init.rc revision 9e9f05e5ebf72a60930a53e5cf45f575534fc29d
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Layout of this file: `on <trigger>` sections list commands that init runs
# in order when the trigger fires; `service` stanzas declare the daemons
# that init launches and supervises.

# Additional rc files parsed together with this one. ${ro.hardware} is
# expanded from the property, so the device-specific file is chosen by
# hardware name.
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    # -16 sits near the bottom of the oom_adj range, so init is an unlikely
    # target for the kernel OOM killer.
    write /proc/1/oom_adj -16

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 = check the protection the kernel will actually apply rather than
    # only the protection the caller requested.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

# create mountpoints
# (0775: writable by root and group system, read/traverse for everyone else)
    mkdir /mnt 0775 root system

on init

sysclktz 0

loglevel 3

# Backward compatibility
    symlink /system/etc /etc
    # NOTE(review): /d is a short alias for debugfs. Whether debugfs is
    # mounted, and with which permissions, is decided outside this file.
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
# (still inside `on init`) /vendor is a symlink into /system.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
# (mkdir with no mode/owner arguments falls back to init's defaults)
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

# Create cgroup mount point for memory
# The tmpfs root is root-owned with gid=1000 (AID_SYSTEM) and mode 0750, so
# only root and group system can reach the memory controller beneath it.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    # tasks files: root and group system may move tasks between groups.
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    # Top-level mount points. The modes given here apply to the bare
    # directory; once a filesystem is mounted on it, the mode of that
    # filesystem's root is what callers see (hence the repeated chown/chmod
    # after mounting in the post-fs and post-fs-data sections).
    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    # 0751: everyone may traverse /storage, only root and sdcard_r may list it.
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The tmpfs mounted on top carries mode=0755,gid=1000, so that mode, not
    # the 0700 given to mkdir, is the one in effect after the mount.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
# /mnt/obb: the tmpfs mounted here carries mode=0755,gid=1000, so that mode,
# not the 0700 given to mkdir, is the one in effect after the mount.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # Kernel tunables. The security-relevant ones:
    #   panic_on_oops 1       - panic on a kernel oops instead of continuing
    #   /proc/cpu/alignment 4 - presumably "signal on unaligned access" on
    #                           ARM; confirm against the target kernel
    #   randomize_va_space 2  - full address-space randomization, heap included
    #   kptr_restrict 2       - kernel pointers printed via %pK are hidden
    #                           from every reader
    #   dmesg_restrict 1      - the kernel log needs privilege to read
    #   mmap_min_addr 32768   - no user mappings in the lowest 32 KiB, which
    #                           blunts kernel NULL-pointer dereference bugs
    #   ping_group_range      - "0 2147483647" lets every gid open
    #                           unprivileged ICMP echo sockets
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
# The root cpu group is owned by system and its tasks file is 0660.
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    # NOTE(review): the two `chmod 0666 .../tasks` lines below make those
    # files world-writable, the one exception in this file to the rule in
    # its header. Any process can then move threads into or between the
    # apps and bg_non_interactive groups - presumably so that apps can set
    # their own scheduling group. Confirm that is still required before
    # keeping 0666.
    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# qtaguid will limit access to specific data based on group memberships.
#   net_bw_acct grants impersonation of socket owners.
#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
# Only the group owner is set here (ctrl -> net_bw_acct, stats ->
# net_bw_stats); the files' modes are left as the kernel module created them.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

# Create location for fs_mgr to store abbreviated output from filesystem
# checker programs.
    mkdir /dev/fscklogs 0770 root system

on post-fs
    # Once everything is set up, there is no need to modify /.
    # A read-only root keeps the files on rootfs (the /sbin binaries and the
    # rc files imported above live there) from being changed at runtime.
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because the mount is done as root with
    # default ownership and mode.
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # Change permissions on vmallocinfo so we can grab it from bugreports.
    # Both files expose kernel memory-layout details, so they are limited to
    # root and group log (0440).
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # Change permissions on kmsg & sysrq-trigger so bugreports can grab
    # kthread stacks.
    # sysrq-trigger is write-only (0220) for root and group system: whoever
    # can write it can invoke SysRq actions, so membership of `system` is
    # the access control for that file.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because the mount is done as root with
    # default ownership and mode.
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
# Relabel /data itself (restorecon, not restorecon_recursive).
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # Data written to /dev/urandom is mixed into the pool but is not
    # credited as entropy. NOTE(review): what init does when entropy.dat is
    # absent (e.g. first boot) is not visible here - presumably the copy
    # simply fails; confirm.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    # The copies hold kernel crash output; they are readable by group log
    # only (0640 root:log).
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Mode notes: the leading 1 in 01771 is the sticky bit (entries can be
    # removed only by their owner, the directory owner or root); the leading
    # 2 in 02750 is setgid (new entries inherit group shell). A trailing 1
    # (..71) lets others traverse a directory without listing it.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # Key material: reachable by the owning uid only.
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    restorecon_recursive /data/misc/zoneinfo
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    # give system access to wpa_supplicant.conf for backup and restore
    # (only the mode is set here; the file's owner and group are not changed
    # by this script)
    mkdir /data/misc/wifi 0770 wifi wifi
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media
    restorecon_recursive /data/misc/media

