init.rc revision f4c1512db8f0d2fd19d80487d96db3af7ceaacb5 
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.usb.rc
8import /init.${ro.hardware}.rc
9import /init.trace.rc
10
11on early-init
12    # Set init and its forked children's oom_adj.
13    write /proc/1/oom_adj -16
14
15    # Set the security context for the init process.
16    # This should occur before anything else (e.g. ueventd) is started.
17    setcon u:r:init:s0
18
19    start ueventd
20
21# create mountpoints
22    mkdir /mnt 0775 root system
23
24on init
25
26sysclktz 0
27
28loglevel 3
29
30# setup the global environment
31    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
32    export LD_LIBRARY_PATH /vendor/lib:/system/lib
33    export ANDROID_BOOTLOGO 1
34    export ANDROID_ROOT /system
35    export ANDROID_ASSETS /system/app
36    export ANDROID_DATA /data
37    export ANDROID_STORAGE /storage
38    export ASEC_MOUNTPOINT /mnt/asec
39    export LOOP_MOUNTPOINT /mnt/obb
40    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar
41
42# Backward compatibility
43    symlink /system/etc /etc
44    symlink /sys/kernel/debug /d
45
46# Right now vendor lives on the same filesystem as system,
47# but someday that may change.
48    symlink /system/vendor /vendor
49
50# Create cgroup mount point for cpu accounting
51    mkdir /acct
52    mount cgroup none /acct cpuacct
53    mkdir /acct/uid
54
55    mkdir /system
56    mkdir /data 0771 system system
57    mkdir /cache 0770 system cache
58    mkdir /config 0500 root root
59
60    # See storage config details at http://source.android.com/tech/storage/
61    mkdir /mnt/shell 0700 shell shell
62    mkdir /storage 0050 root sdcard_r
63
64    # Directory for putting things only root should see.
65    mkdir /mnt/secure 0700 root root
66    # Create private mountpoint so we can MS_MOVE from staging
67    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0
68
69    # Directory for staging bindmounts
70    mkdir /mnt/secure/staging 0700 root root
71
72    # Directory-target for where the secure container
73    # imagefile directory will be bind-mounted
74    mkdir /mnt/secure/asec  0700 root root
75
76    # Secure container public mount points.
77    mkdir /mnt/asec  0700 root system
78    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
79
80    # Filesystem image public mount points.
81    mkdir /mnt/obb 0700 root system
82    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
83
84    write /proc/sys/kernel/panic_on_oops 1
85    write /proc/sys/kernel/hung_task_timeout_secs 0
86    write /proc/cpu/alignment 4
87    write /proc/sys/kernel/sched_latency_ns 10000000
88    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
89    write /proc/sys/kernel/sched_compat_yield 1
90    write /proc/sys/kernel/sched_child_runs_first 0
91    write /proc/sys/kernel/randomize_va_space 2
92    write /proc/sys/kernel/kptr_restrict 2
93    write /proc/sys/kernel/dmesg_restrict 1
94    write /proc/sys/vm/mmap_min_addr 32768
95    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
96    write /proc/sys/kernel/sched_rt_runtime_us 950000
97    write /proc/sys/kernel/sched_rt_period_us 1000000
98
99# Create cgroup mount points for process groups
100    mkdir /dev/cpuctl
101    mount cgroup none /dev/cpuctl cpu
102    chown system system /dev/cpuctl
103    chown system system /dev/cpuctl/tasks
104    chmod 0660 /dev/cpuctl/tasks
105    write /dev/cpuctl/cpu.shares 1024
106    write /dev/cpuctl/cpu.rt_runtime_us 950000
107    write /dev/cpuctl/cpu.rt_period_us 1000000
108
109    mkdir /dev/cpuctl/apps
110    chown system system /dev/cpuctl/apps/tasks
111    chmod 0666 /dev/cpuctl/apps/tasks
112    write /dev/cpuctl/apps/cpu.shares 1024
113    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
114    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
115
116    mkdir /dev/cpuctl/apps/bg_non_interactive
117    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
118    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
119    # 5.0 %
120    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
121    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
122    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
123
124# qtaguid will limit access to specific data based on group memberships.
125#   net_bw_acct grants impersonation of socket owners.
