init.rc revision c2594f36e789bbd49cbeeb9421a7b6a16cd30ba4
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.usb.rc 8import /init.${ro.hardware}.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ANDROID_STORAGE /storage 38 export ASEC_MOUNTPOINT /mnt/asec 39 export LOOP_MOUNTPOINT /mnt/obb 40 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 41 42# Backward compatibility 43 symlink /system/etc /etc 44 symlink /sys/kernel/debug /d 45 46# Right now vendor lives on the same filesystem as system, 47# but someday that may change. 48 symlink /system/vendor /vendor 49 50# Create cgroup mount point for cpu accounting 51 mkdir /acct 52 mount cgroup none /acct cpuacct 53 mkdir /acct/uid 54 55 mkdir /system 56 mkdir /data 0771 system system 57 mkdir /cache 0770 system cache 58 mkdir /config 0500 root root 59 60 # See storage config details at http://source.android.com/tech/storage/ 61 mkdir /mnt/shell 0700 shell shell 62 mkdir /storage 0050 root sdcard_r 63 64 # Directory for putting things only root should see. 65 mkdir /mnt/secure 0700 root root 66 # Create private mountpoint so we can MS_MOVE from staging 67 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 68 69 # Directory for staging bindmounts 70 mkdir /mnt/secure/staging 0700 root root 71 72 # Directory-target for where the secure container 73 # imagefile directory will be bind-mounted 74 mkdir /mnt/secure/asec 0700 root root 75 76 # Secure container public mount points. 77 mkdir /mnt/asec 0700 root system 78 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 79 80 # Filesystem image public mount points. 81 mkdir /mnt/obb 0700 root system 82 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 83 84 write /proc/sys/kernel/panic_on_oops 1 85 write /proc/sys/kernel/hung_task_timeout_secs 0 86 write /proc/cpu/alignment 4 87 write /proc/sys/kernel/sched_latency_ns 10000000 88 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 89 write /proc/sys/kernel/sched_compat_yield 1 90 write /proc/sys/kernel/sched_child_runs_first 0 91 write /proc/sys/kernel/randomize_va_space 2 92 write /proc/sys/kernel/kptr_restrict 2 93 write /proc/sys/kernel/dmesg_restrict 1 94 write /proc/sys/vm/mmap_min_addr 32768 95 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 96 write /proc/sys/kernel/sched_rt_runtime_us 950000 97 write /proc/sys/kernel/sched_rt_period_us 1000000 98 99# Create cgroup mount points for process groups 100 mkdir /dev/cpuctl 101 mount cgroup none /dev/cpuctl cpu 102 chown system system /dev/cpuctl 103 chown system system /dev/cpuctl/tasks 104 chmod 0660 /dev/cpuctl/tasks 105 write /dev/cpuctl/cpu.shares 1024 106 write /dev/cpuctl/cpu.rt_runtime_us 950000 107 write /dev/cpuctl/cpu.rt_period_us 1000000 108 109 mkdir /dev/cpuctl/apps 110 chown system system /dev/cpuctl/apps/tasks 111 chmod 0666 /dev/cpuctl/apps/tasks 112 write /dev/cpuctl/apps/cpu.shares 1024 113 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 114 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 115 116 mkdir /dev/cpuctl/apps/bg_non_interactive 117 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 118 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 119 # 5.0 % 120 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 121 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 122 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 123 124# qtaguid will limit access to specific data based on group memberships. 125# net_bw_acct grants impersonation of socket owners. 126# net_bw_stats grants access to other apps' detailed tagged-socket stats. 127 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 128 chown root net_bw_stats /proc/net/xt_qtaguid/stats 129 130# Allow everybody to read the xt_qtaguid resource tracking misc dev. 131# This is needed by any process that uses socket tagging. 132 chmod 0644 /dev/xt_qtaguid 133 134on fs 135# mount mtd partitions 136 # Mount /system rw first to give the filesystem a chance to save a checkpoint 137 mount yaffs2 mtd@system /system 138 mount yaffs2 mtd@system /system ro remount 139 mount yaffs2 mtd@userdata /data nosuid nodev 140 mount yaffs2 mtd@cache /cache nosuid nodev 141 142on post-fs 143 # once everything is setup, no need to modify / 144 mount rootfs rootfs / ro remount 145 # mount shared so changes propagate into child namespaces 146 mount rootfs rootfs / shared rec 147 mount tmpfs tmpfs /mnt/secure private rec 148 149 # We chown/chmod /cache again so because mount is run as root + defaults 150 chown system cache /cache 151 chmod 0770 /cache 152 # We restorecon /cache in case the cache partition has been reset. 