init.rc revision ae6f3d7c05070f7e0e56fe0056c8923c6ee2f473
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8import /init.usb.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ASEC_MOUNTPOINT /mnt/asec 38 export LOOP_MOUNTPOINT /mnt/obb 39 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 40 41# Backward compatibility 42 symlink /system/etc /etc 43 symlink /sys/kernel/debug /d 44 45# Right now vendor lives on the same filesystem as system, 46# but someday that may change. 47 symlink /system/vendor /vendor 48 49# Create cgroup mount point for cpu accounting 50 mkdir /acct 51 mount cgroup none /acct cpuacct 52 mkdir /acct/uid 53 54 mkdir /system 55 mkdir /data 0771 system system 56 mkdir /cache 0770 system cache 57 mkdir /config 0500 root root 58 59 # Directory for putting things only root should see. 60 mkdir /mnt/secure 0700 root root 61 62 # Directory for staging bindmounts 63 mkdir /mnt/secure/staging 0700 root root 64 65 # Directory-target for where the secure container 66 # imagefile directory will be bind-mounted 67 mkdir /mnt/secure/asec 0700 root root 68 69 # Secure container public mount points. 70 mkdir /mnt/asec 0700 root system 71 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 72 73 # Filesystem image public mount points. 74 mkdir /mnt/obb 0700 root system 75 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 76 77 write /proc/sys/kernel/panic_on_oops 1 78 write /proc/sys/kernel/hung_task_timeout_secs 0 79 write /proc/cpu/alignment 4 80 write /proc/sys/kernel/sched_latency_ns 10000000 81 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 82 write /proc/sys/kernel/sched_compat_yield 1 83 write /proc/sys/kernel/sched_child_runs_first 0 84 write /proc/sys/kernel/randomize_va_space 2 85 write /proc/sys/kernel/kptr_restrict 2 86 write /proc/sys/kernel/dmesg_restrict 1 87 write /proc/sys/vm/mmap_min_addr 32768 88 write /proc/sys/kernel/sched_rt_runtime_us 950000 89 write /proc/sys/kernel/sched_rt_period_us 1000000 90 91# Create cgroup mount points for process groups 92 mkdir /dev/cpuctl 93 mount cgroup none /dev/cpuctl cpu 94 chown system system /dev/cpuctl 95 chown system system /dev/cpuctl/tasks 96 chmod 0660 /dev/cpuctl/tasks 97 write /dev/cpuctl/cpu.shares 1024 98 write /dev/cpuctl/cpu.rt_runtime_us 950000 99 write /dev/cpuctl/cpu.rt_period_us 1000000 100 101 mkdir /dev/cpuctl/apps 102 chown system system /dev/cpuctl/apps/tasks 103 chmod 0666 /dev/cpuctl/apps/tasks 104 write /dev/cpuctl/apps/cpu.shares 1024 105 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 106 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 107 108 mkdir /dev/cpuctl/apps/bg_non_interactive 109 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 110 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 111 # 5.0 % 112 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 113 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 114 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 115 116# Allow everybody to read the xt_qtaguid resource tracking misc dev. 117# This is needed by any process that uses socket tagging. 118 chmod 0644 /dev/xt_qtaguid 119 120on fs 121# mount mtd partitions 122 # Mount /system rw first to give the filesystem a chance to save a checkpoint 123 mount yaffs2 mtd@system /system 124 mount yaffs2 mtd@system /system ro remount 125 mount yaffs2 mtd@userdata /data nosuid nodev 126 mount yaffs2 mtd@cache /cache nosuid nodev 127 128on post-fs 129 # once everything is setup, no need to modify / 130 mount rootfs rootfs / ro remount 131 132 # We chown/chmod /cache again so because mount is run as root + defaults 133 chown system cache /cache 134 chmod 0770 /cache 135 # We restorecon /cache in case the cache partition has been reset. 136 restorecon /cache 137 138 # This may have been created by the recovery system with odd permissions 139 chown system cache /cache/recovery 140 chmod 0770 /cache/recovery 141 # This may have been created by the recovery system with the wrong context. 