init.rc revision 92781808bab8f045752aa1824a57956ddd52fcbd
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.usb.rc 8import /init.${ro.hardware}.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ANDROID_STORAGE /storage 38 export ASEC_MOUNTPOINT /mnt/asec 39 export LOOP_MOUNTPOINT /mnt/obb 40 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 41 42# Backward compatibility 43 symlink /system/etc /etc 44 symlink /sys/kernel/debug /d 45 46# Right now vendor lives on the same filesystem as system, 47# but someday that may change. 48 symlink /system/vendor /vendor 49 50# Create cgroup mount point for cpu accounting 51 mkdir /acct 52 mount cgroup none /acct cpuacct 53 mkdir /acct/uid 54 55 mkdir /system 56 mkdir /data 0771 system system 57 mkdir /cache 0770 system cache 58 mkdir /config 0500 root root 59 60 # See storage config details at http://source.android.com/tech/storage/ 61 mkdir /mnt/shell 0700 shell shell 62 mkdir /storage 0050 root sdcard_r 63 64 # Directory for putting things only root should see. 65 mkdir /mnt/secure 0700 root root 66 # Create private mountpoint so we can MS_MOVE from staging 67 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 68 69 # Directory for staging bindmounts 70 mkdir /mnt/secure/staging 0700 root root 71 72 # Directory-target for where the secure container 73 # imagefile directory will be bind-mounted 74 mkdir /mnt/secure/asec 0700 root root 75 76 # Secure container public mount points. 77 mkdir /mnt/asec 0700 root system 78 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 79 80 # Filesystem image public mount points. 81 mkdir /mnt/obb 0700 root system 82 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 83 84 write /proc/sys/kernel/panic_on_oops 1 85 write /proc/sys/kernel/hung_task_timeout_secs 0 86 write /proc/cpu/alignment 4 87 write /proc/sys/kernel/sched_latency_ns 10000000 88 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 89 write /proc/sys/kernel/sched_compat_yield 1 90 write /proc/sys/kernel/sched_child_runs_first 0 91 write /proc/sys/kernel/randomize_va_space 2 92 write /proc/sys/kernel/kptr_restrict 2 93 write /proc/sys/kernel/dmesg_restrict 1 94 write /proc/sys/vm/mmap_min_addr 32768 95 write /proc/sys/kernel/sched_rt_runtime_us 950000 96 write /proc/sys/kernel/sched_rt_period_us 1000000 97 98# Create cgroup mount points for process groups 99 mkdir /dev/cpuctl 100 mount cgroup none /dev/cpuctl cpu 101 chown system system /dev/cpuctl 102 chown system system /dev/cpuctl/tasks 103 chmod 0660 /dev/cpuctl/tasks 104 write /dev/cpuctl/cpu.shares 1024 105 write /dev/cpuctl/cpu.rt_runtime_us 950000 106 write /dev/cpuctl/cpu.rt_period_us 1000000 107 108 mkdir /dev/cpuctl/apps 109 chown system system /dev/cpuctl/apps/tasks 110 chmod 0666 /dev/cpuctl/apps/tasks 111 write /dev/cpuctl/apps/cpu.shares 1024 112 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 113 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 114 115 mkdir /dev/cpuctl/apps/bg_non_interactive 116 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 117 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 118 # 5.0 % 119 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 120 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 121 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 122 123# Allow everybody to read the xt_qtaguid resource tracking misc dev. 124# This is needed by any process that uses socket tagging. 125 chmod 0644 /dev/xt_qtaguid 126 127on fs 128# mount mtd partitions 129 # Mount /system rw first to give the filesystem a chance to save a checkpoint 130 mount yaffs2 mtd@system /system 131 mount yaffs2 mtd@system /system ro remount 132 mount yaffs2 mtd@userdata /data nosuid nodev 133 mount yaffs2 mtd@cache /cache nosuid nodev 134 135on post-fs 136 # once everything is setup, no need to modify / 137 mount rootfs rootfs / ro remount 138 # mount shared so changes propagate into child namespaces 139 mount rootfs rootfs / shared rec 140 mount tmpfs tmpfs /mnt/secure private rec 141 142 # We chown/chmod /cache again so because mount is run as root + defaults 143 chown system cache /cache 144 chmod 0770 /cache 145 # We restorecon /cache in case the cache partition has been reset. 