init.rc revision f35c203558b0648c351a5262568b383d41639a8b 
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.${ro.hardware}.rc
8import /init.usb.rc
9
10on early-init
11    # Set init and its forked children's oom_adj.
12    write /proc/1/oom_adj -16
13
14    start ueventd
15
16# create mountpoints
17    mkdir /mnt 0775 root system
18
19on init
20
21sysclktz 0
22
23loglevel 3
24
25# setup the global environment
26    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
27    export LD_LIBRARY_PATH /vendor/lib:/system/lib
28    export ANDROID_BOOTLOGO 1
29    export ANDROID_ROOT /system
30    export ANDROID_ASSETS /system/app
31    export ANDROID_DATA /data
32    export ASEC_MOUNTPOINT /mnt/asec
33    export LOOP_MOUNTPOINT /mnt/obb
34    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar
35
36# Backward compatibility
37    symlink /system/etc /etc
38    symlink /sys/kernel/debug /d
39
40# Right now vendor lives on the same filesystem as system,
41# but someday that may change.
42    symlink /system/vendor /vendor
43
44# Create cgroup mount point for cpu accounting
45    mkdir /acct
46    mount cgroup none /acct cpuacct
47    mkdir /acct/uid
48
49    mkdir /system
50    mkdir /data 0771 system system
51    mkdir /cache 0770 system cache
52    mkdir /config 0500 root root
53
54    # Directory for putting things only root should see.
55    mkdir /mnt/secure 0700 root root
56
57    # Directory for staging bindmounts
58    mkdir /mnt/secure/staging 0700 root root
59
60    # Directory-target for where the secure container
61    # imagefile directory will be bind-mounted
62    mkdir /mnt/secure/asec  0700 root root
63
64    # Secure container public mount points.
65    mkdir /mnt/asec  0700 root system
66    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
67
68    # Filesystem image public mount points.
69    mkdir /mnt/obb 0700 root system
70    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
71
72    write /proc/sys/kernel/panic_on_oops 1
73    write /proc/sys/kernel/hung_task_timeout_secs 0
74    write /proc/cpu/alignment 4
75    write /proc/sys/kernel/sched_latency_ns 10000000
76    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
77    write /proc/sys/kernel/sched_compat_yield 1
78    write /proc/sys/kernel/sched_child_runs_first 0
79    write /proc/sys/kernel/randomize_va_space 2
80    write /proc/sys/kernel/kptr_restrict 2
81    write /proc/sys/kernel/dmesg_restrict 1
82    write /proc/sys/vm/mmap_min_addr 32768
83
84# Create cgroup mount points for process groups
85    mkdir /dev/cpuctl
86    mount cgroup none /dev/cpuctl cpu
87    chown system system /dev/cpuctl
88    chown system system /dev/cpuctl/tasks
89    chmod 0777 /dev/cpuctl/tasks
90    write /dev/cpuctl/cpu.shares 1024
91
92    mkdir /dev/cpuctl/fg_boost
93    chown system system /dev/cpuctl/fg_boost/tasks
94    chmod 0777 /dev/cpuctl/fg_boost/tasks
95    write /dev/cpuctl/fg_boost/cpu.shares 1024
96
97    mkdir /dev/cpuctl/bg_non_interactive
98    chown system system /dev/cpuctl/bg_non_interactive/tasks
99    chmod 0777 /dev/cpuctl/bg_non_interactive/tasks
100    # 5.0 %
101    write /dev/cpuctl/bg_non_interactive/cpu.shares 52
102
103# Allow everybody to read the xt_qtaguid resource tracking misc dev.
104# This is needed by any process that uses socket tagging.
105    chmod 0644 /dev/xt_qtaguid
106
107on fs
108# mount mtd partitions
109    # Mount /system rw first to give the filesystem a chance to save a checkpoint
110    mount yaffs2 mtd@system /system
111    mount yaffs2 mtd@system /system ro remount
112    mount yaffs2 mtd@userdata /data nosuid nodev
113    mount yaffs2 mtd@cache /cache nosuid nodev
114
115on post-fs
116    # once everything is setup, no need to modify /
117    mount rootfs rootfs / ro remount
118
119    # We chown/chmod /cache again so because mount is run as root + defaults
120    chown system cache /cache
121    chmod 0770 /cache
122
123    # This may have been created by the recovery system with odd permissions
124    chown system cache /cache/recovery
125    chmod 0770 /cache/recovery
126
127    #change permissions on vmallocinfo so we can grab it from bugreports
128    chown root log /proc/vmallocinfo
129    chmod 0440 /proc/vmallocinfo
130
131    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
132    chown root system /proc/kmsg
133    chmod 0440 /proc/kmsg
134    chown root system /proc/sysrq-trigger
135    chmod 0220 /proc/sysrq-trigger
136
137    # create the lost+found directories, so as to enforce our permissions
138    mkdir /cache/lost+found 0770 root root
139
140on post-fs-data
141    # We chown/chmod /data again so because mount is run as root + defaults
142    chown system system /data
143    chmod 0771 /data
144
145    # Create dump dir and collect dumps.
146    # Do this before we mount cache so eventually we can use cache for
147    # storing dumps on platforms which do not have a dedicated dump partition.
148    mkdir /data/dontpanic 0750 root log
149
150    # Collect apanic data, free resources and re-arm trigger
151    copy /proc/apanic_console /data/dontpanic/apanic_console
152    chown root log /data/dontpanic/apanic_console
153    chmod 0640 /data/dontpanic/apanic_console
154
155    copy /proc/apanic_threads /data/dontpanic/apanic_threads
156    chown root log /data/dontpanic/apanic_threads
157    chmod 0640 /data/dontpanic/apanic_threads
158
159    write /proc/apanic_console 1
160
161    # create basic filesystem structure
162    mkdir /data/misc 01771 system misc
163    mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth
164    mkdir /data/misc/bluetooth 0770 system system
165    mkdir /data/misc/keystore 0700 keystore keystore
166    mkdir /data/misc/keychain 0771 system system
167    mkdir /data/misc/vpn 0770 system vpn
168    mkdir /data/misc/systemkeys 0700 system system
169    # give system access to wpa_supplicant.conf for backup and restore
170    mkdir /data/misc/wifi 0770 wifi wifi
171    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
172    mkdir /data/local 0751 root root
173
174    # For security reasons, /data/local/tmp should always be empty.
175    # Do not place files or directories in /data/local/tmp
176    mkdir /data/local/tmp 0771 shell shell
177    mkdir /data/data 0771 system system
178    mkdir /data/app-private 0771 system system
179    mkdir /data/app 0771 system system
180    mkdir /data/property 0700 root root
181    mkdir /data/ssh 0750 root shell
182    mkdir /data/ssh/empty 0700 root root
183
184    # create dalvik-cache, so as to enforce our permissions
185    mkdir /data/dalvik-cache 0771 system system
186
187    # create resource-cache and double-check the perms
188    mkdir /data/resource-cache 0771 system system
189    chown system system /data/resource-cache
190    chmod 0771 /data/resource-cache
191
192    # create the lost+found directories, so as to enforce our permissions
193    mkdir /data/lost+found 0770 root root
194
195    # create directory for DRM plug-ins - give drm the read/write access to
196    # the following directory.
197    mkdir /data/drm 0770 drm drm
198
199    # If there is no fs-post-data action in the init.<device>.rc file, you
200    # must uncomment this line, otherwise encrypted filesystems
201    # won't work.
202    # Set indication (checked by vold) that we have finished this action
203    #setprop vold.post_fs_data_done 1
204
205on boot
206# basic network init
207    ifup lo
208    hostname localhost
209    domainname localdomain
210
211# set RLIMIT_NICE to allow priorities from 19 to -20
212    setrlimit 13 40 40
213
214# Memory management.  Basic kernel parameters, and allow the high
215# level system server to be able to adjust the kernel OOM driver
216# paramters to match how it is managing things.
