygote

# The zygote socket is restricted to root and group system (660).
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc sdcard_r

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# installd's socket is 600 system:system, so only uid system can connect.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs a shell script from /system as root once per boot; its integrity
# depends on /system staying read-only (see the `on fs` remount).
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

# NOTE(review): the keystore socket is mode 666 with no owner/group given, so
# any local process can connect to it. Access control therefore rests entirely
# on the daemon identifying and authorizing the caller itself - confirm it
# does so before relying on this configuration.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc
    socket keystore stream 666

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot
