init.rc revision f35c203558b0648c351a5262568b383d41639a8b
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8import /init.usb.rc 9 10on early-init 11 # Set init and its forked children's oom_adj. 12 write /proc/1/oom_adj -16 13 14 start ueventd 15 16# create mountpoints 17 mkdir /mnt 0775 root system 18 19on init 20 21sysclktz 0 22 23loglevel 3 24 25# setup the global environment 26 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 27 export LD_LIBRARY_PATH /vendor/lib:/system/lib 28 export ANDROID_BOOTLOGO 1 29 export ANDROID_ROOT /system 30 export ANDROID_ASSETS /system/app 31 export ANDROID_DATA /data 32 export ASEC_MOUNTPOINT /mnt/asec 33 export LOOP_MOUNTPOINT /mnt/obb 34 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 35 36# Backward compatibility 37 symlink /system/etc /etc 38 symlink /sys/kernel/debug /d 39 40# Right now vendor lives on the same filesystem as system, 41# but someday that may change. 42 symlink /system/vendor /vendor 43 44# Create cgroup mount point for cpu accounting 45 mkdir /acct 46 mount cgroup none /acct cpuacct 47 mkdir /acct/uid 48 49 mkdir /system 50 mkdir /data 0771 system system 51 mkdir /cache 0770 system cache 52 mkdir /config 0500 root root 53 54 # Directory for putting things only root should see. 55 mkdir /mnt/secure 0700 root root 56 57 # Directory for staging bindmounts 58 mkdir /mnt/secure/staging 0700 root root 59 60 # Directory-target for where the secure container 61 # imagefile directory will be bind-mounted 62 mkdir /mnt/secure/asec 0700 root root 63 64 # Secure container public mount points. 65 mkdir /mnt/asec 0700 root system 66 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 67 68 # Filesystem image public mount points. 69 mkdir /mnt/obb 0700 root system 70 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 71 72 write /proc/sys/kernel/panic_on_oops 1 73 write /proc/sys/kernel/hung_task_timeout_secs 0 74 write /proc/cpu/alignment 4 75 write /proc/sys/kernel/sched_latency_ns 10000000 76 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 77 write /proc/sys/kernel/sched_compat_yield 1 78 write /proc/sys/kernel/sched_child_runs_first 0 79 write /proc/sys/kernel/randomize_va_space 2 80 write /proc/sys/kernel/kptr_restrict 2 81 write /proc/sys/kernel/dmesg_restrict 1 82 write /proc/sys/vm/mmap_min_addr 32768 83 84# Create cgroup mount points for process groups 85 mkdir /dev/cpuctl 86 mount cgroup none /dev/cpuctl cpu 87 chown system system /dev/cpuctl 88 chown system system /dev/cpuctl/tasks 89 chmod 0777 /dev/cpuctl/tasks 90 write /dev/cpuctl/cpu.shares 1024 91 92 mkdir /dev/cpuctl/fg_boost 93 chown system system /dev/cpuctl/fg_boost/tasks 94 chmod 0777 /dev/cpuctl/fg_boost/tasks 95 write /dev/cpuctl/fg_boost/cpu.shares 1024 96 97 mkdir /dev/cpuctl/bg_non_interactive 98 chown system system /dev/cpuctl/bg_non_interactive/tasks 99 chmod 0777 /dev/cpuctl/bg_non_interactive/tasks 100 # 5.0 % 101 write /dev/cpuctl/bg_non_interactive/cpu.shares 52 102 103# Allow everybody to read the xt_qtaguid resource tracking misc dev. 104# This is needed by any process that uses socket tagging. 105 chmod 0644 /dev/xt_qtaguid 106 107on fs 108# mount mtd partitions 109 # Mount /system rw first to give the filesystem a chance to save a checkpoint 110 mount yaffs2 mtd@system /system 111 mount yaffs2 mtd@system /system ro remount 112 mount yaffs2 mtd@userdata /data nosuid nodev 113 mount yaffs2 mtd@cache /cache nosuid nodev 114 115on post-fs 116 # once everything is setup, no need to modify / 117 mount rootfs rootfs / ro remount 118 119 # We chown/chmod /cache again so because mount is run as root + defaults 120 chown system cache /cache 121 chmod 0770 /cache 122 123 # This may have been created by the recovery system with odd permissions 124 chown system cache /cache/recovery 125 chmod 0770 /cache/recovery 126 127 #change permissions on vmallocinfo so we can grab it from bugreports 128 chown root log /proc/vmallocinfo 129 chmod 0440 /proc/vmallocinfo 130 131 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 132 chown root system /proc/kmsg 133 chmod 0440 /proc/kmsg 134 chown root system /proc/sysrq-trigger 135 chmod 0220 /proc/sysrq-trigger 136 137 # create the lost+found directories, so as to enforce our permissions 138 mkdir /cache/lost+found 0770 root root 139 140on post-fs-data 141 # We chown/chmod /data again so because mount is run as root + defaults 142 chown system system /data 143 chmod 0771 /data 144 145 # Create dump dir and collect dumps. 146 # Do this before we mount cache so eventually we can use cache for 147 # storing dumps on platforms which do not have a dedicated dump partition. 148 mkdir /data/dontpanic 0750 root log 149 150 # Collect apanic data, free resources and re-arm trigger 151 copy /proc/apanic_console /data/dontpanic/apanic_console 152 chown root log /data/dontpanic/apanic_console 153 chmod 0640 /data/dontpanic/apanic_console 154 155 copy /proc/apanic_threads /data/dontpanic/apanic_threads 156 chown root log /data/dontpanic/apanic_threads 157 chmod 0640 /data/dontpanic/apanic_threads 158 159 write /proc/apanic_console 1 160 161 # create basic filesystem structure 162 mkdir /data/misc 01771 system misc 163 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 164 mkdir /data/misc/bluetooth 0770 system system 165 mkdir /data/misc/keystore 0700 keystore keystore 166 mkdir /data/misc/keychain 0771 system system 167 mkdir /data/misc/vpn 0770 system vpn 168 mkdir /data/misc/systemkeys 0700 system system 169 # give system access to wpa_supplicant.conf for backup and restore 170 mkdir /data/misc/wifi 0770 wifi wifi 171 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 172 mkdir /data/local 0751 root root 173 174 # For security reasons, /data/local/tmp should always be empty. 175 # Do not place files or directories in /data/local/tmp 176 mkdir /data/local/tmp 0771 shell shell 177 mkdir /data/data 0771 system system 178 mkdir /data/app-private 0771 system system 179 mkdir /data/app 0771 system system 180 mkdir /data/property 0700 root root 181 mkdir /data/ssh 0750 root shell 182 mkdir /data/ssh/empty 0700 root root 183 184 # create dalvik-cache, so as to enforce our permissions 185 mkdir /data/dalvik-cache 0771 system system 186 187 # create resource-cache and double-check the perms 188 mkdir /data/resource-cache 0771 system system 189 chown system system /data/resource-cache 190 chmod 0771 /data/resource-cache 191 192 # create the lost+found directories, so as to enforce our permissions 193 mkdir /data/lost+found 0770 root root 194 195 # create directory for DRM plug-ins - give drm the read/write access to 196 # the following directory. 197 mkdir /data/drm 0770 drm drm 198 199 # If there is no fs-post-data action in the init.<device>.rc file, you 200 # must uncomment this line, otherwise encrypted filesystems 201 # won't work. 202 # Set indication (checked by vold) that we have finished this action 203 #setprop vold.post_fs_data_done 1 204 205on boot 206# basic network init 207 ifup lo 208 hostname localhost 209 domainname localdomain 210 211# set RLIMIT_NICE to allow priorities from 19 to -20 212 setrlimit 13 40 40 213 214# Memory management. Basic kernel parameters, and allow the high 215# level system server to be able to adjust the kernel OOM driver 216# paramters to match how it is managing things. 217 write /proc/sys/vm/overcommit_memory 1 218 write /proc/sys/vm/min_free_order_shift 4 219 chown root system /sys/module/lowmemorykiller/parameters/adj 220 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 221 chown root system /sys/module/lowmemorykiller/parameters/minfree 222 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 223 224 # Tweak background writeout 225 write /proc/sys/vm/dirty_expire_centisecs 200 226 write /proc/sys/vm/dirty_background_ratio 5 227 228 # Permissions for System Server and daemons. 