init.rc revision d6544d2a405df4c6e1fb517b1038a3640ae5f095
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Android init script. "on <trigger>" sections are actions whose commands run
# in the order written; "service" sections declare daemons that init starts.
# mkdir/chown/chmod/socket lines below set the DAC owner, group and mode of
# the object they name; SELinux policy (not visible in this file) applies on
# top of that.

# ${ro.hardware} and ${ro.zygote} are expanded from system properties, so the
# set of imported files depends on the values of those properties.
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    # -1000 is the lowest oom_score_adj, which exempts the process from the
    # kernel OOM killer.
    write /proc/1/oom_score_adj -1000

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

    # create mountpoints
    mkdir /mnt 0775 root system

on init
    sysclktz 0

    # Backward compatibility.
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Link /vendor to /system/vendor for devices without a vendor partition.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory
    # gid=1000 is the "system" group, matching the "root system" ownership
    # used on the directories below.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The 0700 mode applies to the underlying mountpoint only; once the tmpfs
    # is mounted its root is mode 0755 with gid 1000 (system).
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: 0700 mountpoint, 0755 tmpfs root.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel tunables. The security-relevant ones:
    #   panic_on_oops 1      - a kernel oops becomes a panic instead of
    #                          letting the kernel continue in an unknown state
    #   randomize_va_space 2 - full ASLR, including the heap (brk)
    #   kptr_restrict 2      - kernel pointers printed with %pK are hidden
    #                          from every user
    #   mmap_min_addr 32768  - userspace cannot map the lowest 32 KiB, which
    #                          mitigates kernel NULL-pointer dereference bugs
    #   ping_group_range     - every GID may open unprivileged ICMP "ping"
    #                          sockets, so ping needs no raw-socket privilege
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # reflect fwmark from incoming packets onto generated replies
    write /proc/sys/net/ipv4/fwmark_reflect 1
    write /proc/sys/net/ipv6/fwmark_reflect 1

    # set fwmark on accepted sockets
    write /proc/sys/net/ipv4/tcp_fwmark_accept 1

    # Create cgroup mount points for process groups
    # NOTE(review): the two "tasks" files below are chmod 0666, i.e. world
    # writable by DAC. That is an exception to the rule in the file header;
    # verify that SELinux policy limits which domains may write them.
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0666 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 800000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/bg_non_interactive
    chown system system /dev/cpuctl/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    #   net_bw_acct grants impersonation of socket owners.
    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    # Membership of these two groups is therefore sensitive; see which
    # services list them in their "group" option further down.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log
    # Logs from the previous boot: readable by user system and group log only.
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops
    chown system log /sys/fs/pstore/pmsg-ramoops-0
    chmod 0440 /sys/fs/pstore/pmsg-ramoops-0

    # enable armv8_deprecated instruction hooks
    write /proc/sys/abi/swp 1

# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.
on property:sys.boot_from_charger_mode=1
    class_stop charger
    trigger late-init

# Load properties from /system/ + /factory after fs mount.
on load_all_props_action
    load_all_props
    start logd
    start logd-reinit

# Indicate to fw loaders that the relevant mounts are up.
on firmware_mounts_complete
    rm /dev/.booting

# Mount filesystems and start core system services.
on late-init
    trigger early-fs
    trigger fs
    trigger post-fs
    trigger post-fs-data

    # Load properties from /system/ + /factory after fs mount. Place
    # this in another action so that the load will be scheduled after the prior
    # issued fs triggers have completed.
    trigger load_all_props_action

    # Remove a file to wake up anything waiting for firmware.
    trigger firmware_mounts_complete

    trigger early-boot
    trigger boot


on post-fs
    start logd
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon_recursive /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    # (0440 root:log - readable by root and the log group, nobody else)
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg and last_kmsg become read-only for owner and group; sysrq-trigger
    # is 0220, i.e. write-only for root and the system group.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Make sure we have the device encryption key
    start logd
    start vold
    installkey /data

    # Start bootcharting as soon as possible after the data partition is
    # mounted to collect more data.
    mkdir /data/bootchart 0755 shell shell
    bootchart_init

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # Data written to /dev/urandom is mixed into the pool but is not credited
    # as entropy by the kernel.
    copy /data/system/entropy.dat /dev/urandom

    # create basic filesystem structure
    # Leading digit of the mode: 01771 sets the sticky bit on /data/misc,
    # 02750 sets the setgid bit on /data/misc/adb (new entries inherit group
    # shell).
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/gatekeeper 0700 system system
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/net 0750 root shell
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/ethernet 0770 system system
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): this file typically holds saved network credentials; the
    # chmod only sets the mode, owner and group are whatever the file already
    # has - confirm they are as intended.
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    # (the directory is writable by user and group shell)
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/tombstones 0771 system system

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 root root
    mkdir /data/dalvik-cache/profiles 0711 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    mkdir /data/adb 0700 root root

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Create all remaining /data root dirs so that they are made through init
    # and get proper encryption policy installed
    mkdir /data/backup 0700 system system
    mkdir /data/media 0770 media_rw media_rw
    mkdir /data/ss 0700 system system
    mkdir /data/system 0775 system system
    mkdir /data/system/heapdump 0700 system system
    mkdir /data/user 0711 system system

    # Reload policy from /data/security if present.
    # NOTE(review): this means policy files under /data/security (0711
    # system:system, created above) can replace the loaded SELinux policy;
    # how those files are validated is not visible in this file.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # Check any timezone data in /data is newer than the copy in /system, delete if not.
    # exec arguments before "--": SELinux context, then user, then group.
    exec u:r:tzdatacheck:s0 system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management. Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    # The lowmemorykiller parameters become write-only (0220) for root and
    # the system group.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    # Only /sys/power/state, wake_lock and wake_unlock get an explicit mode;
    # every other node chowned in this action keeps the mode its driver
    # created it with unless a chmod follows.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # boostpulse is the one interactive-governor node here with no chmod.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    # Repeats the vibrator chown from the top of this group.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Group ownership only; the mode of /proc/cmdline is not changed here.
    chown root radio /proc/cmdline

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core

on nonencrypted
    class_start main
    class_start late_start

# The vold.decrypt property triggers below drive the encrypted-boot sequence;
# per the comments on the defaultcrypto and encrypt services, vold sets the
# property.
on property:vold.decrypt=trigger_default_encryption
    start defaultcrypto

on property:vold.decrypt=trigger_encryption
    start surfaceflinger
    start encrypt

on property:sys.init_log_level=*
    loglevel ${sys.init_log_level}

on charger
    class_start charger

on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props
    start logd
    start logd-reinit

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# init performs the power action named by the property value, so the right to
# set sys.powerctl is the right to reboot or shut down the device.
# NOTE(review): who may set it is decided by property permissions, which are
# not visible in this file.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
# NOTE(review): init writes the property value as-is; no validation is
# visible here, so the only gate is who is allowed to set sys.sysctl.*
# properties.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

# "tcp_default_init_rwnd" is too long for the property name, hence the
# abbreviated "tcp_def_init_rwnd".
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}


## Daemon processes to be run by init.
##
## Reading notes for the service definitions below:
##  - A service with no "user" option is started as root. Here that applies to
##    ueventd, logd, logd-reinit, healthd, adbd, lmkd, vold, netd, debuggerd,
##    debuggerd64, defaultcrypto, encrypt, installd, flash_recovery, racoon,
##    dumpstate and pre-recovery; ril-daemon and perfprofd ask for root
##    explicitly. Whether a daemon drops privileges after start is not visible
##    in this file (racoon's comment says it does).
##  - "socket <name> <type> <perm> [<user> [<group>]]" creates
##    /dev/socket/<name> with that mode and owner. Several entries write the
##    mode without a leading 0 (660, 600); presumably it is parsed as octal
##    like the others - confirm against the init parser.
##  - "critical" services that keep exiting make init reboot the device into
##    recovery.
##  - Only ueventd, healthd, console and adbd set "seclabel" here; the others
##    presumably get their SELinux domain from a policy transition on exec -
##    confirm against the SELinux policy.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

# NOTE(review): logd and logdr are 0666 and logdw is 0222 (write-only), so by
# DAC every UID can reach them. Access control therefore rests on logd's own
# checks and on SELinux policy; review both when auditing log access.
service logd /system/bin/logd
    class core
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd

service logd-reinit /system/bin/logd --reinit
    oneshot
    disabled

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Shell on the console device, running as user shell in the shell domain.
# It is "disabled" and only started by the ro.debuggable=1 trigger below.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# NOTE(review): --root_seclabel is passed to adbd itself; presumably it is the
# context adbd uses when it stays root - confirm in adbd. The service starts
# in u:r:adbd:s0.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system

# A servicemanager restart also restarts healthd, zygote, media,
# surfaceflinger and drm.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
    socket fwmarkd stream 0660 root inet

service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main

service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class core
    user system
    group graphics drmrpc
    onrestart restart zygote

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

# mediaserver is in net_bw_acct, which per the qtaguid comment in "on init"
# grants impersonation of socket owners.
service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

# One shot invocation to deal with encrypted volume.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)

# One shot invocation to encrypt unencrypted volumes
service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption)

service bootanim /system/bin/bootanimation
    class core
    user graphics
    group graphics audio
    disabled
    oneshot

service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs a shell script from /system as root once per boot of class main.
service flash_recovery /system/bin/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot

service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot

# perfprofd runs as root and is started only on debuggable builds.
on property:ro.debuggable=1
    start perfprofd

service perfprofd /system/xbin/perfprofd
    disabled
    user root
    oneshot