    # Set security context of any pre-existing /data/misc/adb/adb_keys file.
    restorecon /data/misc/adb
    restorecon /data/misc/adb/adb_keys

    # For security reasons, /data/local/tmp should always be empty.
# Do not place files or directories in /data/local/tmp
# (it is owned by and writable for the shell user; others may traverse it
# but not list it)
    mkdir /data/local/tmp 0771 shell shell
    # 0771 on the app directories: other uids can reach a path they already
    # know but cannot enumerate the directory.
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    # Persistent properties: root only.
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    # (the explicit chown/chmod also corrects a directory that already
    # existed with different ownership or mode)
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give mediadrm the read/write
    # access to the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm
    restorecon_recursive /data/mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    # (0711: only system can list or write; others can traverse)
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    # NOTE(review): this makes the contents of /data/security part of the
    # policy trust path; how a policy found there is validated before it is
    # loaded is not visible in this file.
    setprop selinux.reload_policy 1

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
# Set indication (checked by vold) that we have finished this action
# (left commented out here; see the note directly above)
    #setprop vold.post_fs_data_done 1

on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
# (13 is the resource number; soft and hard limit are both 40)
    setrlimit 13 40 40

# Memory management.  Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
    # overcommit_memory 1 = the kernel always grants allocations.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    # lowmemorykiller thresholds: writable by root and group system,
    # readable by everyone (0664).
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
# (still inside `on boot`) Power-management nodes are handed to radio/system.
# Only state, wake_lock and wake_unlock get an explicit 0660 below; every
# other node keeps the mode the kernel gave it.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # "interactive" cpufreq governor tunables: owned by system, 0660.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): boostpulse is the only tunable in this group with a
    # chown but no chmod, so its mode stays at the kernel default.
    # Presumably intentional - confirm.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    # Device nodes handed to system (ownership only; modes are not touched).
    # NOTE(review): the vibrator `enable` chown appears twice in this run;
    # the second occurrence is redundant.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Group owner of the kernel command line becomes radio; the mode is not
    # changed here.
    chown root radio /proc/cmdline

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144

    # Start the service classes declared by the `service` stanzas.
    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

# The vold.decrypt triggers below stop and restart service classes according
# to the value of the vold.decrypt property.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Whatever is written to sys.powerctl is passed to init's powerctl command,
# so permission to set that property is the access control for power
# control. That permission is enforced outside this file.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files, so proxy it through init
# (the property value is written to the sysctl as-is; who may set the
# property is decided outside this file)
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

## Daemon processes to be run by init.
##
# Reading the stanzas below:
#   - a service with no `user` line keeps init's uid, i.e. it runs as root;
#   - `socket <name> <type> <perm> <user> <group>` creates the socket with
#     that mode and ownership - the mode is the first gate on who may
#     connect;
#   - `seclabel` sets the SELinux context explicitly. Services without it
#     get their context some other way (presumably policy transition rules,
#     not visible in this file);
#   - `critical` marks a service whose repeated failure init treats as fatal;
#   - `disabled` services start only on an explicit `start`.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

service healthd-charger /sbin/healthd -n
    class charger
    critical
    seclabel u:r:healthd:s0

# Shell on the console device, running as the unprivileged shell user.
# It is disabled here and started only by the ro.debuggable=1 trigger below.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

# A servicemanager restart also restarts the services named in the
# onrestart lines.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

# No `user` line: runs as root. The control socket is limited to root and
# group mount.
service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

# No `user` line: runs as root. dnsproxyd is reachable by group inet; the
# other two sockets by group system.
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

# No `user` line: runs as root.
service debuggerd /system/bin/debuggerd
    class main

# Started as root explicitly. NOTE(review): whether rild drops privileges
# after start-up is not visible in this file.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

# No `user` line: zygote runs as root. Its socket is limited to root and
# group system.
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# No `user` line: runs as root. The socket is limited to the system uid (600).
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# No `user` line and not disabled: a shell script run as root once each time
# class main is started. Its integrity rests on /system/etc being writable
# only by trusted code.
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    # (hence no `user` line: it starts as root and the privilege drop happens
    # inside the daemon)
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

# Runs as its own uid; the argument is the 0700 keystore directory created
# in post-fs-data.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

# No `user` line: runs as root. The socket is reachable by user shell and
# group log.
service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# No `user` line: the start-ssh wrapper runs as root. Disabled by default.
service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot