init.rc revision f4c1512db8f0d2fd19d80487d96db3af7ceaacb5
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.usb.rc 8import /init.${ro.hardware}.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ANDROID_STORAGE /storage 38 export ASEC_MOUNTPOINT /mnt/asec 39 export LOOP_MOUNTPOINT /mnt/obb 40 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 41 42# Backward compatibility 43 symlink /system/etc /etc 44 symlink /sys/kernel/debug /d 45 46# Right now vendor lives on the same filesystem as system, 47# but someday that may change. 48 symlink /system/vendor /vendor 49 50# Create cgroup mount point for cpu accounting 51 mkdir /acct 52 mount cgroup none /acct cpuacct 53 mkdir /acct/uid 54 55 mkdir /system 56 mkdir /data 0771 system system 57 mkdir /cache 0770 system cache 58 mkdir /config 0500 root root 59 60 # See storage config details at http://source.android.com/tech/storage/ 61 mkdir /mnt/shell 0700 shell shell 62 mkdir /storage 0050 root sdcard_r 63 64 # Directory for putting things only root should see. 65 mkdir /mnt/secure 0700 root root 66 # Create private mountpoint so we can MS_MOVE from staging 67 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 68 69 # Directory for staging bindmounts 70 mkdir /mnt/secure/staging 0700 root root 71 72 # Directory-target for where the secure container 73 # imagefile directory will be bind-mounted 74 mkdir /mnt/secure/asec 0700 root root 75 76 # Secure container public mount points. 77 mkdir /mnt/asec 0700 root system 78 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 79 80 # Filesystem image public mount points. 81 mkdir /mnt/obb 0700 root system 82 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 83 84 write /proc/sys/kernel/panic_on_oops 1 85 write /proc/sys/kernel/hung_task_timeout_secs 0 86 write /proc/cpu/alignment 4 87 write /proc/sys/kernel/sched_latency_ns 10000000 88 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 89 write /proc/sys/kernel/sched_compat_yield 1 90 write /proc/sys/kernel/sched_child_runs_first 0 91 write /proc/sys/kernel/randomize_va_space 2 92 write /proc/sys/kernel/kptr_restrict 2 93 write /proc/sys/kernel/dmesg_restrict 1 94 write /proc/sys/vm/mmap_min_addr 32768 95 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 96 write /proc/sys/kernel/sched_rt_runtime_us 950000 97 write /proc/sys/kernel/sched_rt_period_us 1000000 98 99# Create cgroup mount points for process groups 100 mkdir /dev/cpuctl 101 mount cgroup none /dev/cpuctl cpu 102 chown system system /dev/cpuctl 103 chown system system /dev/cpuctl/tasks 104 chmod 0660 /dev/cpuctl/tasks 105 write /dev/cpuctl/cpu.shares 1024 106 write /dev/cpuctl/cpu.rt_runtime_us 950000 107 write /dev/cpuctl/cpu.rt_period_us 1000000 108 109 mkdir /dev/cpuctl/apps 110 chown system system /dev/cpuctl/apps/tasks 111 chmod 0666 /dev/cpuctl/apps/tasks 112 write /dev/cpuctl/apps/cpu.shares 1024 113 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 114 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 115 116 mkdir /dev/cpuctl/apps/bg_non_interactive 117 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 118 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 119 # 5.0 % 120 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 121 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 122 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 123 124# qtaguid will limit access to specific data based on group memberships. 125# net_bw_acct grants impersonation of socket owners. 126# net_bw_stats grants access to other apps' detailed tagged-socket stats. 127 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 128 chown root net_bw_stats /proc/net/xt_qtaguid/stats 129 130# Allow everybody to read the xt_qtaguid resource tracking misc dev. 131# This is needed by any process that uses socket tagging. 132 chmod 0644 /dev/xt_qtaguid 133 134on fs 135# mount mtd partitions 136 # Mount /system rw first to give the filesystem a chance to save a checkpoint 137 mount ext4 mtd@system /system 138 mount ext4 mtd@system /system ro remount 139 mount ext4 mtd@userdata /data nosuid nodev 140 mount ext4 mtd@cache /cache nosuid nodev 141 142on post-fs 143 # once everything is setup, no need to modify / 144 mount rootfs rootfs / ro remount 145 # mount shared so changes propagate into child namespaces 146 mount rootfs rootfs / shared rec 147 mount tmpfs tmpfs /mnt/secure private rec 148 149 # We chown/chmod /cache again so because mount is run as root + defaults 150 chown system cache /cache 151 chmod 0770 /cache 152 # We restorecon /cache in case the cache partition has been reset. 153 restorecon /cache 154 155 # This may have been created by the recovery system with odd permissions 156 chown system cache /cache/recovery 157 chmod 0770 /cache/recovery 158 # This may have been created by the recovery system with the wrong context. 159 restorecon /cache/recovery 160 161 #change permissions on vmallocinfo so we can grab it from bugreports 162 chown root log /proc/vmallocinfo 163 chmod 0440 /proc/vmallocinfo 164 165 chown root log /proc/slabinfo 166 chmod 0440 /proc/slabinfo 167 168 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 169 chown root system /proc/kmsg 170 chmod 0440 /proc/kmsg 171 chown root system /proc/sysrq-trigger 172 chmod 0220 /proc/sysrq-trigger 173 chown system log /proc/last_kmsg 174 chmod 0440 /proc/last_kmsg 175 176 # create the lost+found directories, so as to enforce our permissions 177 mkdir /cache/lost+found 0770 root root 178 179on post-fs-data 180 # We chown/chmod /data again so because mount is run as root + defaults 181 chown system system /data 182 chmod 0771 /data 183 # We restorecon /data in case the userdata partition has been reset. 184 restorecon /data 185 186 # Create dump dir and collect dumps. 187 # Do this before we mount cache so eventually we can use cache for 188 # storing dumps on platforms which do not have a dedicated dump partition. 189 mkdir /data/dontpanic 0750 root log 190 191 # Collect apanic data, free resources and re-arm trigger 192 copy /proc/apanic_console /data/dontpanic/apanic_console 193 chown root log /data/dontpanic/apanic_console 194 chmod 0640 /data/dontpanic/apanic_console 195 196 copy /proc/apanic_threads /data/dontpanic/apanic_threads 197 chown root log /data/dontpanic/apanic_threads 198 chmod 0640 /data/dontpanic/apanic_threads 199 200 write /proc/apanic_console 1 201 202 # create basic filesystem structure 203 mkdir /data/misc 01771 system misc 204 mkdir /data/misc/adb 02750 system shell 205 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 206 mkdir /data/misc/bluetooth 0770 system system 207 mkdir /data/misc/keystore 0700 keystore keystore 208 mkdir /data/misc/keychain 0771 system system 209 mkdir /data/misc/sms 0770 system radio 210 mkdir /data/misc/zoneinfo 0775 system system 211 mkdir /data/misc/vpn 0770 system vpn 212 mkdir /data/misc/systemkeys 0700 system system 213 # give system access to wpa_supplicant.conf for backup and restore 214 mkdir /data/misc/wifi 0770 wifi wifi 215 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 216 mkdir /data/local 0751 root root 217 218 # For security reasons, /data/local/tmp should always be empty. 219 # Do not place files or directories in /data/local/tmp 220 mkdir /data/local/tmp 0771 shell shell 221 mkdir /data/data 0771 system system 222 mkdir /data/app-private 0771 system system 223 mkdir /data/app-asec 0700 root root 224 mkdir /data/app-lib 0771 system system 225 mkdir /data/app 0771 system system 226 mkdir /data/property 0700 root root 227 mkdir /data/ssh 0750 root shell 228 mkdir /data/ssh/empty 0700 root root 229 230 # create dalvik-cache, so as to enforce our permissions 231 mkdir /data/dalvik-cache 0771 system system 232 233 # create resource-cache and double-check the perms 234 mkdir /data/resource-cache 0771 system system 235 chown system system /data/resource-cache 236 chmod 0771 /data/resource-cache 237 238 # create the lost+found directories, so as to enforce our permissions 239 mkdir /data/lost+found 0770 root root 240 241 # create directory for DRM plug-ins - give drm the read/write access to 242 # the following directory. 243 mkdir /data/drm 0770 drm drm 244 245 # Separate location for storing security policy files on data 246 mkdir /data/security 0711 system system 247 248 # If there is no fs-post-data action in the init.<device>.rc file, you 249 # must uncomment this line, otherwise encrypted filesystems 250 # won't work. 251 # Set indication (checked by vold) that we have finished this action 252 #setprop vold.post_fs_data_done 1 253 254on boot 255# basic network init 256 ifup lo 257 hostname localhost 258 domainname localdomain 259 260# set RLIMIT_NICE to allow priorities from 19 to -20 261 setrlimit 13 40 40 262 263# Memory management. Basic kernel parameters, and allow the high 264# level system server to be able to adjust the kernel OOM driver 265# parameters to match how it is managing things. 266 write /proc/sys/vm/overcommit_memory 1 267 write /proc/sys/vm/min_free_order_shift 4 268 chown root system /sys/module/lowmemorykiller/parameters/adj 269 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 270 chown root system /sys/module/lowmemorykiller/parameters/minfree 271 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 272 273 # Tweak background writeout 274 write /proc/sys/vm/dirty_expire_centisecs 200 275 write /proc/sys/vm/dirty_background_ratio 5 276 277 # Permissions for System Server and daemons. 278 chown radio system /sys/android_power/state 279 chown radio system /sys/android_power/request_state 280 chown radio system /sys/android_power/acquire_full_wake_lock 281 chown radio system /sys/android_power/acquire_partial_wake_lock 282 chown radio system /sys/android_power/release_wake_lock 283 chown system system /sys/power/autosleep 284 chown system system /sys/power/state 285 chown system system /sys/power/wakeup_count 286 chown radio system /sys/power/wake_lock 287 chown radio system /sys/power/wake_unlock 288 chmod 0660 /sys/power/state 289 chmod 0660 /sys/power/wake_lock 290 chmod 0660 /sys/power/wake_unlock 291 292 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 293 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 294 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 295 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 296 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 297 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 298 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 299 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 300 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 301 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 302 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 303 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 304 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 305 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 306 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 307 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 308 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 309 310 # Assume SMP uses shared cpufreq policy for all CPUs 311 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 312 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 313 314 chown system system /sys/class/timed_output/vibrator/enable 315 chown system system /sys/class/leds/keyboard-backlight/brightness 316 chown system system /sys/class/leds/lcd-backlight/brightness 317 chown system system /sys/class/leds/button-backlight/brightness 318 chown system system /sys/class/leds/jogball-backlight/brightness 319 chown system system /sys/class/leds/red/brightness 320 chown system system /sys/class/leds/green/brightness 321 chown system system /sys/class/leds/blue/brightness 322 chown system system /sys/class/leds/red/device/grpfreq 323 chown system system /sys/class/leds/red/device/grppwm 324 chown system system /sys/class/leds/red/device/blink 325 chown system system /sys/class/timed_output/vibrator/enable 326 chown system system /sys/module/sco/parameters/disable_esco 327 chown system system /sys/kernel/ipv4/tcp_wmem_min 328 chown system system /sys/kernel/ipv4/tcp_wmem_def 329 chown system system /sys/kernel/ipv4/tcp_wmem_max 330 chown system system /sys/kernel/ipv4/tcp_rmem_min 331 chown system system /sys/kernel/ipv4/tcp_rmem_def 332 chown system system /sys/kernel/ipv4/tcp_rmem_max 333 chown root radio /proc/cmdline 334 335# Define TCP buffer sizes for various networks 336# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 337 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 338 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 339 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 340 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 341 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 342 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 343 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 344 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 345 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 346 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 347 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 348 349# Set this property so surfaceflinger is not started by system_init 350 setprop system_init.startsurfaceflinger 0 351 352 class_start core 353 class_start main 354 355on nonencrypted 356 class_start late_start 357 358on charger 359 class_start charger 360 361on property:vold.decrypt=trigger_reset_main 362 class_reset main 363 364on property:vold.decrypt=trigger_load_persist_props 365 load_persist_props 366 367on property:vold.decrypt=trigger_post_fs_data 368 trigger post-fs-data 369 370on property:vold.decrypt=trigger_restart_min_framework 371 class_start main 372 373on property:vold.decrypt=trigger_restart_framework 374 class_start main 375 class_start late_start 376 377on property:vold.decrypt=trigger_shutdown_framework 378 class_reset late_start 379 class_reset main 380 381## Daemon processes to be run by init. 382## 383service ueventd /sbin/ueventd 384 class core 385 critical 386 seclabel u:r:ueventd:s0 387 388on property:selinux.reload_policy=1 389 restart ueventd 390 restart installd 391 392service console /system/bin/sh 393 class core 394 console 395 disabled 396 user shell 397 group log 398 399on property:ro.debuggable=1 400 start console 401 402# adbd is controlled via property triggers in init.<platform>.usb.rc 403service adbd /sbin/adbd 404 class core 405 socket adbd stream 660 system system 406 disabled 407 seclabel u:r:adbd:s0 408 409# adbd on at boot in emulator 410on property:ro.kernel.qemu=1 411 start adbd 412 413service servicemanager /system/bin/servicemanager 414 class core 415 user system 416 group system 417 critical 418 onrestart restart zygote 419 onrestart restart media 420 onrestart restart surfaceflinger 421 onrestart restart drm 422 423service vold /system/bin/vold 424 class core 425 socket vold stream 0660 root mount 426 ioprio be 2 427 428service netd /system/bin/netd 429 class main 430 socket netd stream 0660 root system 431 socket dnsproxyd stream 0660 root inet 432 socket mdns stream 0660 root system 433 434service debuggerd /system/bin/debuggerd 435 class main 436 437service ril-daemon /system/bin/rild 438 class main 439 socket rild stream 660 root radio 440 socket rild-debug stream 660 radio system 441 user root 442 group radio cache inet misc audio log 443 444service surfaceflinger /system/bin/surfaceflinger 445 class main 446 user system 447 group graphics drmrpc 448 onrestart restart zygote 449 450service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 451 class main 452 socket zygote stream 660 root system 453 onrestart write /sys/android_power/request_state wake 454 onrestart write /sys/power/state on 455 onrestart restart media 456 onrestart restart netd 457 458service drm /system/bin/drmserver 459 class main 460 user drm 461 group drm system inet drmrpc 462 463service media /system/bin/mediaserver 464 class main 465 user media 466 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 467 ioprio rt 4 468 469service bootanim /system/bin/bootanimation 470 class main 471 user graphics 472 group graphics 473 disabled 474 oneshot 475 476service installd /system/bin/installd 477 class main 478 socket installd stream 600 system system 479 480service flash_recovery /system/etc/install-recovery.sh 481 class main 482 oneshot 483 484service racoon /system/bin/racoon 485 class main 486 socket racoon stream 600 system system 487 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 488 group vpn net_admin inet 489 disabled 490 oneshot 491 492service mtpd /system/bin/mtpd 493 class main 494 socket mtpd stream 600 system system 495 user vpn 496 group vpn net_admin inet net_raw 497 disabled 498 oneshot 499 500service keystore /system/bin/keystore /data/misc/keystore 501 class main 502 user keystore 503 group keystore drmrpc 504 505service dumpstate /system/bin/dumpstate -s 506 class main 507 socket dumpstate stream 0660 shell log 508 disabled 509 oneshot 510 511service sshd /system/bin/start-ssh 512 class main 513 disabled 514 515service mdnsd /system/bin/mdnsd 516 class main 517 user mdnsr 518 group inet net_raw 519 socket mdnsd stream 0660 mdnsr inet 520 disabled 521 oneshot 522