126#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
127    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
128    chown root net_bw_stats /proc/net/xt_qtaguid/stats
129
130# Allow everybody to read the xt_qtaguid resource tracking misc dev.
131# This is needed by any process that uses socket tagging.
132    chmod 0644 /dev/xt_qtaguid
133
134on fs
135# mount mtd partitions
136    # Mount /system rw first to give the filesystem a chance to save a checkpoint
137    mount ext4 mtd@system /system
138    mount ext4 mtd@system /system ro remount
139    mount ext4 mtd@userdata /data nosuid nodev
140    mount ext4 mtd@cache /cache nosuid nodev
141
142on post-fs
143    # once everything is setup, no need to modify /
144    mount rootfs rootfs / ro remount
145    # mount shared so changes propagate into child namespaces
146    mount rootfs rootfs / shared rec
147    mount tmpfs tmpfs /mnt/secure private rec
148
149    # We chown/chmod /cache again so because mount is run as root + defaults
150    chown system cache /cache
151    chmod 0770 /cache
152    # We restorecon /cache in case the cache partition has been reset.
153    restorecon /cache
154
155    # This may have been created by the recovery system with odd permissions
156    chown system cache /cache/recovery
157    chmod 0770 /cache/recovery
158    # This may have been created by the recovery system with the wrong context.
159    restorecon /cache/recovery
160
161    #change permissions on vmallocinfo so we can grab it from bugreports
162    chown root log /proc/vmallocinfo
163    chmod 0440 /proc/vmallocinfo
164
165    chown root log /proc/slabinfo
166    chmod 0440 /proc/slabinfo
167
168    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
169    chown root system /proc/kmsg
170    chmod 0440 /proc/kmsg
171    chown root system /proc/sysrq-trigger
172    chmod 0220 /proc/sysrq-trigger
173    chown system log /proc/last_kmsg
174    chmod 0440 /proc/last_kmsg
175
176    # create the lost+found directories, so as to enforce our permissions
177    mkdir /cache/lost+found 0770 root root
178
179on post-fs-data
180    # We chown/chmod /data again so because mount is run as root + defaults
181    chown system system /data
182    chmod 0771 /data
183    # We restorecon /data in case the userdata partition has been reset.
184    restorecon /data
185
186    # Create dump dir and collect dumps.
187    # Do this before we mount cache so eventually we can use cache for
188    # storing dumps on platforms which do not have a dedicated dump partition.
189    mkdir /data/dontpanic 0750 root log
190
191    # Collect apanic data, free resources and re-arm trigger
192    copy /proc/apanic_console /data/dontpanic/apanic_console
193    chown root log /data/dontpanic/apanic_console
194    chmod 0640 /data/dontpanic/apanic_console
195
196    copy /proc/apanic_threads /data/dontpanic/apanic_threads
197    chown root log /data/dontpanic/apanic_threads
198    chmod 0640 /data/dontpanic/apanic_threads
199
200    write /proc/apanic_console 1
201
202    # create basic filesystem structure
203    mkdir /data/misc 01771 system misc
204    mkdir /data/misc/adb 02750 system shell
205    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
206    mkdir /data/misc/bluetooth 0770 system system
207    mkdir /data/misc/keystore 0700 keystore keystore
208    mkdir /data/misc/keychain 0771 system system
209    mkdir /data/misc/sms 0770 system radio
210    mkdir /data/misc/zoneinfo 0775 system system
211    mkdir /data/misc/vpn 0770 system vpn
212    mkdir /data/misc/systemkeys 0700 system system
213    # give system access to wpa_supplicant.conf for backup and restore
214    mkdir /data/misc/wifi 0770 wifi wifi
215    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
216    mkdir /data/local 0751 root root
217
218    # For security reasons, /data/local/tmp should always be empty.