217    write /proc/sys/vm/overcommit_memory 1
218    write /proc/sys/vm/min_free_order_shift 4
219    chown root system /sys/module/lowmemorykiller/parameters/adj
220    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
221    chown root system /sys/module/lowmemorykiller/parameters/minfree
222    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
223
224    # Tweak background writeout
225    write /proc/sys/vm/dirty_expire_centisecs 200
226    write /proc/sys/vm/dirty_background_ratio  5
227
228    # Permissions for System Server and daemons.
229    chown radio system /sys/android_power/state
230    chown radio system /sys/android_power/request_state
231    chown radio system /sys/android_power/acquire_full_wake_lock
232    chown radio system /sys/android_power/acquire_partial_wake_lock
233    chown radio system /sys/android_power/release_wake_lock
234    chown system system /sys/power/state
235    chown system system /sys/power/wakeup_count
236    chown radio system /sys/power/wake_lock
237    chown radio system /sys/power/wake_unlock
238    chmod 0660 /sys/power/state
239    chmod 0660 /sys/power/wake_lock
240    chmod 0660 /sys/power/wake_unlock
241
242    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
243    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
244    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
245    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
246    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
247    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
248    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
249    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
250    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
251    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
252
253    # Assume SMP uses shared cpufreq policy for all CPUs
254    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
255    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
256
257    chown system system /sys/class/timed_output/vibrator/enable
258    chown system system /sys/class/leds/keyboard-backlight/brightness
259    chown system system /sys/class/leds/lcd-backlight/brightness
260    chown system system /sys/class/leds/button-backlight/brightness
261    chown system system /sys/class/leds/jogball-backlight/brightness
262    chown system system /sys/class/leds/red/brightness
263    chown system system /sys/class/leds/green/brightness
264    chown system system /sys/class/leds/blue/brightness
265    chown system system /sys/class/leds/red/device/grpfreq
266    chown system system /sys/class/leds/red/device/grppwm
267    chown system system /sys/class/leds/red/device/blink
268    chown system system /sys/class/leds/red/brightness
269    chown system system /sys/class/leds/green/brightness
270    chown system system /sys/class/leds/blue/brightness
271    chown system system /sys/class/leds/red/device/grpfreq
272    chown system system /sys/class/leds/red/device/grppwm
273    chown system system /sys/class/leds/red/device/blink
274    chown system system /sys/class/timed_output/vibrator/enable
275    chown system system /sys/module/sco/parameters/disable_esco
276    chown system system /sys/kernel/ipv4/tcp_wmem_min
277    chown system system /sys/kernel/ipv4/tcp_wmem_def
278    chown system system /sys/kernel/ipv4/tcp_wmem_max
279    chown system system /sys/kernel/ipv4/tcp_rmem_min
280    chown system system /sys/kernel/ipv4/tcp_rmem_def
281    chown system system /sys/kernel/ipv4/tcp_rmem_max
282    chown root radio /proc/cmdline
283
284# Define TCP buffer sizes for various networks
285#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
286    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
287    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
288    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
289    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
290    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
291    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
292    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
293
294# Set this property so surfaceflinger is not started by system_init
295    setprop system_init.startsurfaceflinger 0
296
297    class_start core
298    class_start main
299
300on nonencrypted
301    class_start late_start
302
303on charger
304    class_start charger
305
306on property:vold.decrypt=trigger_reset_main
307    class_reset main
308
309on property:vold.decrypt=trigger_load_persist_props
310    load_persist_props
311
312on property:vold.decrypt=trigger_post_fs_data
313    trigger post-fs-data
314
315on property:vold.decrypt=trigger_restart_min_framework
316    class_start main
317
318on property:vold.decrypt=trigger_restart_framework
319    class_start main
320    class_start late_start
321
322on property:vold.decrypt=trigger_shutdown_framework
323    class_reset late_start
324    class_reset main
325
326## Daemon processes to be run by init.
327##
328service ueventd /sbin/ueventd
329    class core
330    critical
331
332service console /system/bin/sh
333    class core
334    console
335    disabled
336    user shell
337    group log
338
339on property:ro.debuggable=1
340    start console
341
342# Allow writing to the kernel trace log.  Enabling tracing still requires root.
343on property:ro.debuggable=1
344    chmod 0222 /sys/kernel/debug/tracing/trace_marker
345
346# adbd is controlled via property triggers in init.<platform>.usb.rc
347service adbd /sbin/adbd
348    class core
349    disabled
350
351# adbd on at boot in emulator
352on property:ro.kernel.qemu=1
353    start adbd
354
355service servicemanager /system/bin/servicemanager
356    class core
357    user system
358    group system
359    critical
360    onrestart restart zygote
361    onrestart restart media
362    onrestart restart surfaceflinger
363    onrestart restart drm
364
365service vold /system/bin/vold
366    class core
367    socket vold stream 0660 root mount
368    ioprio be 2
369
370service netd /system/bin/netd
371    class main
372    socket netd stream 0660 root system
373    socket dnsproxyd stream 0660 root inet
374    socket mdns stream 0660 root system
375
376service debuggerd /system/bin/debuggerd
377    class main
378
379service ril-daemon /system/bin/rild
380    class main
381    socket rild stream 660 root radio
382    socket rild-debug stream 660 radio system
383    user root
384    group radio cache inet misc audio sdcard_rw log
385
386service surfaceflinger /system/bin/surfaceflinger
387    class main
388    user system
389    group graphics
390    onrestart restart zygote
391
392service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
393    class main
394    socket zygote stream 660 root system
395    onrestart write /sys/android_power/request_state wake
396    onrestart write /sys/power/state on
397    onrestart restart media
398    onrestart restart netd
399
400service drm /system/bin/drmserver
401    class main
402    user drm
403    group drm system inet drmrpc
404
405service media /system/bin/mediaserver
406    class main
407    user media
408    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc
409    ioprio rt 4
410
411service bootanim /system/bin/bootanimation
412    class main
413    user graphics
414    group graphics
415    disabled
416    oneshot
417
418service dbus /system/bin/dbus-daemon --system --nofork
419    class main
420    socket dbus stream 660 bluetooth bluetooth
421    user bluetooth
422    group bluetooth net_bt_admin
423
424service bluetoothd /system/bin/bluetoothd -n
425    class main
426    socket bluetooth stream 660 bluetooth bluetooth
427    socket dbus_bluetooth stream 660 bluetooth bluetooth
428    # init.rc does not yet support applying capabilities, so run as root and
429    # let bluetoothd drop uid to bluetooth with the right linux capabilities
430    group bluetooth net_bt_admin misc
431    disabled
432
433service installd /system/bin/installd
434    class main
435    socket installd stream 600 system system
436
437service flash_recovery /system/etc/install-recovery.sh
438    class main
439    oneshot
440
441service racoon /system/bin/racoon
442    class main
443    socket racoon stream 600 system system
444    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
445    group vpn net_admin inet
446    disabled
447    oneshot
448
449service mtpd /system/bin/mtpd
450    class main
451    socket mtpd stream 600 system system
452    user vpn
453    group vpn net_admin inet net_raw
454    disabled
455    oneshot
456
457service keystore /system/bin/keystore /data/misc/keystore
458    class main
459    user keystore
460    group keystore drmrpc
461    socket keystore stream 666
462
463service dumpstate /system/bin/dumpstate -s
464    class main
465    socket dumpstate stream 0660 shell log
466    disabled
467    oneshot
468
469service sshd /system/bin/start-ssh
470    class main
471    disabled
472
473service mdnsd /system/bin/mdnsd
474    class main
475    user mdnsr
476    group inet net_raw
477    socket mdnsd stream 0660 mdnsr inet
478    disabled
479    oneshot
480
481