229 chown radio system /sys/android_power/state 230 chown radio system /sys/android_power/request_state 231 chown radio system /sys/android_power/acquire_full_wake_lock 232 chown radio system /sys/android_power/acquire_partial_wake_lock 233 chown radio system /sys/android_power/release_wake_lock 234 chown system system /sys/power/state 235 chown system system /sys/power/wakeup_count 236 chown radio system /sys/power/wake_lock 237 chown radio system /sys/power/wake_unlock 238 chmod 0660 /sys/power/state 239 chmod 0660 /sys/power/wake_lock 240 chmod 0660 /sys/power/wake_unlock 241 242 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 243 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 244 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 245 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 246 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 247 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 248 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 249 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 250 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 251 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 252 253 # Assume SMP uses shared cpufreq policy for all CPUs 254 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 255 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 256 257 chown system system /sys/class/timed_output/vibrator/enable 258 chown system system /sys/class/leds/keyboard-backlight/brightness 259 chown system system /sys/class/leds/lcd-backlight/brightness 260 chown system system /sys/class/leds/button-backlight/brightness 261 chown system system /sys/class/leds/jogball-backlight/brightness 262 chown system system /sys/class/leds/red/brightness 263 chown system system /sys/class/leds/green/brightness 264 chown system system /sys/class/leds/blue/brightness 265 chown system system /sys/class/leds/red/device/grpfreq 266 chown system system /sys/class/leds/red/device/grppwm 267 chown system system /sys/class/leds/red/device/blink 268 chown system system /sys/class/leds/red/brightness 269 chown system system /sys/class/leds/green/brightness 270 chown system system /sys/class/leds/blue/brightness 271 chown system system /sys/class/leds/red/device/grpfreq 272 chown system system /sys/class/leds/red/device/grppwm 273 chown system system /sys/class/leds/red/device/blink 274 chown system system /sys/class/timed_output/vibrator/enable 275 chown system system /sys/module/sco/parameters/disable_esco 276 chown system system /sys/kernel/ipv4/tcp_wmem_min 277 chown system system /sys/kernel/ipv4/tcp_wmem_def 278 chown system system /sys/kernel/ipv4/tcp_wmem_max 279 chown system system /sys/kernel/ipv4/tcp_rmem_min 280 chown system system /sys/kernel/ipv4/tcp_rmem_def 281 chown system system /sys/kernel/ipv4/tcp_rmem_max 282 chown root radio /proc/cmdline 283 284# Define TCP buffer sizes for various networks 285# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 286 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 287 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 288 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 289 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 290 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 291 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 292 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 293 294# Set this property so surfaceflinger is not started by system_init 295 setprop system_init.startsurfaceflinger 0 296 297 class_start core 298 class_start main 299 300on nonencrypted 301 class_start late_start 302 303on charger 304 class_start charger 305 306on property:vold.decrypt=trigger_reset_main 307 class_reset main 308 309on property:vold.decrypt=trigger_load_persist_props 310 load_persist_props 311 312on property:vold.decrypt=trigger_post_fs_data 313 trigger post-fs-data 314 315on property:vold.decrypt=trigger_restart_min_framework 316 class_start main 317 318on property:vold.decrypt=trigger_restart_framework 319 class_start main 320 class_start late_start 321 322on property:vold.decrypt=trigger_shutdown_framework 323 class_reset late_start 324 class_reset main 325 326## Daemon processes to be run by init. 327## 328service ueventd /sbin/ueventd 329 class core 330 critical 331 332service console /system/bin/sh 333 class core 334 console 335 disabled 336 user shell 337 group log 338 339on property:ro.debuggable=1 340 start console 341 342# Allow writing to the kernel trace log. Enabling tracing still requires root. 343on property:ro.debuggable=1 344 chmod 0222 /sys/kernel/debug/tracing/trace_marker 345 346# adbd is controlled via property triggers in init.<platform>.usb.rc 347service adbd /sbin/adbd 348 class core 349 disabled 350 351# adbd on at boot in emulator 352on property:ro.kernel.qemu=1 353 start adbd 354 355service servicemanager /system/bin/servicemanager 356 class core 357 user system 358 group system 359 critical 360 onrestart restart zygote 361 onrestart restart media 362 onrestart restart surfaceflinger 363 onrestart restart drm 364 365service vold /system/bin/vold 366 class core 367 socket vold stream 0660 root mount 368 ioprio be 2 369 370service netd /system/bin/netd 371 class main 372 socket netd stream 0660 root system 373 socket dnsproxyd stream 0660 root inet 374 socket mdns stream 0660 root system 375 376service debuggerd /system/bin/debuggerd 377 class main 378 379service ril-daemon /system/bin/rild 380 class main 381 socket rild stream 660 root radio 382 socket rild-debug stream 660 radio system 383 user root 384 group radio cache inet misc audio sdcard_rw log 385 386service surfaceflinger /system/bin/surfaceflinger 387 class main 388 user system 389 group graphics 390 onrestart restart zygote 391 392service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 393 class main 394 socket zygote stream 660 root system 395 onrestart write /sys/android_power/request_state wake 396 onrestart write /sys/power/state on 397 onrestart restart media 398 onrestart restart netd 399 400service drm /system/bin/drmserver 401 class main 402 user drm 403 group drm system inet drmrpc 404 405service media /system/bin/mediaserver 406 class main 407 user media 408 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 409 ioprio rt 4 410 411service bootanim /system/bin/bootanimation 412 class main 413 user graphics 414 group graphics 415 disabled 416 oneshot 417 418service dbus /system/bin/dbus-daemon --system --nofork 419 class main 420 socket dbus stream 660 bluetooth bluetooth 421 user bluetooth 422 group bluetooth net_bt_admin 423 424service bluetoothd /system/bin/bluetoothd -n 425 class main 426 socket bluetooth stream 660 bluetooth bluetooth 427 socket dbus_bluetooth stream 660 bluetooth bluetooth 428 # init.rc does not yet support applying capabilities, so run as root and 429 # let bluetoothd drop uid to bluetooth with the right linux capabilities 430 group bluetooth net_bt_admin misc 431 disabled 432 433service installd /system/bin/installd 434 class main 435 socket installd stream 600 system system 436 437service flash_recovery /system/etc/install-recovery.sh 438 class main 439 oneshot 440 441service racoon /system/bin/racoon 442 class main 443 socket racoon stream 600 system system 444 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 445 group vpn net_admin inet 446 disabled 447 oneshot 448 449service mtpd /system/bin/mtpd 450 class main 451 socket mtpd stream 600 system system 452 user vpn 453 group vpn net_admin inet net_raw 454 disabled 455 oneshot 456 457service keystore /system/bin/keystore /data/misc/keystore 458 class main 459 user keystore 460 group keystore drmrpc 461 socket keystore stream 666 462 463service dumpstate /system/bin/dumpstate -s 464 class main 465 socket dumpstate stream 0660 shell log 466 disabled 467 oneshot 468 469service sshd /system/bin/start-ssh 470 class main 471 disabled 472 473service mdnsd /system/bin/mdnsd 474 class main 475 user mdnsr 476 group inet net_raw 477 socket mdnsd stream 0660 mdnsr inet 478 disabled 479 oneshot 480 481