init.rc revision a1d97e5d1c15e0adf40b5853f2f85db7008baa77
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Top-level init script: imports the per-device and per-feature rc files,
# then defines the boot-stage actions (early-init, init, post-fs,
# post-fs-data, boot), the property triggers, and the services init runs.
#
# NOTE(review): a few entries below are nevertheless accessible to every
# uid at the filesystem level (the 0666 cpuctl "tasks" files and the logd
# sockets). Each one is flagged inline so the exception stays visible.

import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_score_adj -1000

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # (0 = check the protection the kernel will actually apply, not only
    # the protection the caller requested.)
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

    # create mountpoints
    mkdir /mnt 0775 root system

on init
    sysclktz 0

    loglevel 3

    # Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Right now vendor lives on the same filesystem as system,
    # but someday that may change.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory
    # (gid 1000 = system; the tasks files end up root:system 0660, so only
    # root and group system can move tasks between memory cgroups.)
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The 0700 mode applies to the bare directory; once the tmpfs is
    # mounted on top, its root is 0755 with gid 1000 (system).
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: 0700 underneath, 0755 tmpfs on top.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel tunables. The security-relevant ones in this run are:
    #   panic_on_oops 1      - panic rather than keep running after an oops
    #   randomize_va_space 2 - full address space randomization, heap included
    #   kptr_restrict 2      - hide kernel pointers (%pK) from every user
    #   mmap_min_addr 32768  - lowest address user space may map, which
    #                          keeps the pages at and near NULL unmappable
    #   ping_group_range     - "0 2147483647" lets every gid open
    #                          unprivileged ICMP ping sockets
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # reflect fwmark from incoming packets onto generated replies
    write /proc/sys/net/ipv4/fwmark_reflect 1
    write /proc/sys/net/ipv6/fwmark_reflect 1

    # set fwmark on accepted sockets
    write /proc/sys/net/ipv4/tcp_fwmark_accept 1

    # Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file writable by every uid, an
    # exception to the "no world writable files" rule at the top of this
    # file. Presumably needed so processes can place their own threads in
    # this scheduling group - confirm, and confirm that SELinux policy
    # limits who can actually write here.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well (0666); same caveat as
    # /dev/cpuctl/apps/tasks above.
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 % (52 shares against the 1024 given to /dev/cpuctl/apps)
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    #   net_bw_acct grants impersonation of socket owners.
    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log
    # (readable by user system and group log only: 0440)
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops

# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.
on property:sys.boot_from_charger_mode=1
    class_stop charger
    trigger late-init

# Load properties from /system/ + /factory after fs mount.
on load_all_props_action
    load_all_props

# Mount filesystems and start core system services.
on late-init
    trigger early-fs
    trigger fs
    trigger post-fs
    trigger post-fs-data

    # Load properties from /system/ + /factory after fs mount. Place
    # this in another action so that the load will be scheduled after the prior
    # issued fs triggers have completed.
    trigger load_all_props_action

    trigger early-boot
    trigger boot

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # Change permissions on vmallocinfo so we can grab it from bugreports.
    # (0440 root:log - readable by root and group log, not by other uids.)
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # Change permissions on kmsg & sysrq-trigger so bugreports can grab
    # kthread stacks. sysrq-trigger is write-only (0220) for root and
    # group system; kmsg and last_kmsg are read-only (0440).
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # (Writing to /dev/urandom mixes the saved data into the pool; it does
    # not by itself credit any entropy.)
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Mode notes: 01771 on /data/misc sets the sticky bit, 02750 on
    # /data/misc/adb sets the setgid bit; keystore, systemkeys and media
    # are 0700, i.e. private to their owning uid.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/ethernet 0770 system system
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): only the mode is set here; the file's owner and group
    # are not changed in this file - confirm they are what backup expects.
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system
    mkdir /data/dalvik-cache/profiles 0711 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management. Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    # (The lowmemorykiller parameters become write-only, 0220, for root
    # and group system.)
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # Interactive cpufreq governor tunables: owned by system, mode 0660.
    # boostpulse is the one entry that is chown'ed without a chmod.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    # Ownership hand-over of device controls to system. The vibrator
    # "enable" node is listed twice in this run; the repeat is redundant.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

    # Define TCP buffer sizes for various networks
    #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts 58254,349525,1048576,58254,349525,1048576
    setprop net.tcp.buffersize.hspa 40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsupa 40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsdpa 61167,367002,1101005,8738,52429,262114
    setprop net.tcp.buffersize.hspap 122334,734003,2202010,32040,192239,576717
    setprop net.tcp.buffersize.edge 4093,26280,70800,4096,16384,70800
    setprop net.tcp.buffersize.gprs 4092,8760,48000,4096,8760,48000
    setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core

on nonencrypted
    class_start main
    class_start late_start

# The vold.decrypt triggers below start, reset or restart service classes
# according to the value written to that property.
on property:vold.decrypt=trigger_default_encryption
    start defaultcrypto

on property:vold.decrypt=trigger_encryption
    start surfaceflinger
    start encrypt
    class_start main

on property:sys.init_log_level=*
    loglevel ${sys.init_log_level}

on charger
    class_start charger

on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
# NOTE(review): init performs these writes with whatever value the
# property holds, so the set of processes allowed to set sys.sysctl.*
# is the effective access control - confirm the property permissions.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

# The property uses the shortened name "tcp_def_init_rwnd" because
# "tcp_default_init_rwnd" is too long.
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}


## Daemon processes to be run by init.
##
## Review notes for this section:
##  - A service with no "user" line keeps init's default user, root.
##  - "socket <name> <type> <perm> <user> <group>" creates /dev/socket/<name>
##    with that mode and owner, which is its filesystem-level access control.
##    NOTE(review): perms are written both as 0660 and as 660/600 below;
##    presumably init parses them all as octal - confirm.
##  - NOTE(review): services without a "seclabel" line presumably get their
##    SELinux domain from transition rules in the policy - confirm against
##    the sepolicy that ships with this revision.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

service logd /system/bin/logd
    class core
    # NOTE(review): logd and logdr are 0666 and logdw is 0222, so every
    # uid can reach these sockets at the filesystem level. Access checks
    # are presumably done inside logd and by SELinux policy - confirm.
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
    seclabel u:r:logd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Interactive shell on the console. "disabled" keeps it from starting with
# its class; the ro.debuggable=1 trigger below is what starts it.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# NOTE(review): --root_seclabel names the su domain; presumably adbd only
# switches to it when it is allowed to run as root - confirm in adbd.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system

# A servicemanager restart also restarts the services listed under
# onrestart.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart inputflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
    socket fwmarkd stream 0660 root inet

service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main

service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

service inputflinger /system/bin/inputflinger
    class main
    user system
    group input
    onrestart restart zygote

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

# One shot invocation to deal with encrypted volume.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)

# One shot invocation to encrypt unencrypted volumes
service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption)

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

service installd /system/bin/installd
    class main
    socket installd stream 600 system system

service flash_recovery /system/bin/install-recovery.sh
    class main
    seclabel u:r:install_recovery:s0
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot

service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot