init.rc revision db49739f390992a3d68303765ac36f14ed09b68a
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8 9on early-init 10 # Set init and its forked children's oom_adj. 11 write /proc/1/oom_adj -16 12 13 start ueventd 14 15# create mountpoints 16 mkdir /mnt 0775 root system 17 18on init 19 20sysclktz 0 21 22loglevel 3 23 24# setup the global environment 25 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 26 export LD_LIBRARY_PATH /vendor/lib:/system/lib 27 export ANDROID_BOOTLOGO 1 28 export ANDROID_ROOT /system 29 export ANDROID_ASSETS /system/app 30 export ANDROID_DATA /data 31 export ASEC_MOUNTPOINT /mnt/asec 32 export LOOP_MOUNTPOINT /mnt/obb 33 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 34 35# Backward compatibility 36 symlink /system/etc /etc 37 symlink /sys/kernel/debug /d 38 39# Right now vendor lives on the same filesystem as system, 40# but someday that may change. 41 symlink /system/vendor /vendor 42 43# Create cgroup mount point for cpu accounting 44 mkdir /acct 45 mount cgroup none /acct cpuacct 46 mkdir /acct/uid 47 48 mkdir /system 49 mkdir /data 0771 system system 50 mkdir /cache 0770 system cache 51 mkdir /config 0500 root root 52 53 # Directory for putting things only root should see. 54 mkdir /mnt/secure 0700 root root 55 56 # Directory for staging bindmounts 57 mkdir /mnt/secure/staging 0700 root root 58 59 # Directory-target for where the secure container 60 # imagefile directory will be bind-mounted 61 mkdir /mnt/secure/asec 0700 root root 62 63 # Secure container public mount points. 64 mkdir /mnt/asec 0700 root system 65 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 66 67 # Filesystem image public mount points. 68 mkdir /mnt/obb 0700 root system 69 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 70 71 write /proc/sys/kernel/panic_on_oops 1 72 write /proc/sys/kernel/hung_task_timeout_secs 0 73 write /proc/cpu/alignment 4 74 write /proc/sys/kernel/sched_latency_ns 10000000 75 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 76 write /proc/sys/kernel/sched_compat_yield 1 77 write /proc/sys/kernel/sched_child_runs_first 0 78 write /proc/sys/kernel/randomize_va_space 2 79 write /proc/sys/kernel/kptr_restrict 2 80 write /proc/sys/kernel/dmesg_restrict 1 81 write /proc/sys/vm/mmap_min_addr 32768 82 83# Create cgroup mount points for process groups 84 mkdir /dev/cpuctl 85 mount cgroup none /dev/cpuctl cpu 86 chown system system /dev/cpuctl 87 chown system system /dev/cpuctl/tasks 88 chmod 0777 /dev/cpuctl/tasks 89 write /dev/cpuctl/cpu.shares 1024 90 91 mkdir /dev/cpuctl/fg_boost 92 chown system system /dev/cpuctl/fg_boost/tasks 93 chmod 0777 /dev/cpuctl/fg_boost/tasks 94 write /dev/cpuctl/fg_boost/cpu.shares 1024 95 96 mkdir /dev/cpuctl/bg_non_interactive 97 chown system system /dev/cpuctl/bg_non_interactive/tasks 98 chmod 0777 /dev/cpuctl/bg_non_interactive/tasks 99 # 5.0 % 100 write /dev/cpuctl/bg_non_interactive/cpu.shares 52 101 102# Allow everybody to read the xt_qtaguid resource tracking misc dev. 103# This is needed by any process that uses socket tagging. 104 chmod 0644 /dev/xt_qtaguid 105 106on fs 107# mount mtd partitions 108 # Mount /system rw first to give the filesystem a chance to save a checkpoint 109 mount yaffs2 mtd@system /system 110 mount yaffs2 mtd@system /system ro remount 111 mount yaffs2 mtd@userdata /data nosuid nodev 112 mount yaffs2 mtd@cache /cache nosuid nodev 113 114on post-fs 115 # once everything is setup, no need to modify / 116 mount rootfs rootfs / ro remount 117 118 # We chown/chmod /cache again so because mount is run as root + defaults 119 chown system cache /cache 120 chmod 0770 /cache 121 122 # This may have been created by the recovery system with odd permissions 123 chown system cache /cache/recovery 124 chmod 0770 /cache/recovery 125 126 #change permissions on vmallocinfo so we can grab it from bugreports 127 chown root log /proc/vmallocinfo 128 chmod 0440 /proc/vmallocinfo 129 130 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 131 chown root system /proc/kmsg 132 chmod 0440 /proc/kmsg 133 chown root system /proc/sysrq-trigger 134 chmod 0220 /proc/sysrq-trigger 135 136 # create the lost+found directories, so as to enforce our permissions 137 mkdir /cache/lost+found 0770 root root 138 139on post-fs-data 140 # We chown/chmod /data again so because mount is run as root + defaults 141 chown system system /data 142 chmod 0771 /data 143 144 # Create dump dir and collect dumps. 145 # Do this before we mount cache so eventually we can use cache for 146 # storing dumps on platforms which do not have a dedicated dump partition. 147 mkdir /data/dontpanic 0750 root log 148 149 # Collect apanic data, free resources and re-arm trigger 150 copy /proc/apanic_console /data/dontpanic/apanic_console 151 chown root log /data/dontpanic/apanic_console 152 chmod 0640 /data/dontpanic/apanic_console 153 154 copy /proc/apanic_threads /data/dontpanic/apanic_threads 155 chown root log /data/dontpanic/apanic_threads 156 chmod 0640 /data/dontpanic/apanic_threads 157 158 write /proc/apanic_console 1 159 160 # create basic filesystem structure 161 mkdir /data/misc 01771 system misc 162 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 163 mkdir /data/misc/bluetooth 0770 system system 164 mkdir /data/misc/keystore 0700 keystore keystore 165 mkdir /data/misc/keychain 0771 system system 166 mkdir /data/misc/vpn 0770 system vpn 167 mkdir /data/misc/systemkeys 0700 system system 168 # give system access to wpa_supplicant.conf for backup and restore 169 mkdir /data/misc/wifi 0770 wifi wifi 170 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 171 mkdir /data/local 0751 root root 172 173 # For security reasons, /data/local/tmp should always be empty. 174 # Do not place files or directories in /data/local/tmp 175 mkdir /data/local/tmp 0771 shell shell 176 mkdir /data/data 0771 system system 177 mkdir /data/app-private 0771 system system 178 mkdir /data/app 0771 system system 179 mkdir /data/property 0700 root root 180 mkdir /data/ssh 0750 root shell 181 mkdir /data/ssh/empty 0700 root root 182 183 # create dalvik-cache, so as to enforce our permissions 184 mkdir /data/dalvik-cache 0771 system system 185 186 # create resource-cache and double-check the perms 187 mkdir /data/resource-cache 0771 system system 188 chown system system /data/resource-cache 189 chmod 0771 /data/resource-cache 190 191 # create the lost+found directories, so as to enforce our permissions 192 mkdir /data/lost+found 0770 root root 193 194 # create directory for DRM plug-ins - give drm the read/write access to 195 # the following directory. 196 mkdir /data/drm 0770 drm drm 197 198 # If there is no fs-post-data action in the init.<device>.rc file, you 199 # must uncomment this line, otherwise encrypted filesystems 200 # won't work. 201 # Set indication (checked by vold) that we have finished this action 202 #setprop vold.post_fs_data_done 1 203 204 chown system system /sys/class/android_usb/android0/f_mass_storage/lun/file 205 chmod 0660 /sys/class/android_usb/android0/f_mass_storage/lun/file 206 chown system system /sys/class/android_usb/android0/f_rndis/ethaddr 207 chmod 0660 /sys/class/android_usb/android0/f_rndis/ethaddr 208 209on boot 210# basic network init 211 ifup lo 212 hostname localhost 213 domainname localdomain 214 215# set RLIMIT_NICE to allow priorities from 19 to -20 216 setrlimit 13 40 40 217 218# Memory management. Basic kernel parameters, and allow the high 219# level system server to be able to adjust the kernel OOM driver 220# paramters to match how it is managing things. 221 write /proc/sys/vm/overcommit_memory 1 222 write /proc/sys/vm/min_free_order_shift 4 223 chown root system /sys/module/lowmemorykiller/parameters/adj 224 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 225 chown root system /sys/module/lowmemorykiller/parameters/minfree 226 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 227 228 # Tweak background writeout 229 write /proc/sys/vm/dirty_expire_centisecs 200 230 write /proc/sys/vm/dirty_background_ratio 5 231 232 # Permissions for System Server and daemons. 