142 restorecon /cache/recovery 143 144 #change permissions on vmallocinfo so we can grab it from bugreports 145 chown root log /proc/vmallocinfo 146 chmod 0440 /proc/vmallocinfo 147 148 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 149 chown root system /proc/kmsg 150 chmod 0440 /proc/kmsg 151 chown root system /proc/sysrq-trigger 152 chmod 0220 /proc/sysrq-trigger 153 154 # create the lost+found directories, so as to enforce our permissions 155 mkdir /cache/lost+found 0770 root root 156 157on post-fs-data 158 # We chown/chmod /data again so because mount is run as root + defaults 159 chown system system /data 160 chmod 0771 /data 161 # We restorecon /data in case the userdata partition has been reset. 162 restorecon /data 163 164 # Create dump dir and collect dumps. 165 # Do this before we mount cache so eventually we can use cache for 166 # storing dumps on platforms which do not have a dedicated dump partition. 167 mkdir /data/dontpanic 0750 root log 168 169 # Collect apanic data, free resources and re-arm trigger 170 copy /proc/apanic_console /data/dontpanic/apanic_console 171 chown root log /data/dontpanic/apanic_console 172 chmod 0640 /data/dontpanic/apanic_console 173 174 copy /proc/apanic_threads /data/dontpanic/apanic_threads 175 chown root log /data/dontpanic/apanic_threads 176 chmod 0640 /data/dontpanic/apanic_threads 177 178 write /proc/apanic_console 1 179 180 # create basic filesystem structure 181 mkdir /data/misc 01771 system misc 182 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 183 mkdir /data/misc/bluetooth 0770 system system 184 mkdir /data/misc/keystore 0700 keystore keystore 185 mkdir /data/misc/keychain 0771 system system 186 mkdir /data/misc/vpn 0770 system vpn 187 mkdir /data/misc/systemkeys 0700 system system 188 # give system access to wpa_supplicant.conf for backup and restore 189 mkdir /data/misc/wifi 0770 wifi wifi 190 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 191 mkdir /data/local 0751 root root 192 193 # For security reasons, /data/local/tmp should always be empty. 194 # Do not place files or directories in /data/local/tmp 195 mkdir /data/local/tmp 0771 shell shell 196 mkdir /data/data 0771 system system 197 mkdir /data/app-private 0771 system system 198 mkdir /data/app-asec 0700 root root 199 mkdir /data/app 0771 system system 200 mkdir /data/property 0700 root root 201 mkdir /data/ssh 0750 root shell 202 mkdir /data/ssh/empty 0700 root root 203 204 # create dalvik-cache, so as to enforce our permissions 205 mkdir /data/dalvik-cache 0771 system system 206 207 # create resource-cache and double-check the perms 208 mkdir /data/resource-cache 0771 system system 209 chown system system /data/resource-cache 210 chmod 0771 /data/resource-cache 211 212 # create the lost+found directories, so as to enforce our permissions 213 mkdir /data/lost+found 0770 root root 214 215 # create directory for DRM plug-ins - give drm the read/write access to 216 # the following directory. 217 mkdir /data/drm 0770 drm drm 218 219 # If there is no fs-post-data action in the init.<device>.rc file, you 220 # must uncomment this line, otherwise encrypted filesystems 221 # won't work. 222 # Set indication (checked by vold) that we have finished this action 223 #setprop vold.post_fs_data_done 1 224 225on boot 226# basic network init 227 ifup lo 228 hostname localhost 229 domainname localdomain 230 231# set RLIMIT_NICE to allow priorities from 19 to -20 232 setrlimit 13 40 40 233 234# Memory management. Basic kernel parameters, and allow the high 235# level system server to be able to adjust the kernel OOM driver 236# parameters to match how it is managing things. 237 write /proc/sys/vm/overcommit_memory 1 238 write /proc/sys/vm/min_free_order_shift 4 239 chown root system /sys/module/lowmemorykiller/parameters/adj 240 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 241 chown root system /sys/module/lowmemorykiller/parameters/minfree 242 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 243 244 # Tweak background writeout 245 write /proc/sys/vm/dirty_expire_centisecs 200 246 write /proc/sys/vm/dirty_background_ratio 5 247 248 # Permissions for System Server and daemons. 249 chown radio system /sys/android_power/state 250 chown radio system /sys/android_power/request_state 251 chown radio system /sys/android_power/acquire_full_wake_lock 252 chown radio system /sys/android_power/acquire_partial_wake_lock 253 chown radio system /sys/android_power/release_wake_lock 254 chown system system /sys/power/state 255 chown system system /sys/power/wakeup_count 256 chown radio system /sys/power/wake_lock 257 chown radio system /sys/power/wake_unlock 258 chmod 0660 /sys/power/state 259 chmod 0660 /sys/power/wake_lock 260 chmod 0660 /sys/power/wake_unlock 261 262 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 263 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 264 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 265 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 266 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 267 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 268 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 269 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 270 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 271 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 272 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 273 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 274 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 275 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 276 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 277 278 # Assume SMP uses shared cpufreq policy for all CPUs 279 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 280 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 281 282 chown system system /sys/class/timed_output/vibrator/enable 283 chown system system /sys/class/leds/keyboard-backlight/brightness 284 chown system system /sys/class/leds/lcd-backlight/brightness 285 chown system system /sys/class/leds/button-backlight/brightness 286 chown system system /sys/class/leds/jogball-backlight/brightness 287 chown system system /sys/class/leds/red/brightness 288 chown system system /sys/class/leds/green/brightness 289 chown system system /sys/class/leds/blue/brightness 290 chown system system /sys/class/leds/red/device/grpfreq 291 chown system system /sys/class/leds/red/device/grppwm 292 chown system system /sys/class/leds/red/device/blink 293 chown system system /sys/class/leds/red/brightness 294 chown system system /sys/class/leds/green/brightness 295 chown system system /sys/class/leds/blue/brightness 296 chown system system /sys/class/leds/red/device/grpfreq 297 chown system system /sys/class/leds/red/device/grppwm 298 chown system system /sys/class/leds/red/device/blink 299 chown system system /sys/class/timed_output/vibrator/enable 300 chown system system /sys/module/sco/parameters/disable_esco 301 chown system system /sys/kernel/ipv4/tcp_wmem_min 302 chown system system /sys/kernel/ipv4/tcp_wmem_def 303 chown system system /sys/kernel/ipv4/tcp_wmem_max 304 chown system system /sys/kernel/ipv4/tcp_rmem_min 305 chown system system /sys/kernel/ipv4/tcp_rmem_def 306 chown system system /sys/kernel/ipv4/tcp_rmem_max 307 chown root radio /proc/cmdline 308 309# Define TCP buffer sizes for various networks 310# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 311 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 312 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 313 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 314 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 315 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 316 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 317 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 318 319# Set this property so surfaceflinger is not started by system_init 320 setprop system_init.startsurfaceflinger 0 321 322 class_start core 323 class_start main 324 325on nonencrypted 326 class_start late_start 327 328on charger 329 class_start charger 330 331on property:vold.decrypt=trigger_reset_main 332 class_reset main 333 334on property:vold.decrypt=trigger_load_persist_props 335 load_persist_props 336 337on property:vold.decrypt=trigger_post_fs_data 338 trigger post-fs-data 339 340on property:vold.decrypt=trigger_restart_min_framework 