init.rc revision d43bab7b98d329ead0b5304be79d430b5a92ad10
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.usb.rc 8import /init.${ro.hardware}.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ANDROID_STORAGE /storage 38 export ASEC_MOUNTPOINT /mnt/asec 39 export LOOP_MOUNTPOINT /mnt/obb 40 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/okhttp.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 41 42# Backward compatibility 43 symlink /system/etc /etc 44 symlink /sys/kernel/debug /d 45 46# Right now vendor lives on the same filesystem as system, 47# but someday that may change. 48 symlink /system/vendor /vendor 49 50# Create cgroup mount point for cpu accounting 51 mkdir /acct 52 mount cgroup none /acct cpuacct 53 mkdir /acct/uid 54 55 mkdir /system 56 mkdir /data 0771 system system 57 mkdir /cache 0770 system cache 58 mkdir /config 0500 root root 59 60 # See storage config details at http://source.android.com/tech/storage/ 61 mkdir /mnt/shell 0700 shell shell 62 mkdir /storage 0050 root sdcard_r 63 64 # Directory for putting things only root should see. 65 mkdir /mnt/secure 0700 root root 66 # Create private mountpoint so we can MS_MOVE from staging 67 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 68 69 # Directory for staging bindmounts 70 mkdir /mnt/secure/staging 0700 root root 71 72 # Directory-target for where the secure container 73 # imagefile directory will be bind-mounted 74 mkdir /mnt/secure/asec 0700 root root 75 76 # Secure container public mount points. 77 mkdir /mnt/asec 0700 root system 78 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 79 80 # Filesystem image public mount points. 81 mkdir /mnt/obb 0700 root system 82 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 83 84 write /proc/sys/kernel/panic_on_oops 1 85 write /proc/sys/kernel/hung_task_timeout_secs 0 86 write /proc/cpu/alignment 4 87 write /proc/sys/kernel/sched_latency_ns 10000000 88 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 89 write /proc/sys/kernel/sched_compat_yield 1 90 write /proc/sys/kernel/sched_child_runs_first 0 91 write /proc/sys/kernel/randomize_va_space 2 92 write /proc/sys/kernel/kptr_restrict 2 93 write /proc/sys/kernel/dmesg_restrict 1 94 write /proc/sys/vm/mmap_min_addr 32768 95 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 96 write /proc/sys/kernel/sched_rt_runtime_us 950000 97 write /proc/sys/kernel/sched_rt_period_us 1000000 98 99# Create cgroup mount points for process groups 100 mkdir /dev/cpuctl 101 mount cgroup none /dev/cpuctl cpu 102 chown system system /dev/cpuctl 103 chown system system /dev/cpuctl/tasks 104 chmod 0660 /dev/cpuctl/tasks 105 write /dev/cpuctl/cpu.shares 1024 106 write /dev/cpuctl/cpu.rt_runtime_us 950000 107 write /dev/cpuctl/cpu.rt_period_us 1000000 108 109 mkdir /dev/cpuctl/apps 110 chown system system /dev/cpuctl/apps/tasks 111 chmod 0666 /dev/cpuctl/apps/tasks 112 write /dev/cpuctl/apps/cpu.shares 1024 113 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 114 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 115 116 mkdir /dev/cpuctl/apps/bg_non_interactive 117 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 118 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 119 # 5.0 % 120 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 121 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 122 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 123 124# qtaguid will limit access to specific data based on group memberships. 125# net_bw_acct grants impersonation of socket owners. 126# net_bw_stats grants access to other apps' detailed tagged-socket stats. 127 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 128 chown root net_bw_stats /proc/net/xt_qtaguid/stats 129 130# Allow everybody to read the xt_qtaguid resource tracking misc dev. 131# This is needed by any process that uses socket tagging. 132 chmod 0644 /dev/xt_qtaguid 133 134on fs 135# mount mtd partitions 136 # Mount /system rw first to give the filesystem a chance to save a checkpoint 137 mount yaffs2 mtd@system /system 138 mount yaffs2 mtd@system /system ro remount 139 mount yaffs2 mtd@userdata /data nosuid nodev 140 mount yaffs2 mtd@cache /cache nosuid nodev 141 142on post-fs 143 # once everything is setup, no need to modify / 144 mount rootfs rootfs / ro remount 145 # mount shared so changes propagate into child namespaces 146 mount rootfs rootfs / shared rec 147 mount tmpfs tmpfs /mnt/secure private rec 148 149 # We chown/chmod /cache again so because mount is run as root + defaults 150 chown system cache /cache 151 chmod 0770 /cache 152 # We restorecon /cache in case the cache partition has been reset. 153 restorecon /cache 154 155 # This may have been created by the recovery system with odd permissions 156 chown system cache /cache/recovery 157 chmod 0770 /cache/recovery 158 # This may have been created by the recovery system with the wrong context. 159 restorecon /cache/recovery 160 161 #change permissions on vmallocinfo so we can grab it from bugreports 162 chown root log /proc/vmallocinfo 163 chmod 0440 /proc/vmallocinfo 164 165 chown root log /proc/slabinfo 166 chmod 0440 /proc/slabinfo 167 168 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 169 chown root system /proc/kmsg 170 chmod 0440 /proc/kmsg 171 chown root system /proc/sysrq-trigger 172 chmod 0220 /proc/sysrq-trigger 173 chown system log /proc/last_kmsg 174 chmod 0440 /proc/last_kmsg 175 176 # create the lost+found directories, so as to enforce our permissions 177 mkdir /cache/lost+found 0770 root root 178 179on post-fs-data 180 # We chown/chmod /data again so because mount is run as root + defaults 181 chown system system /data 182 chmod 0771 /data 183 # We restorecon /data in case the userdata partition has been reset. 184 restorecon /data 185 186 # Create dump dir and collect dumps. 187 # Do this before we mount cache so eventually we can use cache for 188 # storing dumps on platforms which do not have a dedicated dump partition. 189 mkdir /data/dontpanic 0750 root log 190 191 # Collect apanic data, free resources and re-arm trigger 192 copy /proc/apanic_console /data/dontpanic/apanic_console 193 chown root log /data/dontpanic/apanic_console 194 chmod 0640 /data/dontpanic/apanic_console 195 196 copy /proc/apanic_threads /data/dontpanic/apanic_threads 197 chown root log /data/dontpanic/apanic_threads 198 chmod 0640 /data/dontpanic/apanic_threads 199 200 write /proc/apanic_console 1 201 202 # create basic filesystem structure 203 mkdir /data/misc 01771 system misc 204 mkdir /data/misc/adb 02750 system shell 205 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 206 mkdir /data/misc/bluetooth 0770 system system 207 mkdir /data/misc/keystore 0700 keystore keystore 208 mkdir /data/misc/keychain 0771 system system 209 mkdir /data/misc/sms 0770 system radio 210 mkdir /data/misc/zoneinfo 0775 system system 211 mkdir /data/misc/vpn 0770 system vpn 212 mkdir /data/misc/systemkeys 0700 system system 213 # give system access to wpa_supplicant.conf for backup and restore 214 mkdir /data/misc/wifi 0770 wifi wifi 215 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 216 mkdir /data/local 0751 root root 217 218 # For security reasons, /data/local/tmp should always be empty. 219 # Do not place files or directories in /data/local/tmp 220 mkdir /data/local/tmp 0771 shell shell 221 mkdir /data/data 0771 system system 222 mkdir /data/app-private 0771 system system 223 mkdir /data/app-asec 0700 root root 224 mkdir /data/app-lib 0771 system system 225 mkdir /data/app 0771 system system 226 mkdir /data/property 0700 root root 227 mkdir /data/ssh 0750 root shell 228 mkdir /data/ssh/empty 0700 root root 229 230 # create dalvik-cache, so as to enforce our permissions 231 mkdir /data/dalvik-cache 0771 system system 232 233 # create resource-cache and double-check the perms 234 mkdir /data/resource-cache 0771 system system 235 chown system system /data/resource-cache 236 chmod 0771 /data/resource-cache 237 238 # create the lost+found directories, so as to enforce our permissions 239 mkdir /data/lost+found 0770 root root 240 241 # create directory for DRM plug-ins - give drm the read/write access to 242 # the following directory. 243 mkdir /data/drm 0770 drm drm 244 245 # Separate location for storing security policy files on data 246 mkdir /data/security 0711 system system 247 248 # If there is no fs-post-data action in the init.<device>.rc file, you 249 # must uncomment this line, otherwise encrypted filesystems 250 # won't work. 251 # Set indication (checked by vold) that we have finished this action 252 #setprop vold.post_fs_data_done 1 253 254on boot 255# basic network init 256 ifup lo 257 hostname localhost 258 domainname localdomain 259 260# set RLIMIT_NICE to allow priorities from 19 to -20 261 setrlimit 13 40 40 262 263# Memory management. Basic kernel parameters, and allow the high 264# level system server to be able to adjust the kernel OOM driver 265# parameters to match how it is managing things. 