init.rc revision 92781808bab8f045752aa1824a57956ddd52fcbd 
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.usb.rc
8import /init.${ro.hardware}.rc
9import /init.trace.rc
10
11on early-init
12    # Set init and its forked children's oom_adj.
13    write /proc/1/oom_adj -16
14
15    # Set the security context for the init process.
16    # This should occur before anything else (e.g. ueventd) is started.
17    setcon u:r:init:s0
18
19    start ueventd
20
21# create mountpoints
22    mkdir /mnt 0775 root system
23
24on init
25
26sysclktz 0
27
28loglevel 3
29
30# setup the global environment
31    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
32    export LD_LIBRARY_PATH /vendor/lib:/system/lib
33    export ANDROID_BOOTLOGO 1
34    export ANDROID_ROOT /system
35    export ANDROID_ASSETS /system/app
36    export ANDROID_DATA /data
37    export ANDROID_STORAGE /storage
38    export ASEC_MOUNTPOINT /mnt/asec
39    export LOOP_MOUNTPOINT /mnt/obb
40    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar
41
42# Backward compatibility
43    symlink /system/etc /etc
44    symlink /sys/kernel/debug /d
45
46# Right now vendor lives on the same filesystem as system,
47# but someday that may change.
48    symlink /system/vendor /vendor
49
50# Create cgroup mount point for cpu accounting
51    mkdir /acct
52    mount cgroup none /acct cpuacct
53    mkdir /acct/uid
54
55    mkdir /system
56    mkdir /data 0771 system system
57    mkdir /cache 0770 system cache
58    mkdir /config 0500 root root
59
60    # See storage config details at http://source.android.com/tech/storage/
61    mkdir /mnt/shell 0700 shell shell
62    mkdir /storage 0050 root sdcard_r
63
64    # Directory for putting things only root should see.
65    mkdir /mnt/secure 0700 root root
66    # Create private mountpoint so we can MS_MOVE from staging
67    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0
68
69    # Directory for staging bindmounts
70    mkdir /mnt/secure/staging 0700 root root
71
72    # Directory-target for where the secure container
73    # imagefile directory will be bind-mounted
74    mkdir /mnt/secure/asec  0700 root root
75
76    # Secure container public mount points.
77    mkdir /mnt/asec  0700 root system
78    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
79
80    # Filesystem image public mount points.
81    mkdir /mnt/obb 0700 root system
82    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
83
84    write /proc/sys/kernel/panic_on_oops 1
85    write /proc/sys/kernel/hung_task_timeout_secs 0
86    write /proc/cpu/alignment 4
87    write /proc/sys/kernel/sched_latency_ns 10000000
88    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
89    write /proc/sys/kernel/sched_compat_yield 1
90    write /proc/sys/kernel/sched_child_runs_first 0
91    write /proc/sys/kernel/randomize_va_space 2
92    write /proc/sys/kernel/kptr_restrict 2
93    write /proc/sys/kernel/dmesg_restrict 1
94    write /proc/sys/vm/mmap_min_addr 32768
95    write /proc/sys/kernel/sched_rt_runtime_us 950000
96    write /proc/sys/kernel/sched_rt_period_us 1000000
97
98# Create cgroup mount points for process groups
99    mkdir /dev/cpuctl
100    mount cgroup none /dev/cpuctl cpu
101    chown system system /dev/cpuctl
102    chown system system /dev/cpuctl/tasks
103    chmod 0660 /dev/cpuctl/tasks
104    write /dev/cpuctl/cpu.shares 1024
105    write /dev/cpuctl/cpu.rt_runtime_us 950000
106    write /dev/cpuctl/cpu.rt_period_us 1000000
107
108    mkdir /dev/cpuctl/apps
109    chown system system /dev/cpuctl/apps/tasks
110    chmod 0666 /dev/cpuctl/apps/tasks
111    write /dev/cpuctl/apps/cpu.shares 1024
112    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
113    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
114
115    mkdir /dev/cpuctl/apps/bg_non_interactive
116    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
117    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
118    # 5.0 %
119    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
120    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
121    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
122
123# Allow everybody to read the xt_qtaguid resource tracking misc dev.
124# This is needed by any process that uses socket tagging.