219    # Do not place files or directories in /data/local/tmp
220    mkdir /data/local/tmp 0771 shell shell
221    mkdir /data/data 0771 system system
222    mkdir /data/app-private 0771 system system
223    mkdir /data/app-asec 0700 root root
224    mkdir /data/app-lib 0771 system system
225    mkdir /data/app 0771 system system
226    mkdir /data/property 0700 root root
227    mkdir /data/ssh 0750 root shell
228    mkdir /data/ssh/empty 0700 root root
229
230    # create dalvik-cache, so as to enforce our permissions
231    mkdir /data/dalvik-cache 0771 system system
232
233    # create resource-cache and double-check the perms
234    mkdir /data/resource-cache 0771 system system
235    chown system system /data/resource-cache
236    chmod 0771 /data/resource-cache
237
238    # create the lost+found directories, so as to enforce our permissions
239    mkdir /data/lost+found 0770 root root
240
241    # create directory for DRM plug-ins - give drm the read/write access to
242    # the following directory.
243    mkdir /data/drm 0770 drm drm
244
245    # Separate location for storing security policy files on data
246    mkdir /data/security 0711 system system
247
248    # If there is no fs-post-data action in the init.<device>.rc file, you
249    # must uncomment this line, otherwise encrypted filesystems
250    # won't work.
251    # Set indication (checked by vold) that we have finished this action
252    #setprop vold.post_fs_data_done 1
253
254on boot
255# basic network init
256    ifup lo
257    hostname localhost
258    domainname localdomain
259
260# set RLIMIT_NICE to allow priorities from 19 to -20
261    setrlimit 13 40 40
262
263# Memory management.  Basic kernel parameters, and allow the high
264# level system server to be able to adjust the kernel OOM driver
265# parameters to match how it is managing things.
266    write /proc/sys/vm/overcommit_memory 1
267    write /proc/sys/vm/min_free_order_shift 4
268    chown root system /sys/module/lowmemorykiller/parameters/adj
269    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
270    chown root system /sys/module/lowmemorykiller/parameters/minfree
271    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
272
273    # Tweak background writeout
274    write /proc/sys/vm/dirty_expire_centisecs 200
275    write /proc/sys/vm/dirty_background_ratio  5
276
277    # Permissions for System Server and daemons.
278    chown radio system /sys/android_power/state
279    chown radio system /sys/android_power/request_state
280    chown radio system /sys/android_power/acquire_full_wake_lock
281    chown radio system /sys/android_power/acquire_partial_wake_lock
282    chown radio system /sys/android_power/release_wake_lock
283    chown system system /sys/power/autosleep
284    chown system system /sys/power/state
285    chown system system /sys/power/wakeup_count
286    chown radio system /sys/power/wake_lock
287    chown radio system /sys/power/wake_unlock
288    chmod 0660 /sys/power/state
289    chmod 0660 /sys/power/wake_lock
290    chmod 0660 /sys/power/wake_unlock
291
292    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
293    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
294    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
295    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
296    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
297    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
298    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
299    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
300    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
301    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
302    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
303    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
304    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
305    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
306    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
307    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
308    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
309
310    # Assume SMP uses shared cpufreq policy for all CPUs
311    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
312    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
313
314    chown system system /sys/class/timed_output/vibrator/enable
315    chown system system /sys/class/leds/keyboard-backlight/brightness
316    chown system system /sys/class/leds/lcd-backlight/brightness
317    chown system system /sys/class/leds/button-backlight/brightness
318    chown system system /sys/class/leds/jogball-backlight/brightness
319    chown system system /sys/class/leds/red/brightness
320    chown system system /sys/class/leds/green/brightness
321    chown system system /sys/class/leds/blue/brightness
322    chown system system /sys/class/leds/red/device/grpfreq
323    chown system system /sys/class/leds/red/device/grppwm
324    chown system system /sys/class/leds/red/device/blink
325    chown system system /sys/class/timed_output/vibrator/enable
326    chown system system /sys/module/sco/parameters/disable_esco
327    chown system system /sys/kernel/ipv4/tcp_wmem_min
328    chown system system /sys/kernel/ipv4/tcp_wmem_def
329    chown system system /sys/kernel/ipv4/tcp_wmem_max
330    chown system system /sys/kernel/ipv4/tcp_rmem_min
331    chown system system /sys/kernel/ipv4/tcp_rmem_def
332    chown system system /sys/kernel/ipv4/tcp_rmem_max
333    chown root radio /proc/cmdline
334
335# Define TCP buffer sizes for various networks
336#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
337    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
338    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
339    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
340    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
341    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
342    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
343    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
344    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
345    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
346    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
347    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
348
349# Set this property so surfaceflinger is not started by system_init
350    setprop system_init.startsurfaceflinger 0
351
352    class_start core
353    class_start main
354
355on nonencrypted
356    class_start late_start
357
358on charger
359    class_start charger
360
361on property:vold.decrypt=trigger_reset_main
362    class_reset main
363
364on property:vold.decrypt=trigger_load_persist_props
365    load_persist_props
366
367on property:vold.decrypt=trigger_post_fs_data
368    trigger post-fs-data
369
370on property:vold.decrypt=trigger_restart_min_framework
371    class_start main
372
373on property:vold.decrypt=trigger_restart_framework
374    class_start main
375    class_start late_start
376
377on property:vold.decrypt=trigger_shutdown_framework
378    class_reset late_start
379    class_reset main
380
381## Daemon processes to be run by init.