233 chown radio system /sys/android_power/state 234 chown radio system /sys/android_power/request_state 235 chown radio system /sys/android_power/acquire_full_wake_lock 236 chown radio system /sys/android_power/acquire_partial_wake_lock 237 chown radio system /sys/android_power/release_wake_lock 238 chown system system /sys/power/state 239 chown system system /sys/power/wakeup_count 240 chown radio system /sys/power/wake_lock 241 chown radio system /sys/power/wake_unlock 242 chmod 0660 /sys/power/state 243 chmod 0660 /sys/power/wake_lock 244 chmod 0660 /sys/power/wake_unlock 245 chown system system /sys/class/timed_output/vibrator/enable 246 chown system system /sys/class/leds/keyboard-backlight/brightness 247 chown system system /sys/class/leds/lcd-backlight/brightness 248 chown system system /sys/class/leds/button-backlight/brightness 249 chown system system /sys/class/leds/jogball-backlight/brightness 250 chown system system /sys/class/leds/red/brightness 251 chown system system /sys/class/leds/green/brightness 252 chown system system /sys/class/leds/blue/brightness 253 chown system system /sys/class/leds/red/device/grpfreq 254 chown system system /sys/class/leds/red/device/grppwm 255 chown system system /sys/class/leds/red/device/blink 256 chown system system /sys/class/leds/red/brightness 257 chown system system /sys/class/leds/green/brightness 258 chown system system /sys/class/leds/blue/brightness 259 chown system system /sys/class/leds/red/device/grpfreq 260 chown system system /sys/class/leds/red/device/grppwm 261 chown system system /sys/class/leds/red/device/blink 262 chown system system /sys/class/timed_output/vibrator/enable 263 chown system system /sys/module/sco/parameters/disable_esco 264 chown system system /sys/kernel/ipv4/tcp_wmem_min 265 chown system system /sys/kernel/ipv4/tcp_wmem_def 266 chown system system /sys/kernel/ipv4/tcp_wmem_max 267 chown system system /sys/kernel/ipv4/tcp_rmem_min 268 chown system system /sys/kernel/ipv4/tcp_rmem_def 269 chown system system /sys/kernel/ipv4/tcp_rmem_max 270 chown root radio /proc/cmdline 271 272# Define TCP buffer sizes for various networks 273# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 274 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 275 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 276 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 277 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 278 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 279 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 280 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 281 282# Set this property so surfaceflinger is not started by system_init 283 setprop system_init.startsurfaceflinger 0 284 285 class_start core 286 class_start main 287 288on nonencrypted 289 class_start late_start 290 291on charger 292 class_start charger 293 294on property:vold.decrypt=trigger_reset_main 295 class_reset main 296 297on property:vold.decrypt=trigger_load_persist_props 298 load_persist_props 299 300on property:vold.decrypt=trigger_post_fs_data 301 trigger post-fs-data 302 303on property:vold.decrypt=trigger_restart_min_framework 304 class_start main 305 306on property:vold.decrypt=trigger_restart_framework 307 class_start main 308 class_start late_start 309 310on property:vold.decrypt=trigger_shutdown_framework 311 class_reset late_start 312 class_reset main 313 314# Used to disable USB when switching states 315on property:sys.usb.config=none 316 stop adbd 317 write /sys/class/android_usb/android0/enable 0 318 write /sys/class/android_usb/android0/bDeviceClass 0 319 setprop sys.usb.state ${sys.usb.config} 320 321# adb only USB configuration 322# This should only be used during device bringup 323# and as a fallback if the USB manager fails to set a standard configuration 324on property:sys.usb.config=adb 325 write /sys/class/android_usb/android0/enable 0 326 write /sys/class/android_usb/android0/idVendor 18d1 327 write /sys/class/android_usb/android0/idProduct D002 328 write /sys/class/android_usb/android0/functions ${sys.usb.config} 329 write /sys/class/android_usb/android0/enable 1 330 start adbd 331 setprop sys.usb.state ${sys.usb.config} 332 333# USB accessory configuration 334on property:sys.usb.config=accessory 335 write /sys/class/android_usb/android0/enable 0 336 write /sys/class/android_usb/android0/idVendor 18d1 337 write /sys/class/android_usb/android0/idProduct 2d00 338 write /sys/class/android_usb/android0/functions ${sys.usb.config} 339 write /sys/class/android_usb/android0/enable 1 340 setprop sys.usb.state ${sys.usb.config} 341 342# USB accessory configuration, with adb 343on property:sys.usb.config=accessory,adb 344 write /sys/class/android_usb/android0/enable 0 345 write /sys/class/android_usb/android0/idVendor 18d1 346 write /sys/class/android_usb/android0/idProduct 2d01 347 write /sys/class/android_usb/android0/functions ${sys.usb.config} 348 write /sys/class/android_usb/android0/enable 1 349 start adbd 350 setprop sys.usb.state ${sys.usb.config} 351 352# Used to set USB configuration at boot and to switch the configuration 353# when changing the default configuration 354on property:persist.sys.usb.config=* 355 setprop sys.usb.config ${persist.sys.usb.config} 356 357## Daemon processes to be run by init. 358## 359service ueventd /sbin/ueventd 360 class core 361 critical 362 363service console /system/bin/sh 364 class core 365 console 366 disabled 367 user shell 368 group log 369 370on property:ro.debuggable=1 371 start console 372 373# Allow writing to the kernel trace log. Enabling tracing still requires root. 374on property:ro.debuggable=1 375 chmod 0222 /sys/kernel/debug/tracing/trace_marker 376 377# adbd is controlled via property triggers in init.<platform>.usb.rc 378service adbd /sbin/adbd 379 class core 380 disabled 381 382# adbd on at boot in emulator 383on property:ro.kernel.qemu=1 384 start adbd 385 386service servicemanager /system/bin/servicemanager 387 class core 388 user system 389 group system 390 critical 391 onrestart restart zygote 392 onrestart restart media 393 onrestart restart surfaceflinger 394 onrestart restart drm 395 396service vold /system/bin/vold 397 class core 398 socket vold stream 0660 root mount 399 ioprio be 2 400 401service netd /system/bin/netd 402 class main 403 socket netd stream 0660 root system 404 socket dnsproxyd stream 0660 root inet 405 406service debuggerd /system/bin/debuggerd 407 class main 408 409service ril-daemon /system/bin/rild 410 class main 411 socket rild stream 660 root radio 412 socket rild-debug stream 660 radio system 413 user root 414 group radio cache inet misc audio sdcard_rw log 415 416service surfaceflinger /system/bin/surfaceflinger 417 class main 418 user system 419 group graphics 420 onrestart restart zygote 421 422service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 423 class main 424 socket zygote stream 660 root system 425 onrestart write /sys/android_power/request_state wake 426 onrestart write /sys/power/state on 427 onrestart restart media 428 onrestart restart netd 429 430service drm /system/bin/drmserver 431 class main 432 user drm 433 group drm system inet drmrpc 434 435service media /system/bin/mediaserver 436 class main 437 user media 438 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 439 ioprio rt 4 440 441service bootanim /system/bin/bootanimation 442 class main 443 user graphics 444 group graphics 445 disabled 446 oneshot 447 448service dbus /system/bin/dbus-daemon --system --nofork 449 class main 450 socket dbus stream 660 bluetooth bluetooth 451 user bluetooth 452 group bluetooth net_bt_admin 453 454service bluetoothd /system/bin/bluetoothd -n 455 class main 456 socket bluetooth stream 660 bluetooth bluetooth 457 socket dbus_bluetooth stream 660 bluetooth bluetooth 458 # init.rc does not yet support applying capabilities, so run as root and 459 # let bluetoothd drop uid to bluetooth with the right linux capabilities 460 group bluetooth net_bt_admin misc 461 disabled 462 463service installd /system/bin/installd 464 class main 465 socket installd stream 600 system system 466 467service flash_recovery /system/etc/install-recovery.sh 468 class main 469 oneshot 470 471service racoon /system/bin/racoon 472 class main 473 socket racoon stream 600 system system 474 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 475 group vpn net_admin inet 476 disabled 477 oneshot 478 479service mtpd /system/bin/mtpd 480 class main 481 socket mtpd stream 600 system system 482 user vpn 483 group vpn net_admin inet net_raw 484 disabled 485 oneshot 486 487service keystore /system/bin/keystore /data/misc/keystore 488 class main 489 user keystore 490 group keystore drmrpc 491 socket keystore stream 666 492 493service dumpstate /system/bin/dumpstate -s 494 class main 495 socket dumpstate stream 0660 shell log 496 disabled 497 oneshot 498 499service sshd /system/bin/start-ssh 500 class main 501 disabled 502