init.rc revision 9e9f05e5ebf72a60930a53e5cf45f575534fc29d 
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /init.usb.rc
9import /init.${ro.hardware}.rc
10import /init.trace.rc
11
12on early-init
13    # Set init and its forked children's oom_adj.
14    write /proc/1/oom_adj -16
15
16    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
17    write /sys/fs/selinux/checkreqprot 0
18
19    # Set the security context for the init process.
20    # This should occur before anything else (e.g. ueventd) is started.
21    setcon u:r:init:s0
22
23    # Set the security context of /adb_keys if present.
24    restorecon /adb_keys
25
26    start ueventd
27
28# create mountpoints
29    mkdir /mnt 0775 root system
30
31on init
32
33sysclktz 0
34
35loglevel 3
36
37# Backward compatibility
38    symlink /system/etc /etc
39    symlink /sys/kernel/debug /d
40
41# Right now vendor lives on the same filesystem as system,
42# but someday that may change.
43    symlink /system/vendor /vendor
44
45# Create cgroup mount point for cpu accounting
46    mkdir /acct
47    mount cgroup none /acct cpuacct
48    mkdir /acct/uid
49
50# Create cgroup mount point for memory
51    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
52    mkdir /sys/fs/cgroup/memory 0750 root system
53    mount cgroup none /sys/fs/cgroup/memory memory
54    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
55    chown root system /sys/fs/cgroup/memory/tasks
56    chmod 0660 /sys/fs/cgroup/memory/tasks
57    mkdir /sys/fs/cgroup/memory/sw 0750 root system
58    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
59    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
60    chown root system /sys/fs/cgroup/memory/sw/tasks
61    chmod 0660 /sys/fs/cgroup/memory/sw/tasks
62
63    mkdir /system
64    mkdir /data 0771 system system
65    mkdir /cache 0770 system cache
66    mkdir /config 0500 root root
67
68    # See storage config details at http://source.android.com/tech/storage/
69    mkdir /mnt/shell 0700 shell shell
70    mkdir /mnt/media_rw 0700 media_rw media_rw
71    mkdir /storage 0751 root sdcard_r
72
73    # Directory for putting things only root should see.
74    mkdir /mnt/secure 0700 root root
75
76    # Directory for staging bindmounts
77    mkdir /mnt/secure/staging 0700 root root
78
79    # Directory-target for where the secure container
80    # imagefile directory will be bind-mounted
81    mkdir /mnt/secure/asec  0700 root root
82
83    # Secure container public mount points.
84    mkdir /mnt/asec  0700 root system
85    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
86
87    # Filesystem image public mount points.
88    mkdir /mnt/obb 0700 root system
89    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
90
91    write /proc/sys/kernel/panic_on_oops 1
92    write /proc/sys/kernel/hung_task_timeout_secs 0
93    write /proc/cpu/alignment 4
94    write /proc/sys/kernel/sched_latency_ns 10000000
95    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
96    write /proc/sys/kernel/sched_compat_yield 1
97    write /proc/sys/kernel/sched_child_runs_first 0
98    write /proc/sys/kernel/randomize_va_space 2
99    write /proc/sys/kernel/kptr_restrict 2
100    write /proc/sys/kernel/dmesg_restrict 1
101    write /proc/sys/vm/mmap_min_addr 32768
102    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
103    write /proc/sys/kernel/sched_rt_runtime_us 950000
104    write /proc/sys/kernel/sched_rt_period_us 1000000
105
106# Create cgroup mount points for process groups
107    mkdir /dev/cpuctl
108    mount cgroup none /dev/cpuctl cpu
109    chown system system /dev/cpuctl
110    chown system system /dev/cpuctl/tasks
111    chmod 0660 /dev/cpuctl/tasks
112    write /dev/cpuctl/cpu.shares 1024
113    write /dev/cpuctl/cpu.rt_runtime_us 950000
114    write /dev/cpuctl/cpu.rt_period_us 1000000
115
116    mkdir /dev/cpuctl/apps
117    chown system system /dev/cpuctl/apps/tasks
118    chmod 0666 /dev/cpuctl/apps/tasks
119    write /dev/cpuctl/apps/cpu.shares 1024
120    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
121    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
122
123    mkdir /dev/cpuctl/apps/bg_non_interactive
124    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
125    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
126    # 5.0 %
127    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
128    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
129    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
130
131# qtaguid will limit access to specific data based on group memberships.
132#   net_bw_acct grants impersonation of socket owners.
133#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
134    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
135    chown root net_bw_stats /proc/net/xt_qtaguid/stats
136
137# Allow everybody to read the xt_qtaguid resource tracking misc dev.
138# This is needed by any process that uses socket tagging.
