init.rc revision aacded70196acf958ddd26149dec9709571f1f56
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.environ.rc 8import /init.usb.rc 9import /init.${ro.hardware}.rc 10import /init.trace.rc 11 12on early-init 13 # Set init and its forked children's oom_adj. 14 write /proc/1/oom_adj -16 15 16 # Set the security context for the init process. 17 # This should occur before anything else (e.g. ueventd) is started. 18 setcon u:r:init:s0 19 20 start ueventd 21 22# create mountpoints 23 mkdir /mnt 0775 root system 24 25on init 26 27sysclktz 0 28 29loglevel 3 30 31# Backward compatibility 32 symlink /system/etc /etc 33 symlink /sys/kernel/debug /d 34 35# Right now vendor lives on the same filesystem as system, 36# but someday that may change. 37 symlink /system/vendor /vendor 38 39# Create cgroup mount point for cpu accounting 40 mkdir /acct 41 mount cgroup none /acct cpuacct 42 mkdir /acct/uid 43 44# Create cgroup mount point for memory 45 mount tmpfs none /sys/fs/cgroup 46 mkdir /sys/fs/cgroup/memory 47 mount cgroup none /sys/fs/cgroup/memory memory 48 write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 49 chown root system /sys/fs/cgroup/memory/tasks 50 chmod 0660 /sys/fs/cgroup/memory/tasks 51 mkdir /sys/fs/cgroup/memory/sw 52 write /sys/fs/cgroup/memory/sw/memory.swappiness 100 53 write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 54 chown root system /sys/fs/cgroup/memory/sw/tasks 55 chmod 0660 /sys/fs/cgroup/memory/sw/tasks 56 57 mkdir /system 58 mkdir /data 0771 system system 59 mkdir /cache 0770 system cache 60 mkdir /config 0500 root root 61 62 # See storage config details at http://source.android.com/tech/storage/ 63 mkdir /mnt/shell 0700 shell shell 64 mkdir /storage 0050 root sdcard_r 65 66 # Directory for putting things only root should see. 67 mkdir /mnt/secure 0700 root root 68 # Create private mountpoint so we can MS_MOVE from staging 69 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 70 71 # Directory for staging bindmounts 72 mkdir /mnt/secure/staging 0700 root root 73 74 # Directory-target for where the secure container 75 # imagefile directory will be bind-mounted 76 mkdir /mnt/secure/asec 0700 root root 77 78 # Secure container public mount points. 79 mkdir /mnt/asec 0700 root system 80 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 81 82 # Filesystem image public mount points. 83 mkdir /mnt/obb 0700 root system 84 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 85 86 # memory control cgroup 87 mkdir /dev/memcg 0700 root system 88 mount cgroup none /dev/memcg memory 89 90 write /proc/sys/kernel/panic_on_oops 1 91 write /proc/sys/kernel/hung_task_timeout_secs 0 92 write /proc/cpu/alignment 4 93 write /proc/sys/kernel/sched_latency_ns 10000000 94 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 95 write /proc/sys/kernel/sched_compat_yield 1 96 write /proc/sys/kernel/sched_child_runs_first 0 97 write /proc/sys/kernel/randomize_va_space 2 98 write /proc/sys/kernel/kptr_restrict 2 99 write /proc/sys/kernel/dmesg_restrict 1 100 write /proc/sys/vm/mmap_min_addr 32768 101 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 102 write /proc/sys/kernel/sched_rt_runtime_us 950000 103 write /proc/sys/kernel/sched_rt_period_us 1000000 104 105# Create cgroup mount points for process groups 106 mkdir /dev/cpuctl 107 mount cgroup none /dev/cpuctl cpu 108 chown system system /dev/cpuctl 109 chown system system /dev/cpuctl/tasks 110 chmod 0660 /dev/cpuctl/tasks 111 write /dev/cpuctl/cpu.shares 1024 112 write /dev/cpuctl/cpu.rt_runtime_us 950000 113 write /dev/cpuctl/cpu.rt_period_us 1000000 114 115 mkdir /dev/cpuctl/apps 116 chown system system /dev/cpuctl/apps/tasks 117 chmod 0666 /dev/cpuctl/apps/tasks 118 write /dev/cpuctl/apps/cpu.shares 1024 119 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 120 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 121 122 mkdir /dev/cpuctl/apps/bg_non_interactive 123 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 124 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 125 # 5.0 % 126 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 127 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 128 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 129 130# qtaguid will limit access to specific data based on group memberships. 131# net_bw_acct grants impersonation of socket owners. 132# net_bw_stats grants access to other apps' detailed tagged-socket stats. 133 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 134 chown root net_bw_stats /proc/net/xt_qtaguid/stats 135 136# Allow everybody to read the xt_qtaguid resource tracking misc dev. 137# This is needed by any process that uses socket tagging. 138 chmod 0644 /dev/xt_qtaguid 139 140on post-fs 141 # once everything is setup, no need to modify / 142 mount rootfs rootfs / ro remount 143 # mount shared so changes propagate into child namespaces 144 mount rootfs rootfs / shared rec 145 mount tmpfs tmpfs /mnt/secure private rec 146 147 # We chown/chmod /cache again so because mount is run as root + defaults 148 chown system cache /cache 149 chmod 0770 /cache 150 # We restorecon /cache in case the cache partition has been reset. 151 restorecon /cache 152 153 # This may have been created by the recovery system with odd permissions 154 chown system cache /cache/recovery 155 chmod 0770 /cache/recovery 156 # This may have been created by the recovery system with the wrong context. 157 restorecon /cache/recovery 158 159 #change permissions on vmallocinfo so we can grab it from bugreports 160 chown root log /proc/vmallocinfo 161 chmod 0440 /proc/vmallocinfo 162 163 chown root log /proc/slabinfo 164 chmod 0440 /proc/slabinfo 165 166 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 167 chown root system /proc/kmsg 168 chmod 0440 /proc/kmsg 169 chown root system /proc/sysrq-trigger 170 chmod 0220 /proc/sysrq-trigger 171 chown system log /proc/last_kmsg 172 chmod 0440 /proc/last_kmsg 173 174 # create the lost+found directories, so as to enforce our permissions 175 mkdir /cache/lost+found 0770 root root 176 177on post-fs-data 178 # We chown/chmod /data again so because mount is run as root + defaults 179 chown system system /data 180 chmod 0771 /data 181 # We restorecon /data in case the userdata partition has been reset. 182 restorecon /data 183 184 # Create dump dir and collect dumps. 185 # Do this before we mount cache so eventually we can use cache for 186 # storing dumps on platforms which do not have a dedicated dump partition. 187 mkdir /data/dontpanic 0750 root log 188 189 # Collect apanic data, free resources and re-arm trigger 190 copy /proc/apanic_console /data/dontpanic/apanic_console 191 chown root log /data/dontpanic/apanic_console 192 chmod 0640 /data/dontpanic/apanic_console 193 194 copy /proc/apanic_threads /data/dontpanic/apanic_threads 195 chown root log /data/dontpanic/apanic_threads 196 chmod 0640 /data/dontpanic/apanic_threads 197 198 write /proc/apanic_console 1 199 200 # create basic filesystem structure 201 mkdir /data/misc 01771 system misc 202 mkdir /data/misc/adb 02750 system shell 203 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 204 mkdir /data/misc/bluetooth 0770 system system 205 mkdir /data/misc/keystore 0700 keystore keystore 206 mkdir /data/misc/keychain 0771 system system 207 mkdir /data/misc/radio 0770 system radio 208 mkdir /data/misc/sms 0770 system radio 209 mkdir /data/misc/zoneinfo 0775 system system 210 mkdir /data/misc/vpn 0770 system vpn 211 mkdir /data/misc/systemkeys 0700 system system 212 # give system access to wpa_supplicant.conf for backup and restore 213 mkdir /data/misc/wifi 0770 wifi wifi 214 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 215 mkdir /data/local 0751 root root 216 mkdir /data/misc/media 0700 media media 217 218 # For security reasons, /data/local/tmp should always be empty. 219 # Do not place files or directories in /data/local/tmp 220 mkdir /data/local/tmp 0771 shell shell 221 mkdir /data/data 0771 system system 222 mkdir /data/app-private 0771 system system 223 mkdir /data/app-asec 0700 root root 224 mkdir /data/app-lib 0771 system system 225 mkdir /data/app 0771 system system 226 mkdir /data/property 0700 root root 227 mkdir /data/ssh 0750 root shell 228 mkdir /data/ssh/empty 0700 root root 229 230 # create dalvik-cache, so as to enforce our permissions 231 mkdir /data/dalvik-cache 0771 system system 232 233 # create resource-cache and double-check the perms 234 mkdir /data/resource-cache 0771 system system 235 chown system system /data/resource-cache 236 chmod 0771 /data/resource-cache 237 238 # create the lost+found directories, so as to enforce our permissions 239 mkdir /data/lost+found 0770 root root 240 241 # create directory for DRM plug-ins - give drm the read/write access to 242 # the following directory. 243 mkdir /data/drm 0770 drm drm 244 245 # create directory for MediaDrm plug-ins - give drm the read/write access to 246 # the following directory. 247 mkdir /data/mediadrm 0770 mediadrm mediadrm 248 249 # symlink to bugreport storage location 250 symlink /data/data/com.android.shell/files/bugreports /data/bugreports 251 252 # Separate location for storing security policy files on data 253 mkdir /data/security 0711 system system 254 255 # If there is no fs-post-data action in the init.<device>.rc file, you 256 # must uncomment this line, otherwise encrypted filesystems 257 # won't work. 258 # Set indication (checked by vold) that we have finished this action 259 #setprop vold.post_fs_data_done 1 260 261on boot 262# basic network init 263 ifup lo 264 hostname localhost 265 domainname localdomain 266 267# set RLIMIT_NICE to allow priorities from 19 to -20 268 setrlimit 13 40 40 269 270# Memory management. Basic kernel parameters, and allow the high 271# level system server to be able to adjust the kernel OOM driver 272# parameters to match how it is managing things. 