266 write /proc/sys/vm/overcommit_memory 1 267 write /proc/sys/vm/min_free_order_shift 4 268 chown root system /sys/module/lowmemorykiller/parameters/adj 269 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 270 chown root system /sys/module/lowmemorykiller/parameters/minfree 271 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 272 273 # Tweak background writeout 274 write /proc/sys/vm/dirty_expire_centisecs 200 275 write /proc/sys/vm/dirty_background_ratio 5 276 277 # Permissions for System Server and daemons. 278 chown radio system /sys/android_power/state 279 chown radio system /sys/android_power/request_state 280 chown radio system /sys/android_power/acquire_full_wake_lock 281 chown radio system /sys/android_power/acquire_partial_wake_lock 282 chown radio system /sys/android_power/release_wake_lock 283 chown system system /sys/power/autosleep 284 chown system system /sys/power/state 285 chown system system /sys/power/wakeup_count 286 chown radio system /sys/power/wake_lock 287 chown radio system /sys/power/wake_unlock 288 chmod 0660 /sys/power/state 289 chmod 0660 /sys/power/wake_lock 290 chmod 0660 /sys/power/wake_unlock 291 292 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 293 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 294 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 295 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 296 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 297 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 298 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 299 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 300 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 301 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 302 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 303 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 304 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 305 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 306 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 307 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 308 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 309 310 # Assume SMP uses shared cpufreq policy for all CPUs 311 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 312 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 313 314 chown system system /sys/class/timed_output/vibrator/enable 315 chown system system /sys/class/leds/keyboard-backlight/brightness 316 chown system system /sys/class/leds/lcd-backlight/brightness 317 chown system system /sys/class/leds/button-backlight/brightness 318 chown system system /sys/class/leds/jogball-backlight/brightness 319 chown system system /sys/class/leds/red/brightness 320 chown system system /sys/class/leds/green/brightness 321 chown system system /sys/class/leds/blue/brightness 322 chown system system /sys/class/leds/red/device/grpfreq 323 chown system system /sys/class/leds/red/device/grppwm 324 chown system system /sys/class/leds/red/device/blink 325 chown system system /sys/class/leds/red/brightness 326 chown system system /sys/class/leds/green/brightness 327 chown system system /sys/class/leds/blue/brightness 328 chown system system /sys/class/leds/red/device/grpfreq 329 chown system system /sys/class/leds/red/device/grppwm 330 chown system system /sys/class/leds/red/device/blink 331 chown system system /sys/class/timed_output/vibrator/enable 332 chown system system /sys/module/sco/parameters/disable_esco 333 chown system system /sys/kernel/ipv4/tcp_wmem_min 334 chown system system /sys/kernel/ipv4/tcp_wmem_def 335 chown system system /sys/kernel/ipv4/tcp_wmem_max 336 chown system system /sys/kernel/ipv4/tcp_rmem_min 337 chown system system /sys/kernel/ipv4/tcp_rmem_def 338 chown system system /sys/kernel/ipv4/tcp_rmem_max 339 chown root radio /proc/cmdline 340 341# Define TCP buffer sizes for various networks 342# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 343 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 344 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 345 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 346 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 347 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 348 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 349 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 350 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 351 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 352 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 353 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 354 355# Set this property so surfaceflinger is not started by system_init 356 setprop system_init.startsurfaceflinger 0 357 358 class_start core 359 class_start main 360 361on nonencrypted 362 class_start late_start 363 364on charger 365 class_start charger 366 367on property:vold.decrypt=trigger_reset_main 368 class_reset main 369 370on property:vold.decrypt=trigger_load_persist_props 371 load_persist_props 372 373on property:vold.decrypt=trigger_post_fs_data 374 trigger post-fs-data 375 376on property:vold.decrypt=trigger_restart_min_framework 377 class_start main 378 379on property:vold.decrypt=trigger_restart_framework 380 class_start main 381 class_start late_start 382 383on property:vold.decrypt=trigger_shutdown_framework 384 class_reset late_start 385 class_reset main 386 387## Daemon processes to be run by init. 388## 389service ueventd /sbin/ueventd 390 class core 391 critical 392 seclabel u:r:ueventd:s0 393 394on property:selinux.reload_policy=1 395 restart ueventd 396 restart installd 397 398service console /system/bin/sh 399 class core 400 console 401 disabled 402 user shell 403 group log 404 405on property:ro.debuggable=1 406 start console 407 408# adbd is controlled via property triggers in init.<platform>.usb.rc 409service adbd /sbin/adbd 410 class core 411 socket adbd stream 660 system system 412 disabled 413 seclabel u:r:adbd:s0 414 415# adbd on at boot in emulator 416on property:ro.kernel.qemu=1 417 start adbd 418 419service servicemanager /system/bin/servicemanager 420 class core 421 user system 422 group system 423 critical 424 onrestart restart zygote 425 onrestart restart media 426 onrestart restart surfaceflinger 427 onrestart restart drm 428 429service vold /system/bin/vold 430 class core 431 socket vold stream 0660 root mount 432 ioprio be 2 433 434service netd /system/bin/netd 435 class main 436 socket netd stream 0660 root system 437 socket dnsproxyd stream 0660 root inet 438 socket mdns stream 0660 root system 439 440service debuggerd /system/bin/debuggerd 441 class main 442 443service ril-daemon /system/bin/rild 444 class main 445 socket rild stream 660 root radio 446 socket rild-debug stream 660 radio system 447 user root 448 group radio cache inet misc audio log 449 450service surfaceflinger /system/bin/surfaceflinger 451 class main 452 user system 453 group graphics drmrpc 454 onrestart restart zygote 455 456service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 457 class main 458 socket zygote stream 660 root system 459 onrestart write /sys/android_power/request_state wake 460 onrestart write /sys/power/state on 461 onrestart restart media 462 onrestart restart netd 463 464service drm /system/bin/drmserver 465 class main 466 user drm 467 group drm system inet drmrpc 468 469service media /system/bin/mediaserver 470 class main 471 user media 472 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 473 ioprio rt 4 474 475service bootanim /system/bin/bootanimation 476 class main 477 user graphics 478 group graphics 479 disabled 480 oneshot 481 482service installd /system/bin/installd 483 class main 484 socket installd stream 600 system system 485 486service flash_recovery /system/etc/install-recovery.sh 487 class main 488 oneshot 489 490service racoon /system/bin/racoon 491 class main 492 socket racoon stream 600 system system 493 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 494 group vpn net_admin inet 495 disabled 496 oneshot 497 498service mtpd /system/bin/mtpd 499 class main 500 socket mtpd stream 600 system system 501 user vpn 502 group vpn net_admin inet net_raw 503 disabled 504 oneshot 505 506service keystore /system/bin/keystore /data/misc/keystore 507 class main 508 user keystore 509 group keystore drmrpc 510 511service dumpstate /system/bin/dumpstate -s 512 class main 513 socket dumpstate stream 0660 shell log 514 disabled 515 oneshot 516 517service sshd /system/bin/start-ssh 518 class main 519 disabled 520 521service mdnsd /system/bin/mdnsd 522 class main 523 user mdnsr 524 group inet net_raw 525 socket mdnsd stream 0660 mdnsr inet 526 disabled 527 oneshot 528