153 restorecon /cache 154 155 # This may have been created by the recovery system with odd permissions 156 chown system cache /cache/recovery 157 chmod 0770 /cache/recovery 158 # This may have been created by the recovery system with the wrong context. 159 restorecon /cache/recovery 160 161 #change permissions on vmallocinfo so we can grab it from bugreports 162 chown root log /proc/vmallocinfo 163 chmod 0440 /proc/vmallocinfo 164 165 chown root log /proc/slabinfo 166 chmod 0440 /proc/slabinfo 167 168 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 169 chown root system /proc/kmsg 170 chmod 0440 /proc/kmsg 171 chown root system /proc/sysrq-trigger 172 chmod 0220 /proc/sysrq-trigger 173 chown system log /proc/last_kmsg 174 chmod 0440 /proc/last_kmsg 175 176 # create the lost+found directories, so as to enforce our permissions 177 mkdir /cache/lost+found 0770 root root 178 179on post-fs-data 180 # We chown/chmod /data again so because mount is run as root + defaults 181 chown system system /data 182 chmod 0771 /data 183 # We restorecon /data in case the userdata partition has been reset. 184 restorecon /data 185 186 # Create dump dir and collect dumps. 187 # Do this before we mount cache so eventually we can use cache for 188 # storing dumps on platforms which do not have a dedicated dump partition. 189 mkdir /data/dontpanic 0750 root log 190 191 # Collect apanic data, free resources and re-arm trigger 192 copy /proc/apanic_console /data/dontpanic/apanic_console 193 chown root log /data/dontpanic/apanic_console 194 chmod 0640 /data/dontpanic/apanic_console 195 196 copy /proc/apanic_threads /data/dontpanic/apanic_threads 197 chown root log /data/dontpanic/apanic_threads 198 chmod 0640 /data/dontpanic/apanic_threads 199 200 write /proc/apanic_console 1 201 202 # create basic filesystem structure 203 mkdir /data/misc 01771 system misc 204 mkdir /data/misc/adb 02750 system shell 205 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 206 mkdir /data/misc/bluetooth 0770 system system 207 mkdir /data/misc/keystore 0700 keystore keystore 208 mkdir /data/misc/keychain 0771 system system 209 mkdir /data/misc/sms 0770 system radio 210 mkdir /data/misc/zoneinfo 0775 system system 211 mkdir /data/misc/vpn 0770 system vpn 212 mkdir /data/misc/systemkeys 0700 system system 213 # give system access to wpa_supplicant.conf for backup and restore 214 mkdir /data/misc/wifi 0770 wifi wifi 215 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 216 mkdir /data/local 0751 root root 217 mkdir /data/misc/media 0700 media media 218 219 # For security reasons, /data/local/tmp should always be empty. 220 # Do not place files or directories in /data/local/tmp 221 mkdir /data/local/tmp 0771 shell shell 222 mkdir /data/data 0771 system system 223 mkdir /data/app-private 0771 system system 224 mkdir /data/app-asec 0700 root root 225 mkdir /data/app-lib 0771 system system 226 mkdir /data/app 0771 system system 227 mkdir /data/property 0700 root root 228 mkdir /data/ssh 0750 root shell 229 mkdir /data/ssh/empty 0700 root root 230 231 # create dalvik-cache, so as to enforce our permissions 232 mkdir /data/dalvik-cache 0771 system system 233 234 # create resource-cache and double-check the perms 235 mkdir /data/resource-cache 0771 system system 236 chown system system /data/resource-cache 237 chmod 0771 /data/resource-cache 238 239 # create the lost+found directories, so as to enforce our permissions 240 mkdir /data/lost+found 0770 root root 241 242 # create directory for DRM plug-ins - give drm the read/write access to 243 # the following directory. 244 mkdir /data/drm 0770 drm drm 245 246 # symlink to bugreport storage location 247 symlink /data/data/com.android.shell/files/bugreports /data/bugreports 248 249 # Separate location for storing security policy files on data 250 mkdir /data/security 0700 system system 251 252 # If there is no fs-post-data action in the init.<device>.rc file, you 253 # must uncomment this line, otherwise encrypted filesystems 254 # won't work. 255 # Set indication (checked by vold) that we have finished this action 256 #setprop vold.post_fs_data_done 1 257 258on boot 259# basic network init 260 ifup lo 261 hostname localhost 262 domainname localdomain 263 264# set RLIMIT_NICE to allow priorities from 19 to -20 265 setrlimit 13 40 40 266 267# Memory management. Basic kernel parameters, and allow the high 268# level system server to be able to adjust the kernel OOM driver 269# parameters to match how it is managing things. 