382##
383service ueventd /sbin/ueventd
384    class core
385    critical
386    seclabel u:r:ueventd:s0
387
388on property:selinux.reload_policy=1
389    restart ueventd
390    restart installd
391
392service console /system/bin/sh
393    class core
394    console
395    disabled
396    user shell
397    group log
398
399on property:ro.debuggable=1
400    start console
401
402# adbd is controlled via property triggers in init.<platform>.usb.rc
403service adbd /sbin/adbd
404    class core
405    socket adbd stream 660 system system
406    disabled
407    seclabel u:r:adbd:s0
408
409# adbd on at boot in emulator
410on property:ro.kernel.qemu=1
411    start adbd
412
413service servicemanager /system/bin/servicemanager
414    class core
415    user system
416    group system
417    critical
418    onrestart restart zygote
419    onrestart restart media
420    onrestart restart surfaceflinger
421    onrestart restart drm
422
423service vold /system/bin/vold
424    class core
425    socket vold stream 0660 root mount
426    ioprio be 2
427
428service netd /system/bin/netd
429    class main
430    socket netd stream 0660 root system
431    socket dnsproxyd stream 0660 root inet
432    socket mdns stream 0660 root system
433
434service debuggerd /system/bin/debuggerd
435    class main
436
437service ril-daemon /system/bin/rild
438    class main
439    socket rild stream 660 root radio
440    socket rild-debug stream 660 radio system
441    user root
442    group radio cache inet misc audio log
443
444service surfaceflinger /system/bin/surfaceflinger
445    class main
446    user system
447    group graphics drmrpc
448    onrestart restart zygote
449
450service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
451    class main
452    socket zygote stream 660 root system
453    onrestart write /sys/android_power/request_state wake
454    onrestart write /sys/power/state on
455    onrestart restart media
456    onrestart restart netd
457
458service drm /system/bin/drmserver
459    class main
460    user drm
461    group drm system inet drmrpc
462
463service media /system/bin/mediaserver
464    class main
465    user media
466    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc
467    ioprio rt 4
468
469service bootanim /system/bin/bootanimation
470    class main
471    user graphics
472    group graphics
473    disabled
474    oneshot
475
476service installd /system/bin/installd
477    class main
478    socket installd stream 600 system system
479
480service flash_recovery /system/etc/install-recovery.sh
481    class main
482    oneshot
483
484service racoon /system/bin/racoon
485    class main
486    socket racoon stream 600 system system
487    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
488    group vpn net_admin inet
489    disabled
490    oneshot
491
492service mtpd /system/bin/mtpd
493    class main
494    socket mtpd stream 600 system system
495    user vpn
496    group vpn net_admin inet net_raw
497    disabled
498    oneshot
499
500service keystore /system/bin/keystore /data/misc/keystore
501    class main
502    user keystore
503    group keystore drmrpc
504
505service dumpstate /system/bin/dumpstate -s
506    class main
507    socket dumpstate stream 0660 shell log
508    disabled
509    oneshot
510
511service sshd /system/bin/start-ssh
512    class main
513    disabled
514
515service mdnsd /system/bin/mdnsd
516    class main
517    user mdnsr
518    group inet net_raw
519    socket mdnsd stream 0660 mdnsr inet
520    disabled
521    oneshot
522