init.rc revision 9481266ea360e0a8f326fec1106ea445f2ef883c 
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.usb.rc
8import /init.${ro.hardware}.rc
9import /init.trace.rc
10
11on early-init
12    # Set init and its forked children's oom_adj.
13    write /proc/1/oom_adj -16
14
15    # Set the security context for the init process.
16    # This should occur before anything else (e.g. ueventd) is started.
17    setcon u:r:init:s0
18
19    start ueventd
20
21# create mountpoints
22    mkdir /mnt 0775 root system
23
24on init
25
26sysclktz 0
27
28loglevel 3
29
30# setup the global environment
31    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
32    export LD_LIBRARY_PATH /vendor/lib:/system/lib
33    export ANDROID_BOOTLOGO 1
34    export ANDROID_ROOT /system
35    export ANDROID_ASSETS /system/app
36    export ANDROID_DATA /data
37    export ANDROID_STORAGE /storage
38    export ASEC_MOUNTPOINT /mnt/asec
39    export LOOP_MOUNTPOINT /mnt/obb
40    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar
41
42# Backward compatibility
43    symlink /system/etc /etc
44    symlink /sys/kernel/debug /d
45
46# Right now vendor lives on the same filesystem as system,
47# but someday that may change.
48    symlink /system/vendor /vendor
49
50# Create cgroup mount point for cpu accounting
51    mkdir /acct
52    mount cgroup none /acct cpuacct
53    mkdir /acct/uid
54
55    mkdir /system
56    mkdir /data 0771 system system
57    mkdir /cache 0770 system cache
58    mkdir /config 0500 root root
59
60    # See storage config details at http://source.android.com/tech/storage/
61    mkdir /mnt/shell 0700 shell shell
62    mkdir /storage 0050 root sdcard_r
63
64    # Directory for putting things only root should see.
65    mkdir /mnt/secure 0700 root root
66    # Create private mountpoint so we can MS_MOVE from staging
67    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0
68
69    # Directory for staging bindmounts
70    mkdir /mnt/secure/staging 0700 root root
71
72    # Directory-target for where the secure container
73    # imagefile directory will be bind-mounted
74    mkdir /mnt/secure/asec  0700 root root
75
76    # Secure container public mount points.
77    mkdir /mnt/asec  0700 root system
78    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
79
80    # Filesystem image public mount points.
81    mkdir /mnt/obb 0700 root system
82    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
83
84    write /proc/sys/kernel/panic_on_oops 1
85    write /proc/sys/kernel/hung_task_timeout_secs 0
86    write /proc/cpu/alignment 4
87    write /proc/sys/kernel/sched_latency_ns 10000000
88    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
89    write /proc/sys/kernel/sched_compat_yield 1
90    write /proc/sys/kernel/sched_child_runs_first 0
91    write /proc/sys/kernel/randomize_va_space 2
92    write /proc/sys/kernel/kptr_restrict 2
93    write /proc/sys/kernel/dmesg_restrict 1
94    write /proc/sys/vm/mmap_min_addr 32768
95    write /proc/sys/kernel/sched_rt_runtime_us 950000
96    write /proc/sys/kernel/sched_rt_period_us 1000000
97
98# Create cgroup mount points for process groups
99    mkdir /dev/cpuctl
100    mount cgroup none /dev/cpuctl cpu
101    chown system system /dev/cpuctl
102    chown system system /dev/cpuctl/tasks
103    chmod 0660 /dev/cpuctl/tasks
104    write /dev/cpuctl/cpu.shares 1024
105    write /dev/cpuctl/cpu.rt_runtime_us 950000
106    write /dev/cpuctl/cpu.rt_period_us 1000000
107
108    mkdir /dev/cpuctl/apps
109    chown system system /dev/cpuctl/apps/tasks
110    chmod 0666 /dev/cpuctl/apps/tasks
111    write /dev/cpuctl/apps/cpu.shares 1024
112    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
113    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
114
115    mkdir /dev/cpuctl/apps/bg_non_interactive
116    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
117    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
118    # 5.0 %
119    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
120    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
121    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
122
123# Allow everybody to read the xt_qtaguid resource tracking misc dev.
124# This is needed by any process that uses socket tagging.
125    chmod 0644 /dev/xt_qtaguid
126
127on fs
128# mount mtd partitions
129    # Mount /system rw first to give the filesystem a chance to save a checkpoint
130    mount yaffs2 mtd@system /system
131    mount yaffs2 mtd@system /system ro remount
132    mount yaffs2 mtd@userdata /data nosuid nodev
133    mount yaffs2 mtd@cache /cache nosuid nodev
134
135on post-fs
136    # once everything is setup, no need to modify /
137    mount rootfs rootfs / ro remount
138    # mount shared so changes propagate into child namespaces
139    mount rootfs rootfs / shared rec
140    mount tmpfs tmpfs /mnt/secure private rec
141
142    # We chown/chmod /cache again so because mount is run as root + defaults
143    chown system cache /cache
144    chmod 0770 /cache
145    # We restorecon /cache in case the cache partition has been reset.
146    restorecon /cache
147
148    # This may have been created by the recovery system with odd permissions
149    chown system cache /cache/recovery
150    chmod 0770 /cache/recovery
151    # This may have been created by the recovery system with the wrong context.
152    restorecon /cache/recovery
153
154    #change permissions on vmallocinfo so we can grab it from bugreports
155    chown root log /proc/vmallocinfo
156    chmod 0440 /proc/vmallocinfo
157
158    chown root log /proc/slabinfo
159    chmod 0440 /proc/slabinfo
160
161    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
162    chown root system /proc/kmsg
163    chmod 0440 /proc/kmsg
164    chown root system /proc/sysrq-trigger
165    chmod 0220 /proc/sysrq-trigger
166    chown system log /proc/last_kmsg
167    chmod 0440 /proc/last_kmsg
168
169    # create the lost+found directories, so as to enforce our permissions
170    mkdir /cache/lost+found 0770 root root
171
172on post-fs-data
173    # We chown/chmod /data again so because mount is run as root + defaults
174    chown system system /data
175    chmod 0771 /data
176    # We restorecon /data in case the userdata partition has been reset.
177    restorecon /data
178
179    # Create dump dir and collect dumps.
180    # Do this before we mount cache so eventually we can use cache for
181    # storing dumps on platforms which do not have a dedicated dump partition.
182    mkdir /data/dontpanic 0750 root log
183
184    # Collect apanic data, free resources and re-arm trigger
185    copy /proc/apanic_console /data/dontpanic/apanic_console
186    chown root log /data/dontpanic/apanic_console
187    chmod 0640 /data/dontpanic/apanic_console
188
189    copy /proc/apanic_threads /data/dontpanic/apanic_threads
190    chown root log /data/dontpanic/apanic_threads
191    chmod 0640 /data/dontpanic/apanic_threads
192
193    write /proc/apanic_console 1
194
195    # create basic filesystem structure
196    mkdir /data/misc 01771 system misc
197    mkdir /data/misc/adb 02750 system shell
198    mkdir /data/misc/bluedroid 0770 bluetooth bluetooth
199    mkdir /data/misc/bluetooth 0770 system system
200    mkdir /data/misc/keystore 0700 keystore keystore
201    mkdir /data/misc/keychain 0771 system system
202    mkdir /data/misc/vpn 0770 system vpn
203    mkdir /data/misc/systemkeys 0700 system system
204    # give system access to wpa_supplicant.conf for backup and restore
205    mkdir /data/misc/wifi 0770 wifi wifi
206    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
207    mkdir /data/local 0751 root root
208
209    # For security reasons, /data/local/tmp should always be empty.
210    # Do not place files or directories in /data/local/tmp
211    mkdir /data/local/tmp 0771 shell shell
212    mkdir /data/data 0771 system system
213    mkdir /data/app-private 0771 system system
214    mkdir /data/app-asec 0700 root root
215    mkdir /data/app-lib 0771 system system
216    mkdir /data/app 0771 system system
217    mkdir /data/property 0700 root root
218    mkdir /data/ssh 0750 root shell
219    mkdir /data/ssh/empty 0700 root root
220
221    # create dalvik-cache, so as to enforce our permissions
222    mkdir /data/dalvik-cache 0771 system system
223
224    # create resource-cache and double-check the perms
225    mkdir /data/resource-cache 0771 system system
226    chown system system /data/resource-cache
227    chmod 0771 /data/resource-cache
228
229    # create the lost+found directories, so as to enforce our permissions
230    mkdir /data/lost+found 0770 root root
231
232    # create directory for DRM plug-ins - give drm the read/write access to
233    # the following directory.
234    mkdir /data/drm 0770 drm drm
235
236    # If there is no fs-post-data action in the init.<device>.rc file, you
237    # must uncomment this line, otherwise encrypted filesystems
238    # won't work.
239    # Set indication (checked by vold) that we have finished this action
240    #setprop vold.post_fs_data_done 1
241
242on boot
243# basic network init
244    ifup lo
245    hostname localhost
246    domainname localdomain
247
248# set RLIMIT_NICE to allow priorities from 19 to -20
249    setrlimit 13 40 40
250
251# Memory management.  Basic kernel parameters, and allow the high
252# level system server to be able to adjust the kernel OOM driver
253# parameters to match how it is managing things.
254    write /proc/sys/vm/overcommit_memory 1
255    write /proc/sys/vm/min_free_order_shift 4
256    chown root system /sys/module/lowmemorykiller/parameters/adj
257    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
258    chown root system /sys/module/lowmemorykiller/parameters/minfree
259    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
260
261    # Tweak background writeout
262    write /proc/sys/vm/dirty_expire_centisecs 200
263    write /proc/sys/vm/dirty_background_ratio  5
264
265    # Permissions for System Server and daemons.
266    chown radio system /sys/android_power/state
267    chown radio system /sys/android_power/request_state
268    chown radio system /sys/android_power/acquire_full_wake_lock
269    chown radio system /sys/android_power/acquire_partial_wake_lock
270    chown radio system /sys/android_power/release_wake_lock
271    chown system system /sys/power/autosleep
272    chown system system /sys/power/state
273    chown system system /sys/power/wakeup_count
274    chown radio system /sys/power/wake_lock
275    chown radio system /sys/power/wake_unlock
276    chmod 0660 /sys/power/state
277    chmod 0660 /sys/power/wake_lock
278    chmod 0660 /sys/power/wake_unlock
279
280    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
281    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
282    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
283    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
284    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
285    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
286    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
287    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
288    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
289    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
290    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
291    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
292    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
293    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
294    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
295
296    # Assume SMP uses shared cpufreq policy for all CPUs
297    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
298    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
299
300    chown system system /sys/class/timed_output/vibrator/enable
301    chown system system /sys/class/leds/keyboard-backlight/brightness
302    chown system system /sys/class/leds/lcd-backlight/brightness
303    chown system system /sys/class/leds/button-backlight/brightness
304    chown system system /sys/class/leds/jogball-backlight/brightness
305    chown system system /sys/class/leds/red/brightness
306    chown system system /sys/class/leds/green/brightness
307    chown system system /sys/class/leds/blue/brightness
308    chown system system /sys/class/leds/red/device/grpfreq
309    chown system system /sys/class/leds/red/device/grppwm
310    chown system system /sys/class/leds/red/device/blink
311    chown system system /sys/class/leds/red/brightness
312    chown system system /sys/class/leds/green/brightness
313    chown system system /sys/class/leds/blue/brightness
314    chown system system /sys/class/leds/red/device/grpfreq
315    chown system system /sys/class/leds/red/device/grppwm
316    chown system system /sys/class/leds/red/device/blink
317    chown system system /sys/class/timed_output/vibrator/enable
318    chown system system /sys/module/sco/parameters/disable_esco
319    chown system system /sys/kernel/ipv4/tcp_wmem_min
320    chown system system /sys/kernel/ipv4/tcp_wmem_def
321    chown system system /sys/kernel/ipv4/tcp_wmem_max
322    chown system system /sys/kernel/ipv4/tcp_rmem_min
323    chown system system /sys/kernel/ipv4/tcp_rmem_def
324    chown system system /sys/kernel/ipv4/tcp_rmem_max
325    chown root radio /proc/cmdline
326
327# Define TCP buffer sizes for various networks
328#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
329    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
330    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
331    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
332    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
333    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
334    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
335    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
336    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
337    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
338    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
339    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
340
341# Set this property so surfaceflinger is not started by system_init
342    setprop system_init.startsurfaceflinger 0
343
344    class_start core
345    class_start main
346
347on nonencrypted
348    class_start late_start
349
350on charger
351    class_start charger
352
353on property:vold.decrypt=trigger_reset_main
354    class_reset main
355
356on property:vold.decrypt=trigger_load_persist_props
357    load_persist_props
358
359on property:vold.decrypt=trigger_post_fs_data
360    trigger post-fs-data
361
362on property:vold.decrypt=trigger_restart_min_framework
363    class_start main
364
365on property:vold.decrypt=trigger_restart_framework
366    class_start main
367    class_start late_start
368
369on property:vold.decrypt=trigger_shutdown_framework
370    class_reset late_start
371    class_reset main
372
373## Daemon processes to be run by init.