270 write /proc/sys/vm/overcommit_memory 1 271 write /proc/sys/vm/min_free_order_shift 4 272 chown root system /sys/module/lowmemorykiller/parameters/adj 273 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 274 chown root system /sys/module/lowmemorykiller/parameters/minfree 275 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 276 277 # Tweak background writeout 278 write /proc/sys/vm/dirty_expire_centisecs 200 279 write /proc/sys/vm/dirty_background_ratio 5 280 281 # Permissions for System Server and daemons. 282 chown radio system /sys/android_power/state 283 chown radio system /sys/android_power/request_state 284 chown radio system /sys/android_power/acquire_full_wake_lock 285 chown radio system /sys/android_power/acquire_partial_wake_lock 286 chown radio system /sys/android_power/release_wake_lock 287 chown system system /sys/power/autosleep 288 chown system system /sys/power/state 289 chown system system /sys/power/wakeup_count 290 chown radio system /sys/power/wake_lock 291 chown radio system /sys/power/wake_unlock 292 chmod 0660 /sys/power/state 293 chmod 0660 /sys/power/wake_lock 294 chmod 0660 /sys/power/wake_unlock 295 296 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 297 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 298 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 299 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 300 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 301 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 302 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 303 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 304 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 305 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 306 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 307 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 308 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 309 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 310 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 311 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 312 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 313 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 314 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 315 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 316 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 317 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 318 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 319 320 # Assume SMP uses shared cpufreq policy for all CPUs 321 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 322 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 323 324 chown system system /sys/class/timed_output/vibrator/enable 325 chown system system /sys/class/leds/keyboard-backlight/brightness 326 chown system system /sys/class/leds/lcd-backlight/brightness 327 chown system system /sys/class/leds/button-backlight/brightness 328 chown system system /sys/class/leds/jogball-backlight/brightness 329 chown system system /sys/class/leds/red/brightness 330 chown system system /sys/class/leds/green/brightness 331 chown system system /sys/class/leds/blue/brightness 332 chown system system /sys/class/leds/red/device/grpfreq 333 chown system system /sys/class/leds/red/device/grppwm 334 chown system system /sys/class/leds/red/device/blink 335 chown system system /sys/class/leds/red/brightness 336 chown system system /sys/class/leds/green/brightness 337 chown system system /sys/class/leds/blue/brightness 338 chown system system /sys/class/leds/red/device/grpfreq 339 chown system system /sys/class/leds/red/device/grppwm 340 chown system system /sys/class/leds/red/device/blink 341 chown system system /sys/class/timed_output/vibrator/enable 342 chown system system /sys/module/sco/parameters/disable_esco 343 chown system system /sys/kernel/ipv4/tcp_wmem_min 344 chown system system /sys/kernel/ipv4/tcp_wmem_def 345 chown system system /sys/kernel/ipv4/tcp_wmem_max 346 chown system system /sys/kernel/ipv4/tcp_rmem_min 347 chown system system /sys/kernel/ipv4/tcp_rmem_def 348 chown system system /sys/kernel/ipv4/tcp_rmem_max 349 chown root radio /proc/cmdline 350 351# Set these so we can remotely update SELinux policy 352 chown system system /sys/fs/selinux/load 353 chown system system /sys/fs/selinux/enforce 354 355# Define TCP buffer sizes for various networks 356# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 357 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 358 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 359 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 