init.rc revision efbf36f2dad8f083de6f48dbb682461d7cfa9781
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#

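# Pull in the other init scripts. ${ro.hardware} is expanded by init, so the
# third import selects the board-specific script; everything imported here runs
# with the same authority as this file and deserves the same review.
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.trace.rc
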
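# First action of the boot sequence: protect init from the OOM killer, move it
# into its SELinux domain, then start ueventd.
on early-init
    # Set init and its forked children's oom_adj.
    # -16 is near the protected end of the oom_adj range, so the kernel OOM
    # killer prefers almost any other process as a victim.
    write /proc/1/oom_adj -16

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started, so that
    # children are started from the init domain.
    setcon u:r:init:s0

    start ueventd

    # create mountpoints
    # 0775 root:system -- writable by root and group system, read/search only
    # for everyone else.
    mkdir /mnt 0775 root system
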
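# Lays out the root filesystem skeleton, mounts the cgroup/tmpfs/pstore
# pseudo-filesystems and applies the kernel sysctls.
# The only world-writable modes set in this section are the two cpuctl
# "tasks" files (see the NOTE(review) there).
on init

    sysclktz 0

    loglevel 3

    # Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Right now vendor lives on the same filesystem as system,
    # but someday that may change.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory
    # The tmpfs root is 0750 root:gid 1000, and the "tasks" files are 0660
    # root:system, so only root and group system can move tasks between the
    # memory cgroups.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    # Mount points for the main partitions. The partitions themselves are
    # mounted elsewhere; /cache and /data are chown/chmod'ed again in post-fs
    # and post-fs-data once the real filesystems are in place.
    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec  0700 root root

    # Secure container public mount points.
    # Once the tmpfs is mounted, its own root mode (0755, gid 1000) is what
    # callers see; the 0700 on the underlying directory only applies if the
    # mount is absent.
    mkdir /mnt/asec  0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # Kernel tunables. The security-relevant ones:
    #   panic_on_oops=1       a kernel oops panics instead of continuing in a
    #                         possibly corrupted state
    #   randomize_va_space=2  full address-space randomisation, including brk
    #   kptr_restrict=2       kernel pointers printed with %pK are hidden from
    #                         all users
    #   dmesg_restrict=1      the kernel log is readable by privileged
    #                         processes only
    #   mmap_min_addr=32768   user space cannot map the lowest 32 KiB, which
    #                         limits exploitation of kernel NULL dereferences
    #   ping_group_range      "0 2147483647" lets every gid open unprivileged
    #                         ICMP echo sockets, so ping needs no raw socket
    # Keep these when deriving a device-specific file from this one.
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    # NOTE(review): the two "tasks" files below are chmod 0666, i.e. world
    # writable, which is at odds with the warning at the top of this file.
    # Presumably this lets any process move its own threads between the
    # foreground and background scheduling groups -- confirm that is still
    # required before tightening, and do not copy the pattern to other files.
    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    #   net_bw_acct grants impersonation of socket owners.
    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    # Both groups are therefore sensitive; review which services are given
    # them in their "group" lines.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    # 0644: world-readable, writable by the owner only.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log
    # Read-only (0440) for user system and group log.
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops
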
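# Locks down the root filesystem, re-asserts ownership, mode and SELinux label
# on /cache, and sets the access modes of the kernel diagnostic files that
# bugreports read.
on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log -- readable by root and group log, no access for others.
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # sysrq-trigger is write-only (0220) for root and group system: any
    # process in group system can trigger sysrq actions, so membership of that
    # group is part of the trust boundary here.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root
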
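# Runs once /data is available: re-asserts ownership, mode and label on /data,
# then creates the directory tree under it with explicit modes so that nothing
# is left at whatever the filesystem or an earlier boot happened to leave.
on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # The saved file is written into /dev/urandom, which stirs it into the
    # kernel pool; on a first boot the file does not exist yet.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    # The copies are readable by group log only (0640 root:log).
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Each directory is owned by the one uid/gid that needs it. The secret
    # stores (keystore, systemkeys, media) are 0700, i.e. owner-only.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    # give system access to wpa_supplicant.conf for backup and restore
    # 0660: owner and group only; the file is never world-readable.
    mkdir /data/misc/wifi 0770 wifi wifi
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    # It is writable by the shell user (0771 shell:shell), so anything shipped
    # there could be replaced from an adb shell.
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    # 0711 system:system -- only user system can list or write the directory;
    # others can traverse it but not enumerate its contents.
    mkdir /data/security 0711 system system

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1
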
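# Final setup before services start: loopback networking, resource limits,
# handing selected /sys and /proc knobs to the system and radio users, TCP
# buffer defaults, then starting the core and main service classes.
# chown without a following chmod leaves the mode at whatever the kernel driver
# set, so only the owner changes on those lines.
on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    # 0664 root:system -- group system may write the lowmemorykiller
    # thresholds, everyone may read them.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio  5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # cpufreq "interactive" governor tunables: owned by system, 0660.
    # boostpulse is chown'ed only; no chmod is applied to it here.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    # (the vibrator chown below repeats the one a few lines up; it is harmless)
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

    # Set these so we can remotely update SELinux policy
    # NOTE(review): this makes user system the owner of the selinuxfs policy
    # "load" and "enforce" nodes. File ownership is only one of the checks on
    # those nodes (the loaded policy must also allow the access -- confirm
    # against the policy in use), but it does put the system uid on the path
    # to changing policy and enforcement. Worth auditing what runs as system.
    chown system system /sys/fs/selinux/load
    chown system system /sys/fs/selinux/enforce

    # Define TCP buffer sizes for various networks
    #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    # Start every service in class core, then class main, except those marked
    # "disabled".
    class_start core
    class_start main
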
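# Triggers that decide which service classes run. late_start is started
# directly only on the "nonencrypted" trigger; the vold.decrypt property
# triggers below start, stop or restart the main and late_start classes
# (presumably driven by vold while an encrypted /data is being unlocked --
# confirm against vold).
on nonencrypted
    class_start late_start

# Charger mode: only the charger class is started.
on charger
    class_start charger

# class_reset stops the services of a class without disabling them, so a later
# class_start can bring them back.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

# Re-runs the post-fs-data action defined earlier in this file.
on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main
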
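# Property-driven actions that init performs on behalf of other processes.
# In each case the property value is passed through unchanged, and init acts on
# it with its own privileges. The access control is therefore whatever
# restricts who may set these properties, which is enforced outside this file
# (property permissions -- verify for the build in question).
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
# The property is named tcp_def_init_rwnd because "tcp_default_init_rwnd"
# is too long (presumably for a property name).
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}

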
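## Daemon processes to be run by init.
##
## Reading the service stanzas: a service with no "user" line runs as root;
## "socket NAME TYPE PERM [USER [GROUP]]" creates /dev/socket/NAME with that
## mode and owner; "disabled" services are not started by class_start;
## "oneshot" services are not restarted when they exit; "critical" services
## send the device to recovery if they keep crashing; "seclabel" sets the
## SELinux context before exec, which is used here for the binaries in /sbin.

# Runs as root in the ueventd domain.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

# Runs as root in the healthd domain.
service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Same binary, started with -n, in the charger class only.
service healthd-charger /sbin/healthd -n
    class charger
    critical
    seclabel u:r:healthd:s0
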
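# When selinux.reload_policy is set to 1, restart ueventd and installd
# (presumably so they pick up the reloaded policy -- confirm).
on property:selinux.reload_policy=1
    restart ueventd
    restart installd

# Interactive shell on the console device. It runs as user shell with group
# log, not as root, and is "disabled": it only starts via the ro.debuggable
# trigger below, so non-debuggable builds get no console shell from this file.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# No "user" line, so it is started as root, in the adbd domain. Its control
# socket is 660 system:system. It is "disabled" here, so whether adb is
# reachable depends on those usb.rc triggers and on the emulator trigger below.
service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd
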
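# Runs as system:system. It is critical, and when it restarts init also
# restarts the services listed under onrestart.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm
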
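# vold: no "user" line, so it runs as root. Its command socket is 0660
# root:mount, so only root and members of group mount can connect.
service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

# netd: runs as root. All three sockets are 0660 and owned by root; what
# differs is the group allowed to connect (system for netd and mdns, inet for
# dnsproxyd).
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
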
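# debuggerd: no user, group or seclabel lines, so it runs as root with init's
# defaults.
service debuggerd /system/bin/debuggerd
    class main

# rild: explicitly root, with supplementary groups radio, cache, inet, misc,
# audio and log. The rild socket is 660 root:radio; rild-debug is 660
# radio:system.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log
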
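# surfaceflinger: runs as user system with groups graphics and drmrpc; zygote
# is restarted whenever it restarts.
service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

# zygote: no "user" line, so it starts as root. Its socket is 660 root:system,
# so only root and group system can connect to it. A zygote restart also wakes
# the device (the two writes) and restarts media and netd.
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd
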
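# drmserver: unprivileged user drm, groups drm, system, inet and drmrpc.
service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

# mediaserver: unprivileged user media, but with a wide group set (audio,
# camera, network, Bluetooth, net_bw_acct, DRM). net_bw_acct is the group that
# grants impersonation of socket owners in xt_qtaguid (see "on init"), so this
# process is a sensitive one despite not running as root.
service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

# Boot animation: graphics:graphics, started on demand, not restarted.
service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot
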
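# installd: no "user" line, so it runs as root. Its socket is 600
# system:system, so only user system can send it commands.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs /system/etc/install-recovery.sh once per start of class main, as root
# (no "user" line). The script's integrity therefore rests on /system not being
# writable at runtime.
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot
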
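# racoon: started on demand (disabled, oneshot). There is no "user" line, so it
# starts as root and relies on dropping privileges itself, as the comment below
# explains. Control socket is 600 system:system.
service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

# mtpd: started on demand as user vpn; the net_admin and net_raw groups carry
# its network privileges. Control socket is 600 system:system.
service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot
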
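# keystore: dedicated user keystore. Its data directory is the argument,
# /data/misc/keystore, which post-fs-data creates as 0700 keystore:keystore.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

# dumpstate: started on demand (disabled, oneshot) as root, since there is no
# "user" line. Its socket is 0660 shell:log, so user shell and group log can
# connect to it.
service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot
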
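# sshd: "disabled", so nothing in this file starts it; it would run as root
# (no "user" line) if something else starts it. When auditing a device, check
# what, if anything, starts this service.
service sshd /system/bin/start-ssh
    class main
    disabled

# mdnsd: started on demand as user mdnsr with groups inet and net_raw; socket
# is 0660 mdnsr:inet.
service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot
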