125    chmod 0644 /dev/xt_qtaguid
126
127on fs
128# mount mtd partitions
129    # Mount /system rw first to give the filesystem a chance to save a checkpoint
130    mount yaffs2 mtd@system /system
131    mount yaffs2 mtd@system /system ro remount
132    mount yaffs2 mtd@userdata /data nosuid nodev
133    mount yaffs2 mtd@cache /cache nosuid nodev
134
135on post-fs
136    # once everything is setup, no need to modify /
137    mount rootfs rootfs / ro remount
138    # mount shared so changes propagate into child namespaces
139    mount rootfs rootfs / shared rec
140    mount tmpfs tmpfs /mnt/secure private rec
141
142    # We chown/chmod /cache again so because mount is run as root + defaults
143    chown system cache /cache
144    chmod 0770 /cache
145    # We restorecon /cache in case the cache partition has been reset.
146    restorecon /cache
147
148    # This may have been created by the recovery system with odd permissions
149    chown system cache /cache/recovery
150    chmod 0770 /cache/recovery
151    # This may have been created by the recovery system with the wrong context.
152    restorecon /cache/recovery
153
154    #change permissions on vmallocinfo so we can grab it from bugreports
155    chown root log /proc/vmallocinfo
156    chmod 0440 /proc/vmallocinfo
157
158    chown root log /proc/slabinfo
159    chmod 0440 /proc/slabinfo
160
161    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
162    chown root system /proc/kmsg
163    chmod 0440 /proc/kmsg
164    chown root system /proc/sysrq-trigger
165    chmod 0220 /proc/sysrq-trigger
166    chown system log /proc/last_kmsg
167    chmod 0440 /proc/last_kmsg
168
169    # create the lost+found directories, so as to enforce our permissions
170    mkdir /cache/lost+found 0770 root root
171
172on post-fs-data
173    # We chown/chmod /data again so because mount is run as root + defaults
174    chown system system /data
175    chmod 0771 /data
176    # We restorecon /data in case the userdata partition has been reset.
177    restorecon /data
178
179    # Create dump dir and collect dumps.
180    # Do this before we mount cache so eventually we can use cache for
181    # storing dumps on platforms which do not have a dedicated dump partition.
182    mkdir /data/dontpanic 0750 root log
183
184    # Collect apanic data, free resources and re-arm trigger
185    copy /proc/apanic_console /data/dontpanic/apanic_console
186    chown root log /data/dontpanic/apanic_console
187    chmod 0640 /data/dontpanic/apanic_console
188
189    copy /proc/apanic_threads /data/dontpanic/apanic_threads
190    chown root log /data/dontpanic/apanic_threads
191    chmod 0640 /data/dontpanic/apanic_threads
192
193    write /proc/apanic_console 1
194
195    # create basic filesystem structure
196    mkdir /data/misc 01771 system misc
197    mkdir /data/misc/adb 02750 system shell
198    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
199    mkdir /data/misc/bluetooth 0770 system system
200    mkdir /data/misc/keystore 0700 keystore keystore
201    mkdir /data/misc/keychain 0771 system system
202    mkdir /data/misc/sms 0770 system radio
203    mkdir /data/misc/zoneinfo 0775 system system
204    mkdir /data/misc/vpn 0770 system vpn
205    mkdir /data/misc/systemkeys 0700 system system
206    # give system access to wpa_supplicant.conf for backup and restore
207    mkdir /data/misc/wifi 0770 wifi wifi
208    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
209    mkdir /data/local 0751 root root
210
211    # For security reasons, /data/local/tmp should always be empty.
212    # Do not place files or directories in /data/local/tmp
213    mkdir /data/local/tmp 0771 shell shell
214    mkdir /data/data 0771 system system
215    mkdir /data/app-private 0771 system system
216    mkdir /data/app-asec 0700 root root
217    mkdir /data/app-lib 0771 system system
218    mkdir /data/app 0771 system system
219    mkdir /data/property 0700 root root
220    mkdir /data/ssh 0750 root shell
221    mkdir /data/ssh/empty 0700 root root
222
223    # create dalvik-cache, so as to enforce our permissions
224    mkdir /data/dalvik-cache 0771 system system
225
226    # create resource-cache and double-check the perms
227    mkdir /data/resource-cache 0771 system system
228    chown system system /data/resource-cache
229    chmod 0771 /data/resource-cache
230
231    # create the lost+found directories, so as to enforce our permissions
232    mkdir /data/lost+found 0770 root root
233
234    # create directory for DRM plug-ins - give drm the read/write access to
235    # the following directory.
236    mkdir /data/drm 0770 drm drm
237
238    # If there is no fs-post-data action in the init.<device>.rc file, you
239    # must uncomment this line, otherwise encrypted filesystems
240    # won't work.
241    # Set indication (checked by vold) that we have finished this action
242    #setprop vold.post_fs_data_done 1
243
244on boot
245# basic network init
246    ifup lo
247    hostname localhost
248    domainname localdomain
249
250# set RLIMIT_NICE to allow priorities from 19 to -20
251    setrlimit 13 40 40
252
253# Memory management.  Basic kernel parameters, and allow the high
254# level system server to be able to adjust the kernel OOM driver
255# parameters to match how it is managing things.
256    write /proc/sys/vm/overcommit_memory 1
257    write /proc/sys/vm/min_free_order_shift 4
258    chown root system /sys/module/lowmemorykiller/parameters/adj
259    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
260    chown root system /sys/module/lowmemorykiller/parameters/minfree
261    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
262
263    # Tweak background writeout
264    write /proc/sys/vm/dirty_expire_centisecs 200
265    write /proc/sys/vm/dirty_background_ratio  5
266
267    # Permissions for System Server and daemons.
268    chown radio system /sys/android_power/state
269    chown radio system /sys/android_power/request_state
270    chown radio system /sys/android_power/acquire_full_wake_lock
271    chown radio system /sys/android_power/acquire_partial_wake_lock
272    chown radio system /sys/android_power/release_wake_lock
273    chown system system /sys/power/autosleep
274    chown system system /sys/power/state
275    chown system system /sys/power/wakeup_count
276    chown radio system /sys/power/wake_lock
277    chown radio system /sys/power/wake_unlock
278    chmod 0660 /sys/power/state
279    chmod 0660 /sys/power/wake_lock
280    chmod 0660 /sys/power/wake_unlock
281
282    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
283    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
284    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
285    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
286    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
287    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
288    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
289    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
290    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
291    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
292    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
293    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
294    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
295    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
296    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
297
298    # Assume SMP uses shared cpufreq policy for all CPUs
299    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
300    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
301
302    chown system system /sys/class/timed_output/vibrator/enable
303    chown system system /sys/class/leds/keyboard-backlight/brightness
304    chown system system /sys/class/leds/lcd-backlight/brightness
305    chown system system /sys/class/leds/button-backlight/brightness
306    chown system system /sys/class/leds/jogball-backlight/brightness
307    chown system system /sys/class/leds/red/brightness
308    chown system system /sys/class/leds/green/brightness
309    chown system system /sys/class/leds/blue/brightness
310    chown system system /sys/class/leds/red/device/grpfreq
311    chown system system /sys/class/leds/red/device/grppwm
312    chown system system /sys/class/leds/red/device/blink
313    chown system system /sys/class/leds/red/brightness
314    chown system system /sys/class/leds/green/brightness
315    chown system system /sys/class/leds/blue/brightness
316    chown system system /sys/class/leds/red/device/grpfreq
317    chown system system /sys/class/leds/red/device/grppwm
318    chown system system /sys/class/leds/red/device/blink
319    chown system system /sys/class/timed_output/vibrator/enable
320    chown system system /sys/module/sco/parameters/disable_esco
321    chown system system /sys/kernel/ipv4/tcp_wmem_min
322    chown system system /sys/kernel/ipv4/tcp_wmem_def
323    chown system system /sys/kernel/ipv4/tcp_wmem_max
324    chown system system /sys/kernel/ipv4/tcp_rmem_min
325    chown system system /sys/kernel/ipv4/tcp_rmem_def
326    chown system system /sys/kernel/ipv4/tcp_rmem_max
327    chown root radio /proc/cmdline
328
329# Define TCP buffer sizes for various networks
330#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
331    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
332    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
333    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
334    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
335    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
336    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
337    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
338    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
339    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
340    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
341    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
342
343# Set this property so surfaceflinger is not started by system_init
344    setprop system_init.startsurfaceflinger 0
345
346    class_start core
347    class_start main
348
349on nonencrypted
350    class_start late_start
351
352on charger
353    class_start charger
354
355on property:vold.decrypt=trigger_reset_main
356    class_reset main
357
358on property:vold.decrypt=trigger_load_persist_props
359    load_persist_props
360
361on property:vold.decrypt=trigger_post_fs_data
362    trigger post-fs-data
363
364on property:vold.decrypt=trigger_restart_min_framework
365    class_start main
366
367on property:vold.decrypt=trigger_restart_framework
368    class_start main
369    class_start late_start
370
371on property:vold.decrypt=trigger_shutdown_framework
372    class_reset late_start
373    class_reset main
374
375## Daemon processes to be run by init.
376##
377service ueventd /sbin/ueventd
378    class core
379    critical
380    seclabel u:r:ueventd:s0
381
382on property:selinux.reload_policy=1
383    restart ueventd
384    restart installd
385
386service console /system/bin/sh
387    class core
388    console
389    disabled
390    user shell
391    group log
392
393on property:ro.debuggable=1
394    start console
395
396# adbd is controlled via property triggers in init.<platform>.usb.rc
397service adbd /sbin/adbd
398    class core
399    socket adbd stream 660 system system
400    disabled
401    seclabel u:r:adbd:s0
402
403# adbd on at boot in emulator
404on property:ro.kernel.qemu=1
405    start adbd
406
407service servicemanager /system/bin/servicemanager
408    class core
409    user system
410    group system
411    critical
412    onrestart restart zygote
413    onrestart restart media
414    onrestart restart surfaceflinger
415    onrestart restart drm
416
417service vold /system/bin/vold
418    class core
419    socket vold stream 0660 root mount
420    ioprio be 2
421
422service netd /system/bin/netd
423    class main
424    socket netd stream 0660 root system
425    socket dnsproxyd stream 0660 root inet
426    socket mdns stream 0660 root system
427
428service debuggerd /system/bin/debuggerd
429    class main
430
431service ril-daemon /system/bin/rild
432    class main
433    socket rild stream 660 root radio
434    socket rild-debug stream 660 radio system
435    user root
436    group radio cache inet misc audio log
437
438service surfaceflinger /system/bin/surfaceflinger
439    class main
440    user system
441    group graphics drmrpc
442    onrestart restart zygote
443
444service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
445    class main
446    socket zygote stream 660 root system
447    onrestart write /sys/android_power/request_state wake
448    onrestart write /sys/power/state on
449    onrestart restart media
450    onrestart restart netd
451
452service drm /system/bin/drmserver
453    class main
454    user drm
455    group drm system inet drmrpc
456
457service media /system/bin/mediaserver
458    class main
459    user media
460    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc
461    ioprio rt 4
462
463service bootanim /system/bin/bootanimation
464    class main
465    user graphics
466    group graphics
467    disabled
468    oneshot
469
470service installd /system/bin/installd
471    class main
472    socket installd stream 600 system system
473
474service flash_recovery /system/etc/install-recovery.sh
475    class main
476    oneshot
477
478service racoon /system/bin/racoon
479    class main
480    socket racoon stream 600 system system
481    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
482    group vpn net_admin inet
483    disabled
484    oneshot
485
486service mtpd /system/bin/mtpd
487    class main
488    socket mtpd stream 600 system system
489    user vpn
490    group vpn net_admin inet net_raw
491    disabled
492    oneshot
493
494service keystore /system/bin/keystore /data/misc/keystore
495    class main
496    user keystore
497    group keystore drmrpc
498
499service dumpstate /system/bin/dumpstate -s
500    class main
501    socket dumpstate stream 0660 shell log
502    disabled
503    oneshot
504
505service sshd /system/bin/start-ssh
506    class main
507    disabled
508
509service mdnsd /system/bin/mdnsd
510    class main
511    user mdnsr
512    group inet net_raw
513    socket mdnsd stream 0660 mdnsr inet
514    disabled
515    oneshot
516