init.rc revision f530c93c4aab818de51fd7123199bef6621047f8
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#

# Additional rc fragments.  The ${ro.hardware} and ${ro.zygote} imports are
# resolved from system properties at boot, so the device-specific and
# zygote-configuration files are chosen per device/build.
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc

# First action to run.  ueventd is started from here, so nothing in this
# action may rely on device nodes it creates.
on early-init
    # Set init and its forked children's oom_adj (-1000 = never chosen by the
    # OOM killer).
    write /proc/1/oom_score_adj -1000

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

    # create mountpoints
    mkdir /mnt 0775 root system

# Core filesystem layout, cgroup hierarchies and kernel tunables.  Everything
# here runs before any partition other than the rootfs is mounted.
on init
    sysclktz 0

    loglevel 3

    # Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory.
    # The tmpfs holding the hierarchy is 0750 root:system, so only root and
    # members of the system group can reach the memory cgroups below it.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    # Top-level mount points.  /config is root-only; /data and /cache are
    # owned by the system uid so the framework can manage them once mounted.
    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec  0700 root root

    # Secure container public mount points.
    # The directory itself is 0700, but the tmpfs mounted over it is 0755.
    mkdir /mnt/asec  0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points (same 0700 dir / 0755 tmpfs split).
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel robustness and scheduler tunables.
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # Full ASLR: 2 also randomizes the heap (brk) base.
    write /proc/sys/kernel/randomize_va_space 2
    # Hide kernel pointers in /proc and dmesg output from all users.
    write /proc/sys/kernel/kptr_restrict 2
    # Forbid user mappings below 32 KiB (NULL-pointer dereference mitigation).
    write /proc/sys/vm/mmap_min_addr 32768
    # Allow every gid to open unprivileged ICMP echo sockets.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # reflect fwmark from incoming packets onto generated replies
    write /proc/sys/net/ipv4/fwmark_reflect 1
    write /proc/sys/net/ipv6/fwmark_reflect 1

    # set fwmark on accepted sockets
    write /proc/sys/net/ipv4/tcp_fwmark_accept 1

    # Create cgroup mount points for process groups.
    # The root tasks file is 0660 system:system.
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    # NOTE(review): the apps/ and apps/bg_non_interactive/ tasks files below
    # are 0666 (world-writable) despite the warning at the top of this file.
    # Presumably any process must be able to move its own threads between
    # these groups; confirm that is the only thing the mode enables before
    # tightening it.
    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 % of the parent's 1024 shares (52/1024)
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    #   net_bw_acct grants impersonation of socket owners.
    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log, readable only by root and the log
    # group (0440) since it can contain kernel addresses from the last boot.
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops

# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.  The charger class is stopped
# first so the normal late-init sequence below starts from a clean state.
on property:sys.boot_from_charger_mode=1
    class_stop charger
    trigger late-init

# Load properties from /system/ + /factory after fs mount.
# Kept as its own action so late-init can queue it after the fs triggers.
on load_all_props_action
    load_all_props

# Mount filesystems and start core system services.
# Each trigger queues the named action; they run in the order listed here.
on late-init
    trigger early-fs
    trigger fs
    trigger post-fs
    trigger post-fs-data

    # Load properties from /system/ + /factory after fs mount. Place
    # this in another action so that the load will be scheduled after the prior
    # issued fs triggers have completed.
    trigger load_all_props_action

    trigger early-boot
    trigger boot

# Runs once /system and /cache are mounted: lock down the rootfs and fix
# ownership/contexts on /cache and on the /proc diagnostics bugreports need.
on post-fs
    # Right now vendor lives on the same filesystem as system,
    # but someday that may change. If it has, this symlink will fail.
    symlink /system/vendor /vendor

    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount runs as root with default
    # permissions.
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    # (0440 root:log - readable by root and the log group only)
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg is 0440 root:system; sysrq-trigger is write-only (0220) for the
    # same owners, so no other uid can issue sysrq commands through it.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

# Runs once /data is mounted (also re-triggered by vold after decryption,
# see the vold.decrypt=trigger_post_fs_data action below).  Creates the
# /data directory tree with its owners and modes.
on post-fs-data
    # We chown/chmod /data again because mount runs as root with default
    # permissions.
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # NOTE(review): whatever refreshes /data/system/entropy.dat is outside
    # this file; if it is never written, this copy contributes nothing.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # /data/misc is sticky (01771) so uids can create but not remove each
    # other's entries; per-daemon subdirectories are owned by that daemon.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # keystore's directory is 0700 keystore:keystore - no other uid can list it
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/ethernet 0770 system system
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    # give system access to wpa_supplicant.conf for backup and restore
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system
    mkdir /data/dalvik-cache/profiles 0711 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    # NOTE(review): this loads SELinux policy from the writable /data
    # partition; whatever places files in /data/security is outside this
    # file - confirm it authenticates the policy before trusting it here.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no fs-post-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

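# Final boot action: network loopback, rlimits, hand-off of sysfs control
# files to the system/radio uids, TCP buffer properties, then the core
# service class.  Note that several chown lines below are not paired with a
# chmod, so only ownership changes there - the file's default mode stays.
on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE (resource 13) to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    # lowmemorykiller knobs are write-only (0220) for root and system.
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio  5

    # Permissions for System Server and daemons.
    # Only state, wake_lock and wake_unlock get an explicit 0660 mode.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # Interactive cpufreq governor tunables: 0660 system:system so the
    # framework can adjust them (boostpulse is chown-only).
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    # Ownership (mode unchanged) of haptics, LED, bluetooth and TCP buffer
    # control files handed to the system uid.  The vibrator/enable entry
    # used to appear twice in this list; the duplicate was dropped.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Kernel command line ownership goes to root:radio (mode unchanged).
    chown root radio /proc/cmdline

    # Define TCP buffer sizes for various networks
    #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default  4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte      524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts     58254,349525,1048576,58254,349525,1048576
    setprop net.tcp.buffersize.hspa     40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsupa    40778,244668,734003,16777,100663,301990
    setprop net.tcp.buffersize.hsdpa    61167,367002,1101005,8738,52429,262114
    setprop net.tcp.buffersize.hspap    122334,734003,2202010,32040,192239,576717
    setprop net.tcp.buffersize.edge     4093,26280,70800,4096,16384,70800
    setprop net.tcp.buffersize.gprs     4092,8760,48000,4096,8760,48000
    setprop net.tcp.buffersize.evdo     4094,87380,262144,4096,16384,262144

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core
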
# Device has no encrypted userdata: start the remaining service classes
# directly (the encrypted path reaches them via the vold.decrypt triggers).
on nonencrypted
    class_start main
    class_start late_start

# vold asks for default (no-password) encryption; runs the oneshot
# defaultcrypto service defined below.
on property:vold.decrypt=trigger_default_encryption
    start defaultcrypto

# vold asks to encrypt an existing volume in place: bring up the display
# and the main class so the encryption UI can run alongside it.
on property:vold.decrypt=trigger_encryption
    start surfaceflinger
    start encrypt
    class_start main

# Charger-mode boot: only the charger class runs (see
# sys.boot_from_charger_mode above for the hand-off to a full boot).
on charger
    class_start charger

# Stop and re-arm the main class (used around decryption).
on property:vold.decrypt=trigger_reset_main
    class_reset main

# persist.* properties live on /data, so they can only be loaded once vold
# has made the partition available.
on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

# Re-run the post-fs-data action now that the decrypted /data is mounted.
on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

# Minimal framework (main class only) - used while the password prompt is
# up and /data is still locked.
on property:vold.decrypt=trigger_restart_min_framework
    class_start main

# Full framework restart after decryption succeeded.
on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

# Tear the framework down (late_start first, then main) before vold
# remounts /data.
on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Reboot/shutdown requests arrive as a property; the value is passed
# straight through to init's powerctl command.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init: whoever can set this property can set the
# sysctl, so the property's access control is the only gate here.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

# "tcp_default_init_rwnd" Is too long!
# Same init-proxied sysctl write as extra_free_kbytes above.
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}


## Daemon processes to be run by init.
##
# Device-node manager; started explicitly from early-init.  critical: init
# reboots into recovery if it crashes repeatedly.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

# System log daemon.
# NOTE(review): the logd/logdr sockets are 0666 and logdw is 0222, i.e.
# every process can write log entries and open the reader socket; the
# socket mode is not a gate here, so any reader restriction must be
# enforced by logd itself - confirm.
service logd /system/bin/logd
    class core
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
    seclabel u:r:logd:s0

# Battery/charger monitor; also the source of sys.boot_from_charger_mode.
service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Serial-console shell.  Runs as the shell uid, not root, and is disabled
# here: it is only started by the ro.debuggable=1 trigger below.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log
    seclabel u:r:shell:s0

# Console shell only on debuggable (userdebug/eng) builds.
on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# --root_seclabel names the domain adbd moves to if it runs as root;
# presumably adbd itself decides when that is allowed (not visible here).
# The control socket is 660 system:system, so only the system uid/group can
# talk to adbd locally.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator (real devices rely on the usb.rc triggers).
on property:ro.kernel.qemu=1
    start adbd

# Low-memory killer daemon; its control socket is reachable only by the
# system uid/group (0660).
service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system

# Binder service registry.  Runs as system; if it restarts, every daemon
# that registered with it is restarted too.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart inputflinger
    onrestart restart drm

# Volume daemon.  No user line, so it runs as root; its socket is 0660
# root:mount, so only root and the mount group can issue commands.
service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

# Network management daemon (runs as root - no user line).  The control
# sockets are 0660 root:system, the DNS proxy and fwmark sockets 0660
# root:inet, i.e. reachable by anything with network permission.
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
    socket fwmarkd stream 0660 root inet

# Crash handler for 32-bit processes (runs as root - no user line).
service debuggerd /system/bin/debuggerd
    class main

# Crash handler for 64-bit processes (runs as root - no user line).
service debuggerd64 /system/bin/debuggerd64
    class main

# Radio interface layer.  Explicitly runs as root with a broad group list;
# NOTE(review): whether rild drops privileges after start is not visible
# here - confirm.  Sockets are 660 (rild: root:radio, rild-debug: radio:system).
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

# Display compositor; zygote is restarted with it so app processes
# reconnect to a fresh instance.
service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

# Input dispatcher; like surfaceflinger, a restart also restarts zygote.
service inputflinger /system/bin/inputflinger
    class main
    user system
    group input
    onrestart restart zygote

# DRM server, running as its own uid.
service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

# Media server.  Runs as the media uid; the group list grants it audio,
# camera, network, bluetooth and DRM access.
service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

# One shot invocation to deal with encrypted volume.
# No class line, so it is never started by class_start; only the
# vold.decrypt=trigger_default_encryption action above starts it.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)

# One shot invocation to encrypt unencrypted volumes.
# No class line; started only by the vold.decrypt=trigger_encryption action.
service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption)

# Boot animation; unprivileged (graphics uid) and started on demand.
service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# Package installer helper (runs as root - no user line).  Its socket is
# 600 system:system, so only the system uid can drive it.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs once per boot as root (no user line) to update the recovery image.
service flash_recovery /system/bin/install-recovery.sh
    class main
    oneshot

# IPsec IKE daemon.  Starts as root (no user line) so it can bind the
# privileged port; see the note below on dropping to vpn afterwards.
service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

# PPTP/L2TP daemon; unlike racoon it starts directly as the vpn uid.
service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

# Key storage daemon, confined to its own uid; its data directory
# (/data/misc/keystore, 0700 keystore:keystore) is created in post-fs-data.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

# Bugreport collector (runs as root - no user line).  Its socket is 0660
# shell:log, so only the shell uid and the log group can request reports.
service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# SSH daemon wrapper; disabled here, nothing in this file starts it.
service sshd /system/bin/start-ssh
    class main
    disabled

# Multicast DNS responder, started on demand as the mdnsr uid.
service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot

# Prepares an OTA package for recovery; started on demand, runs as root
# (no user line).
service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot

659