139    chmod 0644 /dev/xt_qtaguid
140
141# Create location for fs_mgr to store abbreviated output from filesystem
142# checker programs.
143    mkdir /dev/fscklogs 0770 root system
144
145on post-fs
146    # once everything is setup, no need to modify /
147    mount rootfs rootfs / ro remount
148    # mount shared so changes propagate into child namespaces
149    mount rootfs rootfs / shared rec
150
151    # We chown/chmod /cache again so because mount is run as root + defaults
152    chown system cache /cache
153    chmod 0770 /cache
154    # We restorecon /cache in case the cache partition has been reset.
155    restorecon /cache
156
157    # This may have been created by the recovery system with odd permissions
158    chown system cache /cache/recovery
159    chmod 0770 /cache/recovery
160    # This may have been created by the recovery system with the wrong context.
161    restorecon /cache/recovery
162
163    #change permissions on vmallocinfo so we can grab it from bugreports
164    chown root log /proc/vmallocinfo
165    chmod 0440 /proc/vmallocinfo
166
167    chown root log /proc/slabinfo
168    chmod 0440 /proc/slabinfo
169
170    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
171    chown root system /proc/kmsg
172    chmod 0440 /proc/kmsg
173    chown root system /proc/sysrq-trigger
174    chmod 0220 /proc/sysrq-trigger
175    chown system log /proc/last_kmsg
176    chmod 0440 /proc/last_kmsg
177
178    # create the lost+found directories, so as to enforce our permissions
179    mkdir /cache/lost+found 0770 root root
180
181on post-fs-data
182    # We chown/chmod /data again so because mount is run as root + defaults
183    chown system system /data
184    chmod 0771 /data
185    # We restorecon /data in case the userdata partition has been reset.
186    restorecon /data
187
188    # Avoid predictable entropy pool. Carry over entropy from previous boot.
189    copy /data/system/entropy.dat /dev/urandom
190
191    # Create dump dir and collect dumps.
192    # Do this before we mount cache so eventually we can use cache for
193    # storing dumps on platforms which do not have a dedicated dump partition.
194    mkdir /data/dontpanic 0750 root log
195
196    # Collect apanic data, free resources and re-arm trigger
197    copy /proc/apanic_console /data/dontpanic/apanic_console
198    chown root log /data/dontpanic/apanic_console
199    chmod 0640 /data/dontpanic/apanic_console
200
201    copy /proc/apanic_threads /data/dontpanic/apanic_threads
202    chown root log /data/dontpanic/apanic_threads
203    chmod 0640 /data/dontpanic/apanic_threads
204
205    write /proc/apanic_console 1
206
207    # create basic filesystem structure
208    mkdir /data/misc 01771 system misc
209    mkdir /data/misc/adb 02750 system shell
210    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
211    mkdir /data/misc/bluetooth 0770 system system
212    mkdir /data/misc/keystore 0700 keystore keystore
213    mkdir /data/misc/keychain 0771 system system
214    mkdir /data/misc/radio 0770 system radio
215    mkdir /data/misc/sms 0770 system radio
216    mkdir /data/misc/zoneinfo 0775 system system
217    restorecon_recursive /data/misc/zoneinfo
218    mkdir /data/misc/vpn 0770 system vpn
219    mkdir /data/misc/systemkeys 0700 system system
220    # give system access to wpa_supplicant.conf for backup and restore
221    mkdir /data/misc/wifi 0770 wifi wifi
222    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
223    mkdir /data/local 0751 root root
224    mkdir /data/misc/media 0700 media media
225    restorecon_recursive /data/misc/media
226
227    # Set security context of any pre-existing /data/misc/adb/adb_keys file.
228    restorecon /data/misc/adb
229    restorecon /data/misc/adb/adb_keys
230
231    # For security reasons, /data/local/tmp should always be empty.
232    # Do not place files or directories in /data/local/tmp
233    mkdir /data/local/tmp 0771 shell shell
234    mkdir /data/data 0771 system system
235    mkdir /data/app-private 0771 system system
236    mkdir /data/app-asec 0700 root root
237    mkdir /data/app-lib 0771 system system
238    mkdir /data/app 0771 system system
239    mkdir /data/property 0700 root root
240    mkdir /data/ssh 0750 root shell
241    mkdir /data/ssh/empty 0700 root root
242
243    # create dalvik-cache, so as to enforce our permissions
244    mkdir /data/dalvik-cache 0771 system system
245
246    # create resource-cache and double-check the perms
247    mkdir /data/resource-cache 0771 system system
248    chown system system /data/resource-cache
249    chmod 0771 /data/resource-cache
250
251    # create the lost+found directories, so as to enforce our permissions
252    mkdir /data/lost+found 0770 root root
253
254    # create directory for DRM plug-ins - give drm the read/write access to
255    # the following directory.