374##
375service ueventd /sbin/ueventd
376    class core
377    critical
378    seclabel u:r:ueventd:s0
379
380on property:selinux.reload_policy=1
381    restart ueventd
382    restart installd
383
384service console /system/bin/sh
385    class core
386    console
387    disabled
388    user shell
389    group log
390
391on property:ro.debuggable=1
392    start console
393
394# adbd is controlled via property triggers in init.<platform>.usb.rc
395service adbd /sbin/adbd
396    class core
397    socket adbd stream 660 system system
398    disabled
399    seclabel u:r:adbd:s0
400
401# adbd on at boot in emulator
402on property:ro.kernel.qemu=1
403    start adbd
404
405service servicemanager /system/bin/servicemanager
406    class core
407    user system
408    group system
409    critical
410    onrestart restart zygote
411    onrestart restart media
412    onrestart restart surfaceflinger
413    onrestart restart drm
414
415service vold /system/bin/vold
416    class core
417    socket vold stream 0660 root mount
418    ioprio be 2
419
420service netd /system/bin/netd
421    class main
422    socket netd stream 0660 root system
423    socket dnsproxyd stream 0660 root inet
424    socket mdns stream 0660 root system
425
426service debuggerd /system/bin/debuggerd
427    class main
428
429service ril-daemon /system/bin/rild
430    class main
431    socket rild stream 660 root radio
432    socket rild-debug stream 660 radio system
433    user root
434    group radio cache inet misc audio log
435
436service surfaceflinger /system/bin/surfaceflinger
437    class main
438    user system
439    group graphics
440    onrestart restart zygote
441
442service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
443    class main
444    socket zygote stream 660 root system
445    onrestart write /sys/android_power/request_state wake
446    onrestart write /sys/power/state on
447    onrestart restart media
448    onrestart restart netd
449
450service drm /system/bin/drmserver
451    class main
452    user drm
453    group drm system inet drmrpc
454
455service media /system/bin/mediaserver
456    class main
457    user media
458    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc
459    ioprio rt 4
460
461service bootanim /system/bin/bootanimation
462    class main
463    user graphics
464    group graphics
465    disabled
466    oneshot
467
468service installd /system/bin/installd
469    class main
470    socket installd stream 600 system system
471
472service flash_recovery /system/etc/install-recovery.sh
473    class main
474    oneshot
475
476service racoon /system/bin/racoon
477    class main
478    socket racoon stream 600 system system
479    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
480    group vpn net_admin inet
481    disabled
482    oneshot
483
484service mtpd /system/bin/mtpd
485    class main
486    socket mtpd stream 600 system system
487    user vpn
488    group vpn net_admin inet net_raw
489    disabled
490    oneshot
491
492service keystore /system/bin/keystore /data/misc/keystore
493    class main
494    user keystore
495    group keystore drmrpc
496    socket keystore stream 666
497
498service dumpstate /system/bin/dumpstate -s
499    class main
500    socket dumpstate stream 0660 shell log
501    disabled
502    oneshot
503
504service sshd /system/bin/start-ssh
505    class main
506    disabled
507
508service mdnsd /system/bin/mdnsd
509    class main
510    user mdnsr
511    group inet net_raw
512    socket mdnsd stream 0660 mdnsr inet
513    disabled
514    oneshot
515