273 write /proc/sys/vm/overcommit_memory 1 274 write /proc/sys/vm/min_free_order_shift 4 275 chown root system /sys/module/lowmemorykiller/parameters/adj 276 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 277 chown root system /sys/module/lowmemorykiller/parameters/minfree 278 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 279 280 # Tweak background writeout 281 write /proc/sys/vm/dirty_expire_centisecs 200 282 write /proc/sys/vm/dirty_background_ratio 5 283 284 # Permissions for System Server and daemons. 285 chown radio system /sys/android_power/state 286 chown radio system /sys/android_power/request_state 287 chown radio system /sys/android_power/acquire_full_wake_lock 288 chown radio system /sys/android_power/acquire_partial_wake_lock 289 chown radio system /sys/android_power/release_wake_lock 290 chown system system /sys/power/autosleep 291 chown system system /sys/power/state 292 chown system system /sys/power/wakeup_count 293 chown radio system /sys/power/wake_lock 294 chown radio system /sys/power/wake_unlock 295 chmod 0660 /sys/power/state 296 chmod 0660 /sys/power/wake_lock 297 chmod 0660 /sys/power/wake_unlock 298 299 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 300 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 301 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 302 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 303 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 304 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 305 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 306 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 307 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 308 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 309 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 310 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 311 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 312 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 313 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 314 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 315 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 316 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 317 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 318 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 319 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 320 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 321 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 322 323 # Assume SMP uses shared cpufreq policy for all CPUs 324 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 325 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 326 327 chown system system /sys/class/timed_output/vibrator/enable 328 chown system system /sys/class/leds/keyboard-backlight/brightness 329 chown system system /sys/class/leds/lcd-backlight/brightness 330 chown system system /sys/class/leds/button-backlight/brightness 331 chown system system /sys/class/leds/jogball-backlight/brightness 332 chown system system /sys/class/leds/red/brightness 333 chown system system /sys/class/leds/green/brightness 334 chown system system /sys/class/leds/blue/brightness 335 chown system system /sys/class/leds/red/device/grpfreq 336 chown system system /sys/class/leds/red/device/grppwm 337 chown system system /sys/class/leds/red/device/blink 338 chown system system /sys/class/timed_output/vibrator/enable 339 chown system system /sys/module/sco/parameters/disable_esco 340 chown system system /sys/kernel/ipv4/tcp_wmem_min 341 chown system system /sys/kernel/ipv4/tcp_wmem_def 342 chown system system /sys/kernel/ipv4/tcp_wmem_max 343 chown system system /sys/kernel/ipv4/tcp_rmem_min 344 chown system system /sys/kernel/ipv4/tcp_rmem_def 345 chown system system /sys/kernel/ipv4/tcp_rmem_max 346 chown root radio /proc/cmdline 347 348# Set these so we can remotely update SELinux policy 349 chown system system /sys/fs/selinux/load 350 chown system system /sys/fs/selinux/enforce 351 352# Define TCP buffer sizes for various networks 353# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 354 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 355 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 356 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 357 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 358 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 359 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 360 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 361 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 362 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 363 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 364 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 365 366 class_start core 367 class_start main 368 369on nonencrypted 370 class_start late_start 371 372on charger 373 class_start charger 374 375on property:vold.decrypt=trigger_reset_main 376 class_reset main 377 378on property:vold.decrypt=trigger_load_persist_props 379 load_persist_props 380 381on property:vold.decrypt=trigger_post_fs_data 382 trigger post-fs-data 383 384on property:vold.decrypt=trigger_restart_min_framework 385 class_start main 386 387on property:vold.decrypt=trigger_restart_framework 388 class_start main 389 class_start late_start 390 391on property:vold.decrypt=trigger_shutdown_framework 392 class_reset late_start 393 class_reset main 394 395on property:sys.powerctl=* 396 powerctl ${sys.powerctl} 397 398# system server cannot write to /proc/sys files, so proxy it through init 399on property:sys.sysctl.extra_free_kbytes=* 400 write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} 401 402## Daemon processes to be run by init. 403## 404service ueventd /sbin/ueventd 405 class core 406 critical 407 seclabel u:r:ueventd:s0 408 409service healthd /sbin/healthd 410 class core 411 critical 412 seclabel u:r:healthd:s0 413 414service healthd-charger /sbin/healthd -n 415 class charger 416 critical 417 seclabel u:r:healthd:s0 418 419service console /system/bin/sh 420 class core 421 console 422 disabled 423 user shell 424 group log 425 426on property:ro.debuggable=1 427 start console 428 429# adbd is controlled via property triggers in init.<platform>.usb.rc 430service adbd /sbin/adbd 431 class core 432 socket adbd stream 660 system system 433 disabled 434 seclabel u:r:adbd:s0 435 436# adbd on at boot in emulator 437on property:ro.kernel.qemu=1 438 start adbd 439 440service lmkd /system/bin/lmkd 441 class core 442 critical 443 socket lmkd seqpacket 0660 system system 444 445service servicemanager /system/bin/servicemanager 446 class core 447 user system 448 group system 449 critical 450 onrestart restart healthd 451 onrestart restart zygote 452 onrestart restart media 453 onrestart restart surfaceflinger 454 onrestart restart inputflinger 455 onrestart restart drm 456 457service vold /system/bin/vold 458 class core 459 socket vold stream 0660 root mount 460 ioprio be 2 461 462service netd /system/bin/netd 463 class main 464 socket netd stream 0660 root system 465 socket dnsproxyd stream 0660 root inet 466 socket mdns stream 0660 root system 467 468service debuggerd /system/bin/debuggerd 469 class main 470 471service ril-daemon /system/bin/rild 472 class main 473 socket rild stream 660 root radio 474 socket rild-debug stream 660 radio system 475 user root 476 group radio cache inet misc audio log 477 478service surfaceflinger /system/bin/surfaceflinger 479 class main 480 user system 481 group graphics drmrpc 482 onrestart restart zygote 483 484service inputflinger /system/bin/inputflinger 485 class main 486 user system 487 group input 488 onrestart restart zygote 489 490service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 491 class main 492 socket zygote stream 660 root system 493 onrestart write /sys/android_power/request_state wake 494 onrestart write /sys/power/state on 495 onrestart restart media 496 onrestart restart netd 497 498service drm /system/bin/drmserver 499 class main 500 user drm 501 group drm system inet drmrpc 502 503service media /system/bin/mediaserver 504 class main 505 user media 506 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm 507 ioprio rt 4 508 509service bootanim /system/bin/bootanimation 510 class main 511 user graphics 512 group graphics 513 disabled 514 oneshot 515 516service installd /system/bin/installd 517 class main 518 socket installd stream 600 system system 519 520service flash_recovery /system/etc/install-recovery.sh 521 class main 522 oneshot 523 524service racoon /system/bin/racoon 525 class main 526 socket racoon stream 600 system system 527 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 528 group vpn net_admin inet 529 disabled 530 oneshot 531 532service mtpd /system/bin/mtpd 533 class main 534 socket mtpd stream 600 system system 535 user vpn 536 group vpn net_admin inet net_raw 537 disabled 538 oneshot 539 540service keystore /system/bin/keystore /data/misc/keystore 541 class main 542 user keystore 543 group keystore drmrpc 544 545service dumpstate /system/bin/dumpstate -s 546 class main 547 socket dumpstate stream 0660 shell log 548 disabled 549 oneshot 550 551service sshd /system/bin/start-ssh 552 class main 553 disabled 554 555service mdnsd /system/bin/mdnsd 556 class main 557 user mdnsr 558 group inet net_raw 559 socket mdnsd stream 0660 mdnsr inet 560 disabled 561 oneshot 562