146 restorecon /cache 147 148 # This may have been created by the recovery system with odd permissions 149 chown system cache /cache/recovery 150 chmod 0770 /cache/recovery 151 # This may have been created by the recovery system with the wrong context. 152 restorecon /cache/recovery 153 154 #change permissions on vmallocinfo so we can grab it from bugreports 155 chown root log /proc/vmallocinfo 156 chmod 0440 /proc/vmallocinfo 157 158 chown root log /proc/slabinfo 159 chmod 0440 /proc/slabinfo 160 161 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 162 chown root system /proc/kmsg 163 chmod 0440 /proc/kmsg 164 chown root system /proc/sysrq-trigger 165 chmod 0220 /proc/sysrq-trigger 166 chown system log /proc/last_kmsg 167 chmod 0440 /proc/last_kmsg 168 169 # create the lost+found directories, so as to enforce our permissions 170 mkdir /cache/lost+found 0770 root root 171 172on post-fs-data 173 # We chown/chmod /data again so because mount is run as root + defaults 174 chown system system /data 175 chmod 0771 /data 176 # We restorecon /data in case the userdata partition has been reset. 177 restorecon /data 178 179 # Create dump dir and collect dumps. 180 # Do this before we mount cache so eventually we can use cache for 181 # storing dumps on platforms which do not have a dedicated dump partition. 182 mkdir /data/dontpanic 0750 root log 183 184 # Collect apanic data, free resources and re-arm trigger 185 copy /proc/apanic_console /data/dontpanic/apanic_console 186 chown root log /data/dontpanic/apanic_console 187 chmod 0640 /data/dontpanic/apanic_console 188 189 copy /proc/apanic_threads /data/dontpanic/apanic_threads 190 chown root log /data/dontpanic/apanic_threads 191 chmod 0640 /data/dontpanic/apanic_threads 192 193 write /proc/apanic_console 1 194 195 # create basic filesystem structure 196 mkdir /data/misc 01771 system misc 197 mkdir /data/misc/adb 02750 system shell 198 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 199 mkdir /data/misc/bluetooth 0770 system system 200 mkdir /data/misc/keystore 0700 keystore keystore 201 mkdir /data/misc/keychain 0771 system system 202 mkdir /data/misc/sms 0770 system radio 203 mkdir /data/misc/zoneinfo 0775 system system 204 mkdir /data/misc/vpn 0770 system vpn 205 mkdir /data/misc/systemkeys 0700 system system 206 # give system access to wpa_supplicant.conf for backup and restore 207 mkdir /data/misc/wifi 0770 wifi wifi 208 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 209 mkdir /data/local 0751 root root 210 211 # For security reasons, /data/local/tmp should always be empty. 212 # Do not place files or directories in /data/local/tmp 213 mkdir /data/local/tmp 0771 shell shell 214 mkdir /data/data 0771 system system 215 mkdir /data/app-private 0771 system system 216 mkdir /data/app-asec 0700 root root 217 mkdir /data/app-lib 0771 system system 218 mkdir /data/app 0771 system system 219 mkdir /data/property 0700 root root 220 mkdir /data/ssh 0750 root shell 221 mkdir /data/ssh/empty 0700 root root 222 223 # create dalvik-cache, so as to enforce our permissions 224 mkdir /data/dalvik-cache 0771 system system 225 226 # create resource-cache and double-check the perms 227 mkdir /data/resource-cache 0771 system system 228 chown system system /data/resource-cache 229 chmod 0771 /data/resource-cache 230 231 # create the lost+found directories, so as to enforce our permissions 232 mkdir /data/lost+found 0770 root root 233 234 # create directory for DRM plug-ins - give drm the read/write access to 235 # the following directory. 236 mkdir /data/drm 0770 drm drm 237 238 # If there is no fs-post-data action in the init.<device>.rc file, you 239 # must uncomment this line, otherwise encrypted filesystems 240 # won't work. 241 # Set indication (checked by vold) that we have finished this action 242 #setprop vold.post_fs_data_done 1 243 244on boot 245# basic network init 246 ifup lo 247 hostname localhost 248 domainname localdomain 249 250# set RLIMIT_NICE to allow priorities from 19 to -20 251 setrlimit 13 40 40 252 253# Memory management. Basic kernel parameters, and allow the high 254# level system server to be able to adjust the kernel OOM driver 255# parameters to match how it is managing things. 256 write /proc/sys/vm/overcommit_memory 1 257 write /proc/sys/vm/min_free_order_shift 4 258 chown root system /sys/module/lowmemorykiller/parameters/adj 259 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 260 chown root system /sys/module/lowmemorykiller/parameters/minfree 261 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 262 263 # Tweak background writeout 264 write /proc/sys/vm/dirty_expire_centisecs 200 265 write /proc/sys/vm/dirty_background_ratio 5 266 267 # Permissions for System Server and daemons. 268 chown radio system /sys/android_power/state 269 chown radio system /sys/android_power/request_state 270 chown radio system /sys/android_power/acquire_full_wake_lock 271 chown radio system /sys/android_power/acquire_partial_wake_lock 272 chown radio system /sys/android_power/release_wake_lock 273 chown system system /sys/power/autosleep 274 chown system system /sys/power/state 275 chown system system /sys/power/wakeup_count 276 chown radio system /sys/power/wake_lock 277 chown radio system /sys/power/wake_unlock 278 chmod 0660 /sys/power/state 279 chmod 0660 /sys/power/wake_lock 280 chmod 0660 /sys/power/wake_unlock 281 282 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 283 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 284 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 285 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 286 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 287 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 288 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 289 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 290 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 291 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 292 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 293 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 294 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 295 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 296 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 297 298 # Assume SMP uses shared cpufreq policy for all CPUs 299 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 300 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 301 302 chown system system /sys/class/timed_output/vibrator/enable 303 chown system system /sys/class/leds/keyboard-backlight/brightness 304 chown system system /sys/class/leds/lcd-backlight/brightness 305 chown system system /sys/class/leds/button-backlight/brightness 306 chown system system /sys/class/leds/jogball-backlight/brightness 307 chown system system /sys/class/leds/red/brightness 308 chown system system /sys/class/leds/green/brightness 309 chown system system /sys/class/leds/blue/brightness 310 chown system system /sys/class/leds/red/device/grpfreq 311 chown system system /sys/class/leds/red/device/grppwm 312 chown system system /sys/class/leds/red/device/blink 313 chown system system /sys/class/leds/red/brightness 314 chown system system /sys/class/leds/green/brightness 315 chown system system /sys/class/leds/blue/brightness 316 chown system system /sys/class/leds/red/device/grpfreq 317 chown system system /sys/class/leds/red/device/grppwm 318 chown system system /sys/class/leds/red/device/blink 319 chown system system /sys/class/timed_output/vibrator/enable 320 chown system system /sys/module/sco/parameters/disable_esco 321 chown system system /sys/kernel/ipv4/tcp_wmem_min 322 chown system system /sys/kernel/ipv4/tcp_wmem_def 323 chown system system /sys/kernel/ipv4/tcp_wmem_max 324 chown system system /sys/kernel/ipv4/tcp_rmem_min 325 chown system system /sys/kernel/ipv4/tcp_rmem_def 326 chown system system /sys/kernel/ipv4/tcp_rmem_max 327 chown root radio /proc/cmdline 328 329# Define TCP buffer sizes for various networks 330# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 331 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 332 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 333 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 334 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 335 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 336 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 337 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 338 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 339 