341 class_start main 342 343on property:vold.decrypt=trigger_restart_framework 344 class_start main 345 class_start late_start 346 347on property:vold.decrypt=trigger_shutdown_framework 348 class_reset late_start 349 class_reset main 350 351## Daemon processes to be run by init. 352## 353service ueventd /sbin/ueventd 354 class core 355 critical 356 seclabel u:r:ueventd:s0 357 358on property:selinux.reload_policy=1 359 restart ueventd 360 restart installd 361 362service console /system/bin/sh 363 class core 364 console 365 disabled 366 user shell 367 group log 368 369on property:ro.debuggable=1 370 start console 371 372# adbd is controlled via property triggers in init.<platform>.usb.rc 373service adbd /sbin/adbd 374 class core 375 disabled 376 seclabel u:r:adbd:s0 377 378# adbd on at boot in emulator 379on property:ro.kernel.qemu=1 380 start adbd 381 382service servicemanager /system/bin/servicemanager 383 class core 384 user system 385 group system 386 critical 387 onrestart restart zygote 388 onrestart restart media 389 onrestart restart surfaceflinger 390 onrestart restart drm 391 392service vold /system/bin/vold 393 class core 394 socket vold stream 0660 root mount 395 ioprio be 2 396 397service netd /system/bin/netd 398 class main 399 socket netd stream 0660 root system 400 socket dnsproxyd stream 0660 root inet 401 socket mdns stream 0660 root system 402 403service debuggerd /system/bin/debuggerd 404 class main 405 406service ril-daemon /system/bin/rild 407 class main 408 socket rild stream 660 root radio 409 socket rild-debug stream 660 radio system 410 user root 411 group radio cache inet misc audio sdcard_rw log 412 413service surfaceflinger /system/bin/surfaceflinger 414 class main 415 user system 416 group graphics 417 onrestart restart zygote 418 419service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 420 class main 421 socket zygote stream 660 root system 422 onrestart write /sys/android_power/request_state wake 423 onrestart write /sys/power/state on 424 onrestart restart media 425 onrestart restart netd 426 427service drm /system/bin/drmserver 428 class main 429 user drm 430 group drm system inet drmrpc sdcard_r 431 432service media /system/bin/mediaserver 433 class main 434 user media 435 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 436 ioprio rt 4 437 438service bootanim /system/bin/bootanimation 439 class main 440 user graphics 441 group graphics 442 disabled 443 oneshot 444 445service dbus /system/bin/dbus-daemon --system --nofork 446 class main 447 socket dbus stream 660 bluetooth bluetooth 448 user bluetooth 449 group bluetooth net_bt_admin 450 451service bluetoothd /system/bin/bluetoothd -n 452 class main 453 socket bluetooth stream 660 bluetooth bluetooth 454 socket dbus_bluetooth stream 660 bluetooth bluetooth 455 # init.rc does not yet support applying capabilities, so run as root and 456 # let bluetoothd drop uid to bluetooth with the right linux capabilities 457 group bluetooth net_bt_admin misc 458 disabled 459 460service installd /system/bin/installd 461 class main 462 socket installd stream 600 system system 463 464service flash_recovery /system/etc/install-recovery.sh 465 class main 466 oneshot 467 468service racoon /system/bin/racoon 469 class main 470 socket racoon stream 600 system system 471 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 472 group vpn net_admin inet 473 disabled 474 oneshot 475 476service mtpd /system/bin/mtpd 477 class main 478 socket mtpd stream 600 system system 479 user vpn 480 group vpn net_admin inet net_raw 481 disabled 482 oneshot 483 484service keystore /system/bin/keystore /data/misc/keystore 485 class main 486 user keystore 487 group keystore drmrpc 488 socket keystore stream 666 489 490service dumpstate /system/bin/dumpstate -s 491 class main 492 socket dumpstate stream 0660 shell log 493 disabled 494 oneshot 495 496service sshd /system/bin/start-ssh 497 class main 498 disabled 499 500service mdnsd /system/bin/mdnsd 501 class main 502 user mdnsr 503 group inet net_raw 504 socket mdnsd stream 0660 mdnsr inet 505 disabled 506 oneshot 507