init.rc revision f530c93c4aab818de51fd7123199bef6621047f8
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Root init script. It imports the environment, USB, hardware, zygote and
# trace scripts, then defines the boot-stage actions (early-init, init,
# late-init, post-fs, post-fs-data, boot), the vold.decrypt / sys.* property
# triggers, and the core and main service definitions.
#
# Reading the permissions below: "mkdir <path> <mode> <owner> <group>",
# "chown <owner> <group> <path>", "socket <name> <type> <mode> <owner> <group>".
# A service with no "user" line runs as root.
#

import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_score_adj.
    # -1000 is the lowest value and exempts the process from the OOM killer.
    write /proc/1/oom_score_adj -1000

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 = check the protection the kernel will actually apply, not only the
    # one the caller requested.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

    # create mountpoints
    mkdir /mnt 0775 root system

on init
    sysclktz 0

    loglevel 3

    # Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory
    # gid=1000 is the numeric id of the system group used by the mkdir/chown
    # lines that follow; nothing under this tree is accessible to "other".
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The directory is created 0700, but the tmpfs mounted over it is 0755,
    # so the mounted tree is world-readable and traversable.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: the effective mode is the tmpfs mode, 0755.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel tuning. The security-relevant settings in this run are:
    #   panic_on_oops 1       - panic instead of continuing after a kernel oops
    #   randomize_va_space 2  - full address-space randomization, heap included
    #   kptr_restrict 2       - hide kernel pointers (%pK) from every user
    #   mmap_min_addr 32768   - lowest address a process may map
    #   ping_group_range      - gids allowed to open ICMP ping sockets; the
    #                           range given here covers every gid
    # The remaining writes are scheduler and socket-queue tuning.
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # reflect fwmark from incoming packets onto generated replies
    write /proc/sys/net/ipv4/fwmark_reflect 1
    write /proc/sys/net/ipv6/fwmark_reflect 1

    # set fwmark on accepted sockets
    write /proc/sys/net/ipv4/tcp_fwmark_accept 1

    # Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    # NOTE(review): the two chmod 0666 lines below make the "tasks" files of
    # the apps and apps/bg_non_interactive groups world-writable, an exception
    # to the rule stated at the top of this file. The root group's tasks file
    # above stays 0660. Confirm the exception is intended and that SELinux
    # policy limits which domains may write here.
    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    # net_bw_acct grants impersonation of socket owners.
    # net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log
    # Readable by owner system and group log only (0440).
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops

# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.
on property:sys.boot_from_charger_mode=1
    class_stop charger
    trigger late-init

# Load properties from /system/ + /factory after fs mount.
on load_all_props_action
    load_all_props

# Mount filesystems and start core system services.
on late-init
    trigger early-fs
    trigger fs
    trigger post-fs
    trigger post-fs-data

    # Load properties from /system/ + /factory after fs mount. Place
    # this in another action so that the load will be scheduled after the prior
    # issued fs triggers have completed.
    trigger load_all_props_action

    trigger early-boot
    trigger boot

on post-fs
    # Right now vendor lives on the same filesystem as system,
    # but someday that may change. If it has, this symlink will fail.
    symlink /system/vendor /vendor

    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg and last_kmsg are read-only for owner and group (0440);
    # sysrq-trigger is write-only for root and group system (0220).
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Modes with a leading digit: 01771 sets the sticky bit (entries can be
    # removed or renamed only by their owner, the directory owner or root);
    # 02750 sets setgid (new entries inherit the directory's group, shell).
    # keystore, systemkeys and media are 0700: owner only.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/ethernet 0770 system system
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): only the mode is set here; the file's owner and group are
    # whatever they already are on disk. Group read/write is granted, "other"
    # gets nothing.
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system
    mkdir /data/dalvik-cache/profiles 0711 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    # The lowmemorykiller parameters become write-only (0220) for root and
    # group system.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    # Only state, wake_lock and wake_unlock under /sys/power get an explicit
    # mode; the other nodes keep the mode the kernel gave them and change
    # owner/group only.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # Interactive cpufreq governor tunables: owned by system, 0660.
    # boostpulse is the one node that is chowned without a chmod.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    # NOTE(review): the vibrator "enable" node is chowned twice in this group
    # (first and twelfth line); the second is redundant.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

    # Define TCP buffer sizes for various networks
    #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts 58254,349525,1048576,58254,349525,1048576
    setprop net.tcp.buffersize.hspa 40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsupa 40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsdpa 61167,367002,1101005,8738,52429,262114
    setprop net.tcp.buffersize.hspap 122334,734003,2202010,32040,192239,576717
    setprop net.tcp.buffersize.edge 4093,26280,70800,4096,16384,70800
    setprop net.tcp.buffersize.gprs 4092,8760,48000,4096,8760,48000
    setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core

on nonencrypted
    class_start main
    class_start late_start

# The vold.decrypt triggers below drive the framework start/stop sequence
# around disk encryption; each fires when the property takes the named value.
on property:vold.decrypt=trigger_default_encryption
    start defaultcrypto

on property:vold.decrypt=trigger_encryption
    start surfaceflinger
    start encrypt
    class_start main

on charger
    class_start charger

on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Any value written to sys.powerctl is handed to init's powerctl command.
# Which processes may set the property is decided outside this file.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
# The property value is written to the sysctl as given; no range check is
# applied in this file.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

# "tcp_default_init_rwnd" Is too long!
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}


## Daemon processes to be run by init.
##
## Services without a "user" line run as root. "disabled" services are not
## started with their class and need an explicit start. Only ueventd, logd,
## healthd, console and adbd carry an explicit seclabel here.
##
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

# The logd and logdr sockets are 0666 and logdw is 0222 (write-only), all
# with "other" access: the socket modes do not restrict who may connect.
# NOTE(review): presumably access to log content is enforced by logd itself
# and by SELinux policy; neither is visible in this file.
service logd /system/bin/logd
    class core
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
    seclabel u:r:logd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Shell on the console device, running as user shell. It is disabled and is
# started only by the ro.debuggable=1 trigger below.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# It has no "user" line, so init launches it as root in the adbd domain.
# NOTE(review): --root_seclabel presumably names the context adbd uses when
# it stays root; verify against the adbd source.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart inputflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

# netd runs as root; access to each control socket is by group
# (system or inet), mode 0660.
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
    socket fwmarkd stream 0660 root inet

service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main

service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

service inputflinger /system/bin/inputflinger
    class main
    user system
    group input
    onrestart restart zygote

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

# One shot invocation to deal with encrypted volume.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)

# One shot invocation to encrypt unencrypted volumes
service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption)

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# installd runs as root; its socket is 0600, owner system only.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs the install-recovery.sh script as root, once, when class main starts.
service flash_recovery /system/bin/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# Disabled, with no "user" line: when started, start-ssh runs as root.
service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot

service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot