init.rc revision 9481266ea360e0a8f326fec1106ea445f2ef883c
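# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Layout of this file (Android Init Language):
#   import <path>    include another .rc file
#   on <trigger>     action; its commands run in order when the trigger fires
#   service <name>   daemon definition, started through its class or by name
# Modes given to mkdir/chmod/socket are octal; owner and group follow the mode.
# A service with no "user" option keeps init's uid (root). A "socket" option
# with no owner/group is created as root:root.

import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_adj -16

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    start ueventd

    # create mountpoints
    mkdir /mnt 0775 root system

on init
    sysclktz 0

    loglevel 3

    # setup the global environment
    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
    export LD_LIBRARY_PATH /vendor/lib:/system/lib
    export ANDROID_BOOTLOGO 1
    export ANDROID_ROOT /system
    export ANDROID_ASSETS /system/app
    export ANDROID_DATA /data
    export ANDROID_STORAGE /storage
    export ASEC_MOUNTPOINT /mnt/asec
    export LOOP_MOUNTPOINT /mnt/obb
    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar

    # Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Right now vendor lives on the same filesystem as system,
    # but someday that may change.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    # 0050: the only mode bits set are r-x for group sdcard_r.
    mkdir /storage 0050 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root
    # Create private mountpoint so we can MS_MOVE from staging
    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The tmpfs mounted on top is 0755, so its contents are listable by
    # every uid; the 0700 on the underlying directory no longer applies
    # once the mount is in place.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # Kernel behaviour, scheduler tuning and hardening knobs.
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # 2 = full address-space layout randomization, including the heap (brk).
    write /proc/sys/kernel/randomize_va_space 2
    # 2 = kernel pointers printed with %pK are hidden from every user.
    write /proc/sys/kernel/kptr_restrict 2
    # 1 = reading the kernel log requires privilege.
    write /proc/sys/kernel/dmesg_restrict 1
    # Lowest address a process may mmap; keeps page zero unmappable so a
    # kernel NULL-pointer dereference cannot land in attacker-chosen memory.
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file (and the bg_non_interactive
    # one below) world-writable, which the header of this file warns
    # against. Every uid passes the DAC check for moving a task into these
    # groups; confirm which callers rely on that before tightening.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

on fs
    # mount mtd partitions
    # Mount /system rw first to give the filesystem a chance to save a checkpoint
    mount yaffs2 mtd@system /system
    mount yaffs2 mtd@system /system ro remount
    # The writable partitions are mounted nosuid,nodev: set-uid bits and
    # device nodes placed on them are not honoured.
    mount yaffs2 mtd@userdata /data nosuid nodev
    mount yaffs2 mtd@cache /cache nosuid nodev

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec
    mount tmpfs tmpfs /mnt/secure private rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg is read-only (0440) and sysrq-trigger write-only (0220) for
    # root and group system; other uids get no access.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # 01771 sets the sticky bit: an entry can be removed or renamed only
    # by its owner, the directory owner or root.
    mkdir /data/misc 01771 system misc
    # 02750 sets the set-gid bit: files created inside inherit group shell.
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth bluetooth
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    # give system access to wpa_supplicant.conf for backup and restore
    mkdir /data/misc/wifi 0770 wifi wifi
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # cpufreq "interactive" governor tunables: owner/group system, 0660.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # boostpulse is chowned only; no chmod follows, so its mode is whatever
    # the kernel exposes.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    # Vibrator, LED, SCO and TCP buffer nodes handed to uid/gid system.
    # Each node is chowned once; repeating a chown with the same owner in
    # the same action has no further effect.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

    # Define TCP buffer sizes for various networks
    #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144

    # Set this property so surfaceflinger is not started by system_init
    setprop system_init.startsurfaceflinger 0

    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

# vold drives the framework through the vold.decrypt property; each value
# below maps to starting or resetting a service class.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

## Daemon processes to be run by init.
##
## Reading guide for review:
##   socket <name> <type> <perm> [<user> [<group>]]  creates /dev/socket/<name>
##   user/group   identity the service runs under; absent "user" means root
##   disabled     not started with its class, only by an explicit start
##   critical     named here for ueventd and servicemanager
##   seclabel     SELinux context the service is started in
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

on property:selinux.reload_policy=1
    restart ueventd
    restart installd

# Shell on the console, running as user shell. It is disabled by default
# and only started when the build sets ro.debuggable=1.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# No "user" option: init starts it as root.
service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main

service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics
    onrestart restart zygote

# No "user" option: zygote runs as root. Its socket is limited to root and
# group system (660).
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# Runs as root; the socket is reachable by uid system only (600).
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs the script as root once per start of class main (no "user" option,
# oneshot). Its integrity rests on /system being mounted read-only (see
# "on fs"); the script is a sensible target for file-integrity monitoring.
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc
    # NOTE(review): mode 666 with no owner/group lets every uid connect to
    # this socket at the DAC level, unlike the 600/660 sockets above. Caller
    # authorization therefore has to be enforced inside the keystore daemon
    # or by SELinux policy, neither of which is visible in this file; confirm.
    socket keystore stream 666

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot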