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 340 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 341 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 342 343# Set this property so surfaceflinger is not started by system_init 344 setprop system_init.startsurfaceflinger 0 345 346 class_start core 347 class_start main 348 349on nonencrypted 350 class_start late_start 351 352on charger 353 class_start charger 354 355on property:vold.decrypt=trigger_reset_main 356 class_reset main 357 358on property:vold.decrypt=trigger_load_persist_props 359 load_persist_props 360 361on property:vold.decrypt=trigger_post_fs_data 362 trigger post-fs-data 363 364on property:vold.decrypt=trigger_restart_min_framework 365 class_start main 366 367on property:vold.decrypt=trigger_restart_framework 368 class_start main 369 class_start late_start 370 371on property:vold.decrypt=trigger_shutdown_framework 372 class_reset late_start 373 class_reset main 374 375## Daemon processes to be run by init. 376## 377service ueventd /sbin/ueventd 378 class core 379 critical 380 seclabel u:r:ueventd:s0 381 382on property:selinux.reload_policy=1 383 restart ueventd 384 restart installd 385 386service console /system/bin/sh 387 class core 388 console 389 disabled 390 user shell 391 group log 392 393on property:ro.debuggable=1 394 start console 395 396# adbd is controlled via property triggers in init.<platform>.usb.rc 397service adbd /sbin/adbd 398 class core 399 socket adbd stream 660 system system 400 disabled 401 seclabel u:r:adbd:s0 402 403# adbd on at boot in emulator 404on property:ro.kernel.qemu=1 405 start adbd 406 407service servicemanager /system/bin/servicemanager 408 class core 409 user system 410 group system 411 critical 412 onrestart restart zygote 413 onrestart restart media 414 onrestart restart surfaceflinger 415 onrestart restart drm 416 417service vold /system/bin/vold 418 class core 419 socket vold stream 0660 root mount 420 ioprio be 2 421 422service netd /system/bin/netd 423 class main 424 socket netd stream 0660 root system 425 socket dnsproxyd stream 0660 root inet 426 socket mdns stream 0660 root system 427 428service debuggerd /system/bin/debuggerd 429 class main 430 431service ril-daemon /system/bin/rild 432 class main 433 socket rild stream 660 root radio 434 socket rild-debug stream 660 radio system 435 user root 436 group radio cache inet misc audio log 437 438service surfaceflinger /system/bin/surfaceflinger 439 class main 440 user system 441 group graphics drmrpc 442 onrestart restart zygote 443 444service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 445 class main 446 socket zygote stream 660 root system 447 onrestart write /sys/android_power/request_state wake 448 onrestart write /sys/power/state on 449 onrestart restart media 450 onrestart restart netd 451 452service drm /system/bin/drmserver 453 class main 454 user drm 455 group drm system inet drmrpc 456 457service media /system/bin/mediaserver 458 class main 459 user media 460 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 461 ioprio rt 4 462 463service bootanim /system/bin/bootanimation 464 class main 465 user graphics 466 group graphics 467 disabled 468 oneshot 469 470service installd /system/bin/installd 471 class main 472 socket installd stream 600 system system 473 474service flash_recovery /system/etc/install-recovery.sh 475 class main 476 oneshot 477 478service racoon /system/bin/racoon 479 class main 480 socket racoon stream 600 system system 481 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 482 group vpn net_admin inet 483 disabled 484 oneshot 485 486service mtpd /system/bin/mtpd 487 class main 488 socket mtpd stream 600 system system 489 user vpn 490 group vpn net_admin inet net_raw 491 disabled 492 oneshot 493 494service keystore /system/bin/keystore /data/misc/keystore 495 class main 496 user keystore 497 group keystore drmrpc 498 499service dumpstate /system/bin/dumpstate -s 500 class main 501 socket dumpstate stream 0660 shell log 502 disabled 503 oneshot 504 505service sshd /system/bin/start-ssh 506 class main 507 disabled 508 509service mdnsd /system/bin/mdnsd 510 class main 511 user mdnsr 512 group inet net_raw 513 socket mdnsd stream 0660 mdnsr inet 514 disabled 515 oneshot 516