360 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 361 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 362 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 363 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 364 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 365 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 366 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 367 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 368 369# Set this property so surfaceflinger is not started by system_init 370 setprop system_init.startsurfaceflinger 0 371 372 class_start core 373 class_start main 374 375on nonencrypted 376 class_start late_start 377 378on charger 379 class_start charger 380 381on property:vold.decrypt=trigger_reset_main 382 class_reset main 383 384on property:vold.decrypt=trigger_load_persist_props 385 load_persist_props 386 387on property:vold.decrypt=trigger_post_fs_data 388 trigger post-fs-data 389 390on property:vold.decrypt=trigger_restart_min_framework 391 class_start main 392 393on property:vold.decrypt=trigger_restart_framework 394 class_start main 395 class_start late_start 396 397on property:vold.decrypt=trigger_shutdown_framework 398 class_reset late_start 399 class_reset main 400 401## Daemon processes to be run by init. 402## 403service ueventd /sbin/ueventd 404 class core 405 critical 406 seclabel u:r:ueventd:s0 407 408on property:selinux.reload_policy=1 409 restart ueventd 410 restart installd 411 412service console /system/bin/sh 413 class core 414 console 415 disabled 416 user shell 417 group log 418 419on property:ro.debuggable=1 420 start console 421 422# adbd is controlled via property triggers in init.<platform>.usb.rc 423service adbd /sbin/adbd 424 class core 425 socket adbd stream 660 system system 426 disabled 427 seclabel u:r:adbd:s0 428 429# adbd on at boot in emulator 430on property:ro.kernel.qemu=1 431 start adbd 432 433service servicemanager /system/bin/servicemanager 434 class core 435 user system 436 group system 437 critical 438 onrestart restart zygote 439 onrestart restart media 440 onrestart restart surfaceflinger 441 onrestart restart drm 442 443service vold /system/bin/vold 444 class core 445 socket vold stream 0660 root mount 446 ioprio be 2 447 448service netd /system/bin/netd 449 class main 450 socket netd stream 0660 root system 451 socket dnsproxyd stream 0660 root inet 452 socket mdns stream 0660 root system 453 454service debuggerd /system/bin/debuggerd 455 class main 456 457service ril-daemon /system/bin/rild 458 class main 459 socket rild stream 660 root radio 460 socket rild-debug stream 660 radio system 461 user root 462 group radio cache inet misc audio log 463 464service surfaceflinger /system/bin/surfaceflinger 465 class main 466 user system 467 group graphics drmrpc 468 onrestart restart zygote 469 470service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 471 class main 472 socket zygote stream 660 root system 473 onrestart write /sys/android_power/request_state wake 474 onrestart write /sys/power/state on 475 onrestart restart media 476 onrestart restart netd 477 478service drm /system/bin/drmserver 479 class main 480 user drm 481 group drm system inet drmrpc 482 483service media /system/bin/mediaserver 484 class main 485 user media 486 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 487 ioprio rt 4 488 489service bootanim /system/bin/bootanimation 490 class main 491 user graphics 492 group graphics 493 disabled 494 oneshot 495 496service installd /system/bin/installd 497 class main 498 socket installd stream 600 system system 499 500service flash_recovery /system/etc/install-recovery.sh 501 class main 502 oneshot 503 504service racoon /system/bin/racoon 505 class main 506 socket racoon stream 600 system system 507 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 508 group vpn net_admin inet 509 disabled 510 oneshot 511 512service mtpd /system/bin/mtpd 513 class main 514 socket mtpd stream 600 system system 515 user vpn 516 group vpn net_admin inet net_raw 517 disabled 518 oneshot 519 520service keystore /system/bin/keystore /data/misc/keystore 521 class main 522 user keystore 523 group keystore drmrpc 524 525service dumpstate /system/bin/dumpstate -s 526 class main 527 socket dumpstate stream 0660 shell log 528 disabled 529 oneshot 530 531service sshd /system/bin/start-ssh 532 class main 533 disabled 534 535service mdnsd /system/bin/mdnsd 536 class main 537 user mdnsr 538 group inet net_raw 539 socket mdnsd stream 0660 mdnsr inet 540 disabled 541 oneshot 542