256    mkdir /data/drm 0770 drm drm
257
258    # create directory for MediaDrm plug-ins - give drm the read/write access to
259    # the following directory.
260    mkdir /data/mediadrm 0770 mediadrm mediadrm
261    restorecon_recursive /data/mediadrm
262
263    # symlink to bugreport storage location
264    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
265
266    # Separate location for storing security policy files on data
267    mkdir /data/security 0711 system system
268
269    # Reload policy from /data/security if present.
270    setprop selinux.reload_policy 1
271
272    # If there is no fs-post-data action in the init.<device>.rc file, you
273    # must uncomment this line, otherwise encrypted filesystems
274    # won't work.
275    # Set indication (checked by vold) that we have finished this action
276    #setprop vold.post_fs_data_done 1
277
278on boot
279# basic network init
280    ifup lo
281    hostname localhost
282    domainname localdomain
283
284# set RLIMIT_NICE to allow priorities from 19 to -20
285    setrlimit 13 40 40
286
287# Memory management.  Basic kernel parameters, and allow the high
288# level system server to be able to adjust the kernel OOM driver
289# parameters to match how it is managing things.
290    write /proc/sys/vm/overcommit_memory 1
291    write /proc/sys/vm/min_free_order_shift 4
292    chown root system /sys/module/lowmemorykiller/parameters/adj
293    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
294    chown root system /sys/module/lowmemorykiller/parameters/minfree
295    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
296
297    # Tweak background writeout
298    write /proc/sys/vm/dirty_expire_centisecs 200
299    write /proc/sys/vm/dirty_background_ratio  5
300
301    # Permissions for System Server and daemons.
302    chown radio system /sys/android_power/state
303    chown radio system /sys/android_power/request_state
304    chown radio system /sys/android_power/acquire_full_wake_lock
305    chown radio system /sys/android_power/acquire_partial_wake_lock
306    chown radio system /sys/android_power/release_wake_lock
307    chown system system /sys/power/autosleep
308    chown system system /sys/power/state
309    chown system system /sys/power/wakeup_count
310    chown radio system /sys/power/wake_lock
311    chown radio system /sys/power/wake_unlock
312    chmod 0660 /sys/power/state
313    chmod 0660 /sys/power/wake_lock
314    chmod 0660 /sys/power/wake_unlock
315
316    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
317    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
318    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
319    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
320    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
321    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
322    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
323    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
324    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
325    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
326    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
327    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
328    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
329    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
330    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
331    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
332    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
333    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
334    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
335    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
336    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
337    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
338    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
339
340    # Assume SMP uses shared cpufreq policy for all CPUs
341    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
342    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
343
344    chown system system /sys/class/timed_output/vibrator/enable
345    chown system system /sys/class/leds/keyboard-backlight/brightness
346    chown system system /sys/class/leds/lcd-backlight/brightness
347    chown system system /sys/class/leds/button-backlight/brightness
348    chown system system /sys/class/leds/jogball-backlight/brightness
349    chown system system /sys/class/leds/red/brightness
350    chown system system /sys/class/leds/green/brightness
351    chown system system /sys/class/leds/blue/brightness
352    chown system system /sys/class/leds/red/device/grpfreq
353    chown system system /sys/class/leds/red/device/grppwm
354    chown system system /sys/class/leds/red/device/blink
355    chown system system /sys/class/timed_output/vibrator/enable
356    chown system system /sys/module/sco/parameters/disable_esco
357    chown system system /sys/kernel/ipv4/tcp_wmem_min
358    chown system system /sys/kernel/ipv4/tcp_wmem_def
359    chown system system /sys/kernel/ipv4/tcp_wmem_max
360    chown system system /sys/kernel/ipv4/tcp_rmem_min
361    chown system system /sys/kernel/ipv4/tcp_rmem_def
362    chown system system /sys/kernel/ipv4/tcp_rmem_max
363    chown root radio /proc/cmdline
364
365# Define TCP buffer sizes for various networks
366#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
367    setprop net.tcp.buffersize.default  4096,87380,110208,4096,16384,110208
368    setprop net.tcp.buffersize.wifi     524288,1048576,2097152,262144,524288,1048576
369    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
370    setprop net.tcp.buffersize.lte      524288,1048576,2097152,262144,524288,1048576
371    setprop net.tcp.buffersize.umts     4094,87380,110208,4096,16384,110208
372    setprop net.tcp.buffersize.hspa     4094,87380,262144,4096,16384,262144
373    setprop net.tcp.buffersize.hsupa    4094,87380,262144,4096,16384,262144
374    setprop net.tcp.buffersize.hsdpa    4094,87380,262144,4096,16384,262144
375    setprop net.tcp.buffersize.hspap    4094,87380,1220608,4096,16384,1220608
376    setprop net.tcp.buffersize.edge     4093,26280,35040,4096,16384,35040
377    setprop net.tcp.buffersize.gprs     4092,8760,11680,4096,8760,11680
378    setprop net.tcp.buffersize.evdo     4094,87380,262144,4096,16384,262144
379
380    class_start core
381    class_start main
382
383on nonencrypted
384    class_start late_start
385
386on charger
387    class_start charger
388
389on property:vold.decrypt=trigger_reset_main
390    class_reset main
391
392on property:vold.decrypt=trigger_load_persist_props
393    load_persist_props
394
395on property:vold.decrypt=trigger_post_fs_data
396    trigger post-fs-data
397
398on property:vold.decrypt=trigger_restart_min_framework
399    class_start main
400
401on property:vold.decrypt=trigger_restart_framework
402    class_start main
403    class_start late_start
404
405on property:vold.decrypt=trigger_shutdown_framework
406    class_reset late_start
407    class_reset main
408
409on property:sys.powerctl=*
410    powerctl ${sys.powerctl}
411
412# system server cannot write to /proc/sys files, so proxy it through init
413on property:sys.sysctl.extra_free_kbytes=*
414    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
415
416## Daemon processes to be run by init.
