init.rc revision f3ef1271f225d9f00bb4ebb0573eb3e03829f9a8
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8 9on early-init 10 # Set init and its forked children's oom_adj. 11 write /proc/1/oom_adj -16 12 13 start ueventd 14 15# create mountpoints 16 mkdir /mnt 0775 root system 17 18on init 19 20sysclktz 0 21 22loglevel 3 23 24# setup the global environment 25 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 26 export LD_LIBRARY_PATH /vendor/lib:/system/lib 27 export ANDROID_BOOTLOGO 1 28 export ANDROID_ROOT /system 29 export ANDROID_ASSETS /system/app 30 export ANDROID_DATA /data 31 export ASEC_MOUNTPOINT /mnt/asec 32 export LOOP_MOUNTPOINT /mnt/obb 33 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar:/system/framework/filterfw.jar 34 35# Backward compatibility 36 symlink /system/etc /etc 37 symlink /sys/kernel/debug /d 38 39# Right now vendor lives on the same filesystem as system, 40# but someday that may change. 41 symlink /system/vendor /vendor 42 43# Create cgroup mount point for cpu accounting 44 mkdir /acct 45 mount cgroup none /acct cpuacct 46 mkdir /acct/uid 47 48 mkdir /system 49 mkdir /data 0771 system system 50 mkdir /cache 0770 system cache 51 mkdir /config 0500 root root 52 53 # Directory for putting things only root should see. 54 mkdir /mnt/secure 0700 root root 55 56 # Directory for staging bindmounts 57 mkdir /mnt/secure/staging 0700 root root 58 59 # Directory-target for where the secure container 60 # imagefile directory will be bind-mounted 61 mkdir /mnt/secure/asec 0700 root root 62 63 # Secure container public mount points. 64 mkdir /mnt/asec 0700 root system 65 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 66 67 # Filesystem image public mount points. 68 mkdir /mnt/obb 0700 root system 69 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 70 71 write /proc/sys/kernel/panic_on_oops 1 72 write /proc/sys/kernel/hung_task_timeout_secs 0 73 write /proc/cpu/alignment 4 74 write /proc/sys/kernel/sched_latency_ns 10000000 75 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 76 write /proc/sys/kernel/sched_compat_yield 1 77 write /proc/sys/kernel/sched_child_runs_first 0 78 write /proc/sys/kernel/randomize_va_space 2 79 write /proc/sys/kernel/kptr_restrict 2 80 write /proc/sys/kernel/dmesg_restrict 1 81 write /proc/sys/vm/mmap_min_addr 32768 82 83# Create cgroup mount points for process groups 84 mkdir /dev/cpuctl 85 mount cgroup none /dev/cpuctl cpu 86 chown system system /dev/cpuctl 87 chown system system /dev/cpuctl/tasks 88 chmod 0777 /dev/cpuctl/tasks 89 write /dev/cpuctl/cpu.shares 1024 90 91 mkdir /dev/cpuctl/fg_boost 92 chown system system /dev/cpuctl/fg_boost/tasks 93 chmod 0777 /dev/cpuctl/fg_boost/tasks 94 write /dev/cpuctl/fg_boost/cpu.shares 1024 95 96 mkdir /dev/cpuctl/bg_non_interactive 97 chown system system /dev/cpuctl/bg_non_interactive/tasks 98 chmod 0777 /dev/cpuctl/bg_non_interactive/tasks 99 # 5.0 % 100 write /dev/cpuctl/bg_non_interactive/cpu.shares 52 101 102# Allow everybody to read the xt_qtaguid resource tracking misc dev. 103# This is needed by any process that uses socket tagging. 104 chmod 0644 /dev/xt_qtaguid 105 106on fs 107# mount mtd partitions 108 # Mount /system rw first to give the filesystem a chance to save a checkpoint 109 mount yaffs2 mtd@system /system 110 mount yaffs2 mtd@system /system ro remount 111 mount yaffs2 mtd@userdata /data nosuid nodev 112 mount yaffs2 mtd@cache /cache nosuid nodev 113 114on post-fs 115 # once everything is setup, no need to modify / 116 mount rootfs rootfs / ro remount 117 118 # We chown/chmod /cache again so because mount is run as root + defaults 119 chown system cache /cache 120 chmod 0770 /cache 121 122 # This may have been created by the recovery system with odd permissions 123 chown system cache /cache/recovery 124 chmod 0770 /cache/recovery 125 126 #change permissions on vmallocinfo so we can grab it from bugreports 127 chown root log /proc/vmallocinfo 128 chmod 0440 /proc/vmallocinfo 129 130 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 131 chown root system /proc/kmsg 132 chmod 0440 /proc/kmsg 133 chown root system /proc/sysrq-trigger 134 chmod 0220 /proc/sysrq-trigger 135 136 # create the lost+found directories, so as to enforce our permissions 137 mkdir /cache/lost+found 0770 root root 138 139on post-fs-data 140 # We chown/chmod /data again so because mount is run as root + defaults 141 chown system system /data 142 chmod 0771 /data 143 144 # Create dump dir and collect dumps. 145 # Do this before we mount cache so eventually we can use cache for 146 # storing dumps on platforms which do not have a dedicated dump partition. 147 mkdir /data/dontpanic 0750 root log 148 149 # Collect apanic data, free resources and re-arm trigger 150 copy /proc/apanic_console /data/dontpanic/apanic_console 151 chown root log /data/dontpanic/apanic_console 152 chmod 0640 /data/dontpanic/apanic_console 153 154 copy /proc/apanic_threads /data/dontpanic/apanic_threads 155 chown root log /data/dontpanic/apanic_threads 156 chmod 0640 /data/dontpanic/apanic_threads 157 158 write /proc/apanic_console 1 159 160 # create basic filesystem structure 161 mkdir /data/misc 01771 system misc 162 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 163 mkdir /data/misc/bluetooth 0770 system system 164 mkdir /data/misc/keystore 0700 keystore keystore 165 mkdir /data/misc/keychain 0771 system system 166 mkdir /data/misc/vpn 0770 system vpn 167 mkdir /data/misc/systemkeys 0700 system system 168 # give system access to wpa_supplicant.conf for backup and restore 169 mkdir /data/misc/wifi 0770 wifi wifi 170 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 171 mkdir /data/local 0751 root root 172 173 # For security reasons, /data/local/tmp should always be empty. 174 # Do not place files or directories in /data/local/tmp 175 mkdir /data/local/tmp 0771 shell shell 176 mkdir /data/data 0771 system system 177 mkdir /data/app-private 0771 system system 178 mkdir /data/app 0771 system system 179 mkdir /data/property 0700 root root 180 181 # create dalvik-cache, so as to enforce our permissions 182 mkdir /data/dalvik-cache 0771 system system 183 184 # create resource-cache and double-check the perms 185 mkdir /data/resource-cache 0771 system system 186 chown system system /data/resource-cache 187 chmod 0771 /data/resource-cache 188 189 # create the lost+found directories, so as to enforce our permissions 190 mkdir /data/lost+found 0770 root root 191 192 # create directory for DRM plug-ins - give drm the read/write access to 193 # the following directory. 194 mkdir /data/drm 0770 drm drm 195 196 # If there is no fs-post-data action in the init.<device>.rc file, you 197 # must uncomment this line, otherwise encrypted filesystems 198 # won't work. 199 # Set indication (checked by vold) that we have finished this action 200 #setprop vold.post_fs_data_done 1 201 202 chown system system /sys/class/android_usb/android0/f_mass_storage/lun/file 203 chmod 0660 /sys/class/android_usb/android0/f_mass_storage/lun/file 204 chown system system /sys/class/android_usb/android0/f_rndis/ethaddr 205 chmod 0660 /sys/class/android_usb/android0/f_rndis/ethaddr 206 207on boot 208# basic network init 209 ifup lo 210 hostname localhost 211 domainname localdomain 212 213# set RLIMIT_NICE to allow priorities from 19 to -20 214 setrlimit 13 40 40 215 216# Memory management. Basic kernel parameters, and allow the high 217# level system server to be able to adjust the kernel OOM driver 218# paramters to match how it is managing things. 219 write /proc/sys/vm/overcommit_memory 1 220 write /proc/sys/vm/min_free_order_shift 4 221 chown root system /sys/module/lowmemorykiller/parameters/adj 222 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 223 chown root system /sys/module/lowmemorykiller/parameters/minfree 224 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 225 226 # Tweak background writeout 227 write /proc/sys/vm/dirty_expire_centisecs 200 228 write /proc/sys/vm/dirty_background_ratio 5 229 230 # Permissions for System Server and daemons. 231 chown radio system /sys/android_power/state 232 chown radio system /sys/android_power/request_state 233 chown radio system /sys/android_power/acquire_full_wake_lock 234 chown radio system /sys/android_power/acquire_partial_wake_lock 235 chown radio system /sys/android_power/release_wake_lock 236 chown radio system /sys/power/state 237 chown radio system /sys/power/wake_lock 238 chown radio system /sys/power/wake_unlock 239 chmod 0660 /sys/power/state 240 chmod 0660 /sys/power/wake_lock 241 chmod 0660 /sys/power/wake_unlock 242 chown system system /sys/class/timed_output/vibrator/enable 243 chown system system /sys/class/leds/keyboard-backlight/brightness 244 chown system system /sys/class/leds/lcd-backlight/brightness 245 chown system system /sys/class/leds/button-backlight/brightness 246 chown system system /sys/class/leds/jogball-backlight/brightness 247 chown system system /sys/class/leds/red/brightness 248 chown system system /sys/class/leds/green/brightness 249 chown system system /sys/class/leds/blue/brightness 250 chown system system /sys/class/leds/red/device/grpfreq 251 chown system system /sys/class/leds/red/device/grppwm 252 chown system system /sys/class/leds/red/device/blink 253 chown system system /sys/class/leds/red/brightness 254 chown system system /sys/class/leds/green/brightness 255 chown system system /sys/class/leds/blue/brightness 256 chown system system /sys/class/leds/red/device/grpfreq 257 chown system system /sys/class/leds/red/device/grppwm 258 chown system system /sys/class/leds/red/device/blink 259 chown system system /sys/class/timed_output/vibrator/enable 260 chown system system /sys/module/sco/parameters/disable_esco 261 chown system system /sys/kernel/ipv4/tcp_wmem_min 262 chown system system /sys/kernel/ipv4/tcp_wmem_def 263 chown system system /sys/kernel/ipv4/tcp_wmem_max 264 chown system system /sys/kernel/ipv4/tcp_rmem_min 265 chown system system /sys/kernel/ipv4/tcp_rmem_def 266 chown system system /sys/kernel/ipv4/tcp_rmem_max 267 chown root radio /proc/cmdline 268 269# Define TCP buffer sizes for various networks 270# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 271 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 272 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 273 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 274 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 275 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 276 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 277 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 278 279# Set this property so surfaceflinger is not started by system_init 280 setprop system_init.startsurfaceflinger 0 281 282 class_start core 283 class_start main 284 285on nonencrypted 286 class_start late_start 287 288on charger 289 class_start charger 290 291on property:vold.decrypt=trigger_reset_main 292 class_reset main 293 294on property:vold.decrypt=trigger_load_persist_props 295 load_persist_props 296 297on property:vold.decrypt=trigger_post_fs_data 298 trigger post-fs-data 299 300on property:vold.decrypt=trigger_restart_min_framework 301 class_start main 302 303on property:vold.decrypt=trigger_restart_framework 304 class_start main 305 class_start late_start 306 307on property:vold.decrypt=trigger_shutdown_framework 308 class_reset late_start 309 class_reset main 310 311# Used to disable USB when switching states 312on property:sys.usb.config=none 313 stop adbd 314 write /sys/class/android_usb/android0/enable 0 315 write /sys/class/android_usb/android0/bDeviceClass 0 316 setprop sys.usb.state ${sys.usb.config} 317 318# adb only USB configuration 319# This should only be used during device bringup 320# and as a fallback if the USB manager fails to set a standard configuration 321on property:sys.usb.config=adb 322 write /sys/class/android_usb/android0/enable 0 323 write /sys/class/android_usb/android0/idVendor 18d1 324 write /sys/class/android_usb/android0/idProduct D002 325 write /sys/class/android_usb/android0/functions ${sys.usb.config} 326 write /sys/class/android_usb/android0/enable 1 327 start adbd 328 setprop sys.usb.state ${sys.usb.config} 329 330# USB accessory configuration 331on property:sys.usb.config=accessory 332 write /sys/class/android_usb/android0/enable 0 333 write /sys/class/android_usb/android0/idVendor 18d1 334 write /sys/class/android_usb/android0/idProduct 2d00 335 write /sys/class/android_usb/android0/functions ${sys.usb.config} 336 write /sys/class/android_usb/android0/enable 1 337 setprop sys.usb.state ${sys.usb.config} 338 339# USB accessory configuration, with adb 340on property:sys.usb.config=accessory,adb 341 write /sys/class/android_usb/android0/enable 0 342 write /sys/class/android_usb/android0/idVendor 18d1 343 write /sys/class/android_usb/android0/idProduct 2d01 344 write /sys/class/android_usb/android0/functions ${sys.usb.config} 345 write /sys/class/android_usb/android0/enable 1 346 start adbd 347 setprop sys.usb.state ${sys.usb.config} 348 349# Used to set USB configuration at boot and to switch the configuration 350# when changing the default configuration 351on property:persist.sys.usb.config=* 352 setprop sys.usb.config ${persist.sys.usb.config} 353 354## Daemon processes to be run by init. 355## 356service ueventd /sbin/ueventd 357 class core 358 critical 359 360service console /system/bin/sh 361 class core 362 console 363 disabled 364 user shell 365 group log 366 367on property:ro.debuggable=1 368 start console 369 370# adbd is controlled via property triggers in init.<platform>.usb.rc 371service adbd /sbin/adbd 372 class core 373 disabled 374 375# adbd on at boot in emulator 376on property:ro.kernel.qemu=1 377 start adbd 378 379# This property trigger has added to imitiate the previous behavior of "adb root". 380# The adb gadget driver used to reset the USB bus when the adbd daemon exited, 381# and the host side adb relied on this behavior to force it to reconnect with the 382# new adbd instance after init relaunches it. So now we force the USB bus to reset 383# here when adbd sets the service.adb.root property to 1. We also restart adbd here 384# rather than waiting for init to notice its death and restarting it so the timing 385# of USB resetting and adb restarting more closely matches the previous behavior. 386on property:service.adb.root=1 387 write /sys/class/android_usb/android0/enable 0 388 restart adbd 389 write /sys/class/android_usb/android0/enable 1 390 391service servicemanager /system/bin/servicemanager 392 class core 393 user system 394 group system 395 critical 396 onrestart restart zygote 397 onrestart restart media 398 onrestart restart surfaceflinger 399 onrestart restart drm 400 401service vold /system/bin/vold 402 class core 403 socket vold stream 0660 root mount 404 ioprio be 2 405 406service netd /system/bin/netd 407 class main 408 socket netd stream 0660 root system 409 socket dnsproxyd stream 0660 root inet 410 411service debuggerd /system/bin/debuggerd 412 class main 413 414service ril-daemon /system/bin/rild 415 class main 416 socket rild stream 660 root radio 417 socket rild-debug stream 660 radio system 418 user root 419 group radio cache inet misc audio sdcard_rw log 420 421service surfaceflinger /system/bin/surfaceflinger 422 class main 423 user system 424 group graphics 425 onrestart restart zygote 426 427service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 428 class main 429 socket zygote stream 660 root system 430 onrestart write /sys/android_power/request_state wake 431 onrestart write /sys/power/state on 432 onrestart restart media 433 onrestart restart netd 434 435service drm /system/bin/drmserver 436 class main 437 user drm 438 group system inet drmrpc 439 440service media /system/bin/mediaserver 441 class main 442 user media 443 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 444 ioprio rt 4 445 446service bootanim /system/bin/bootanimation 447 class main 448 user graphics 449 group graphics 450 disabled 451 oneshot 452 453service dbus /system/bin/dbus-daemon --system --nofork 454 class main 455 socket dbus stream 660 bluetooth bluetooth 456 user bluetooth 457 group bluetooth net_bt_admin 458 459service bluetoothd /system/bin/bluetoothd -n 460 class main 461 socket bluetooth stream 660 bluetooth bluetooth 462 socket dbus_bluetooth stream 660 bluetooth bluetooth 463 # init.rc does not yet support applying capabilities, so run as root and 464 # let bluetoothd drop uid to bluetooth with the right linux capabilities 465 group bluetooth net_bt_admin misc 466 disabled 467 468service installd /system/bin/installd 469 class main 470 socket installd stream 600 system system 471 472service flash_recovery /system/etc/install-recovery.sh 473 class main 474 oneshot 475 476service racoon /system/bin/racoon 477 class main 478 socket racoon stream 600 system system 479 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 480 group vpn net_admin inet 481 disabled 482 oneshot 483 484service mtpd /system/bin/mtpd 485 class main 486 socket mtpd stream 600 system system 487 user vpn 488 group vpn net_admin inet net_raw 489 disabled 490 oneshot 491 492service keystore /system/bin/keystore /data/misc/keystore 493 class main 494 user keystore 495 group keystore 496 socket keystore stream 666 497 498service dumpstate /system/bin/dumpstate -s 499 class main 500 socket dumpstate stream 0660 shell log 501 disabled 502 oneshot 503