417##
418service ueventd /sbin/ueventd
419    class core
420    critical
421    seclabel u:r:ueventd:s0
422
423service healthd /sbin/healthd
424    class core
425    critical
426    seclabel u:r:healthd:s0
427
428service healthd-charger /sbin/healthd -n
429    class charger
430    critical
431    seclabel u:r:healthd:s0
432
433service console /system/bin/sh
434    class core
435    console
436    disabled
437    user shell
438    group log
439    seclabel u:r:shell:s0
440
441on property:ro.debuggable=1
442    start console
443
444# adbd is controlled via property triggers in init.<platform>.usb.rc
445service adbd /sbin/adbd
446    class core
447    socket adbd stream 660 system system
448    disabled
449    seclabel u:r:adbd:s0
450
451# adbd on at boot in emulator
452on property:ro.kernel.qemu=1
453    start adbd
454
455service servicemanager /system/bin/servicemanager
456    class core
457    user system
458    group system
459    critical
460    onrestart restart healthd
461    onrestart restart zygote
462    onrestart restart media
463    onrestart restart surfaceflinger
464    onrestart restart drm
465
466service vold /system/bin/vold
467    class core
468    socket vold stream 0660 root mount
469    ioprio be 2
470
471service netd /system/bin/netd
472    class main
473    socket netd stream 0660 root system
474    socket dnsproxyd stream 0660 root inet
475    socket mdns stream 0660 root system
476
477service debuggerd /system/bin/debuggerd
478    class main
479
480service ril-daemon /system/bin/rild
481    class main
482    socket rild stream 660 root radio
483    socket rild-debug stream 660 radio system
484    user root
485    group radio cache inet misc audio log
486
487service surfaceflinger /system/bin/surfaceflinger
488    class main
489    user system
490    group graphics drmrpc
491    onrestart restart zygote
492
493service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
494    class main
495    socket zygote stream 660 root system
496    onrestart write /sys/android_power/request_state wake
497    onrestart write /sys/power/state on
498    onrestart restart media
499    onrestart restart netd
500
501service drm /system/bin/drmserver
502    class main
503    user drm
504    group drm system inet drmrpc
505
506service media /system/bin/mediaserver
507    class main
508    user media
509    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
510    ioprio rt 4
511
512service bootanim /system/bin/bootanimation
513    class main
514    user graphics
515    group graphics
516    disabled
517    oneshot
518
519service installd /system/bin/installd
520    class main
521    socket installd stream 600 system system
522
523service flash_recovery /system/etc/install-recovery.sh
524    class main
525    oneshot
526
527service racoon /system/bin/racoon
528    class main
529    socket racoon stream 600 system system
530    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
531    group vpn net_admin inet
532    disabled
533    oneshot
534
535service mtpd /system/bin/mtpd
536    class main
537    socket mtpd stream 600 system system
538    user vpn
539    group vpn net_admin inet net_raw
540    disabled
541    oneshot
542
543service keystore /system/bin/keystore /data/misc/keystore
544    class main
545    user keystore
546    group keystore drmrpc
547
548service dumpstate /system/bin/dumpstate -s
549    class main
550    socket dumpstate stream 0660 shell log
551    disabled
552    oneshot
553
554service sshd /system/bin/start-ssh
555    class main
556    disabled
557
558service mdnsd /system/bin/mdnsd
559    class main
560    user mdnsr
561    group inet net_raw
562    socket mdnsd stream 0660 mdnsr inet
563    disabled
564    oneshot
565