init.rc revision f820e85164a1863e4384f5e1ca8b6f46902bd74e
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8import /init.usb.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ASEC_MOUNTPOINT /mnt/asec 38 export LOOP_MOUNTPOINT /mnt/obb 39 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 40 41# Backward compatibility 42 symlink /system/etc /etc 43 symlink /sys/kernel/debug /d 44 45# Right now vendor lives on the same filesystem as system, 46# but someday that may change. 47 symlink /system/vendor /vendor 48 49# Create cgroup mount point for cpu accounting 50 mkdir /acct 51 mount cgroup none /acct cpuacct 52 mkdir /acct/uid 53 54 mkdir /system 55 mkdir /data 0771 system system 56 mkdir /cache 0770 system cache 57 mkdir /config 0500 root root 58 59 # Directory for putting things only root should see. 60 mkdir /mnt/secure 0700 root root 61 62 # Directory for staging bindmounts 63 mkdir /mnt/secure/staging 0700 root root 64 65 # Directory-target for where the secure container 66 # imagefile directory will be bind-mounted 67 mkdir /mnt/secure/asec 0700 root root 68 69 # Secure container public mount points. 70 mkdir /mnt/asec 0700 root system 71 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 72 73 # Filesystem image public mount points. 74 mkdir /mnt/obb 0700 root system 75 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 76 77 write /proc/sys/kernel/panic_on_oops 1 78 write /proc/sys/kernel/hung_task_timeout_secs 0 79 write /proc/cpu/alignment 4 80 write /proc/sys/kernel/sched_latency_ns 10000000 81 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 82 write /proc/sys/kernel/sched_compat_yield 1 83 write /proc/sys/kernel/sched_child_runs_first 0 84 write /proc/sys/kernel/randomize_va_space 2 85 write /proc/sys/kernel/kptr_restrict 2 86 write /proc/sys/kernel/dmesg_restrict 1 87 write /proc/sys/vm/mmap_min_addr 32768 88 write /proc/sys/kernel/sched_rt_runtime_us 950000 89 write /proc/sys/kernel/sched_rt_period_us 1000000 90 91# Create cgroup mount points for process groups 92 mkdir /dev/cpuctl 93 mount cgroup none /dev/cpuctl cpu 94 chown system system /dev/cpuctl 95 chown system system /dev/cpuctl/tasks 96 chmod 0660 /dev/cpuctl/tasks 97 write /dev/cpuctl/cpu.shares 1024 98 write /dev/cpuctl/cpu.rt_runtime_us 950000 99 write /dev/cpuctl/cpu.rt_period_us 1000000 100 101 mkdir /dev/cpuctl/apps 102 chown system system /dev/cpuctl/apps/tasks 103 chmod 0666 /dev/cpuctl/apps/tasks 104 write /dev/cpuctl/apps/cpu.shares 1024 105 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 106 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 107 108 mkdir /dev/cpuctl/apps/bg_non_interactive 109 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 110 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 111 # 5.0 % 112 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 113 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 114 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 115 116# Allow everybody to read the xt_qtaguid resource tracking misc dev. 117# This is needed by any process that uses socket tagging. 118 chmod 0644 /dev/xt_qtaguid 119 120on fs 121# mount mtd partitions 122 # Mount /system rw first to give the filesystem a chance to save a checkpoint 123 mount yaffs2 mtd@system /system 124 mount yaffs2 mtd@system /system ro remount 125 mount yaffs2 mtd@userdata /data nosuid nodev 126 mount yaffs2 mtd@cache /cache nosuid nodev 127 128on post-fs 129 # once everything is setup, no need to modify / 130 mount rootfs rootfs / ro remount 131 132 # We chown/chmod /cache again so because mount is run as root + defaults 133 chown system cache /cache 134 chmod 0770 /cache 135 # We restorecon /cache in case the cache partition has been reset. 136 restorecon /cache 137 138 # This may have been created by the recovery system with odd permissions 139 chown system cache /cache/recovery 140 chmod 0770 /cache/recovery 141 # This may have been created by the recovery system with the wrong context. 142 restorecon /cache/recovery 143 144 #change permissions on vmallocinfo so we can grab it from bugreports 145 chown root log /proc/vmallocinfo 146 chmod 0440 /proc/vmallocinfo 147 148 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 149 chown root system /proc/kmsg 150 chmod 0440 /proc/kmsg 151 chown root system /proc/sysrq-trigger 152 chmod 0220 /proc/sysrq-trigger 153 154 # create the lost+found directories, so as to enforce our permissions 155 mkdir /cache/lost+found 0770 root root 156 157on post-fs-data 158 # We chown/chmod /data again so because mount is run as root + defaults 159 chown system system /data 160 chmod 0771 /data 161 # We restorecon /data in case the userdata partition has been reset. 162 restorecon /data 163 164 # Create dump dir and collect dumps. 165 # Do this before we mount cache so eventually we can use cache for 166 # storing dumps on platforms which do not have a dedicated dump partition. 167 mkdir /data/dontpanic 0750 root log 168 169 # Collect apanic data, free resources and re-arm trigger 170 copy /proc/apanic_console /data/dontpanic/apanic_console 171 chown root log /data/dontpanic/apanic_console 172 chmod 0640 /data/dontpanic/apanic_console 173 174 copy /proc/apanic_threads /data/dontpanic/apanic_threads 175 chown root log /data/dontpanic/apanic_threads 176 chmod 0640 /data/dontpanic/apanic_threads 177 178 write /proc/apanic_console 1 179 180 # create basic filesystem structure 181 mkdir /data/misc 01771 system misc 182 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 183 mkdir /data/misc/bluetooth 0770 system system 184 mkdir /data/misc/keystore 0700 keystore keystore 185 mkdir /data/misc/keychain 0771 system system 186 mkdir /data/misc/zoneinfo 0775 system system 187 mkdir /data/misc/vpn 0770 system vpn 188 mkdir /data/misc/systemkeys 0700 system system 189 # give system access to wpa_supplicant.conf for backup and restore 190 mkdir /data/misc/wifi 0770 wifi wifi 191 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 192 mkdir /data/local 0751 root root 193 194 # For security reasons, /data/local/tmp should always be empty. 195 # Do not place files or directories in /data/local/tmp 196 mkdir /data/local/tmp 0771 shell shell 197 mkdir /data/data 0771 system system 198 mkdir /data/app-private 0771 system system 199 mkdir /data/app-asec 0700 root root 200 mkdir /data/app 0771 system system 201 mkdir /data/property 0700 root root 202 mkdir /data/ssh 0750 root shell 203 mkdir /data/ssh/empty 0700 root root 204 205 # create dalvik-cache, so as to enforce our permissions 206 mkdir /data/dalvik-cache 0771 system system 207 208 # create resource-cache and double-check the perms 209 mkdir /data/resource-cache 0771 system system 210 chown system system /data/resource-cache 211 chmod 0771 /data/resource-cache 212 213 # create the lost+found directories, so as to enforce our permissions 214 mkdir /data/lost+found 0770 root root 215 216 # create directory for DRM plug-ins - give drm the read/write access to 217 # the following directory. 218 mkdir /data/drm 0770 drm drm 219 220 # If there is no fs-post-data action in the init.<device>.rc file, you 221 # must uncomment this line, otherwise encrypted filesystems 222 # won't work. 223 # Set indication (checked by vold) that we have finished this action 224 #setprop vold.post_fs_data_done 1 225 226on boot 227# basic network init 228 ifup lo 229 hostname localhost 230 domainname localdomain 231 232# set RLIMIT_NICE to allow priorities from 19 to -20 233 setrlimit 13 40 40 234 235# Memory management. Basic kernel parameters, and allow the high 236# level system server to be able to adjust the kernel OOM driver 237# parameters to match how it is managing things. 238 write /proc/sys/vm/overcommit_memory 1 239 write /proc/sys/vm/min_free_order_shift 4 240 chown root system /sys/module/lowmemorykiller/parameters/adj 241 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 242 chown root system /sys/module/lowmemorykiller/parameters/minfree 243 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 244 245 # Tweak background writeout 246 write /proc/sys/vm/dirty_expire_centisecs 200 247 write /proc/sys/vm/dirty_background_ratio 5 248 249 # Permissions for System Server and daemons. 250 chown radio system /sys/android_power/state 251 chown radio system /sys/android_power/request_state 252 chown radio system /sys/android_power/acquire_full_wake_lock 253 chown radio system /sys/android_power/acquire_partial_wake_lock 254 chown radio system /sys/android_power/release_wake_lock 255 chown system system /sys/power/state 256 chown system system /sys/power/wakeup_count 257 chown radio system /sys/power/wake_lock 258 chown radio system /sys/power/wake_unlock 259 chmod 0660 /sys/power/state 260 chmod 0660 /sys/power/wake_lock 261 chmod 0660 /sys/power/wake_unlock 262 263 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 264 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 265 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 266 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 267 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 268 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 269 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 270 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 271 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 272 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 273 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 274 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 275 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 276 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 277 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 278 279 # Assume SMP uses shared cpufreq policy for all CPUs 280 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 281 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 282 283 chown system system /sys/class/timed_output/vibrator/enable 284 chown system system /sys/class/leds/keyboard-backlight/brightness 285 chown system system /sys/class/leds/lcd-backlight/brightness 286 chown system system /sys/class/leds/button-backlight/brightness 287 chown system system /sys/class/leds/jogball-backlight/brightness 288 chown system system /sys/class/leds/red/brightness 289 chown system system /sys/class/leds/green/brightness 290 chown system system /sys/class/leds/blue/brightness 291 chown system system /sys/class/leds/red/device/grpfreq 292 chown system system /sys/class/leds/red/device/grppwm 293 chown system system /sys/class/leds/red/device/blink 294 chown system system /sys/class/leds/red/brightness 295 chown system system /sys/class/leds/green/brightness 296 chown system system /sys/class/leds/blue/brightness 297 chown system system /sys/class/leds/red/device/grpfreq 298 chown system system /sys/class/leds/red/device/grppwm 299 chown system system /sys/class/leds/red/device/blink 300 chown system system /sys/class/timed_output/vibrator/enable 301 chown system system /sys/module/sco/parameters/disable_esco 302 chown system system /sys/kernel/ipv4/tcp_wmem_min 303 chown system system /sys/kernel/ipv4/tcp_wmem_def 304 chown system system /sys/kernel/ipv4/tcp_wmem_max 305 chown system system /sys/kernel/ipv4/tcp_rmem_min 306 chown system system /sys/kernel/ipv4/tcp_rmem_def 307 chown system system /sys/kernel/ipv4/tcp_rmem_max 308 chown root radio /proc/cmdline 309 310# Define TCP buffer sizes for various networks 311# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 312 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 313 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 314 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 315 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 316 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 317 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 318 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 319 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 320 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 321 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 322 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 323 324# Set this property so surfaceflinger is not started by system_init 325 setprop system_init.startsurfaceflinger 0 326 327 class_start core 328 class_start main 329 330on nonencrypted 331 class_start late_start 332 333on charger 334 class_start charger 335 336on property:vold.decrypt=trigger_reset_main 337 class_reset main 338 339on property:vold.decrypt=trigger_load_persist_props 340 load_persist_props 341 342on property:vold.decrypt=trigger_post_fs_data 343 trigger post-fs-data 344 345on property:vold.decrypt=trigger_restart_min_framework 346 class_start main 347 348on property:vold.decrypt=trigger_restart_framework 349 class_start main 350 class_start late_start 351 352on property:vold.decrypt=trigger_shutdown_framework 353 class_reset late_start 354 class_reset main 355 356## Daemon processes to be run by init. 357## 358service ueventd /sbin/ueventd 359 class core 360 critical 361 seclabel u:r:ueventd:s0 362 363on property:selinux.reload_policy=1 364 restart ueventd 365 restart installd 366 367service console /system/bin/sh 368 class core 369 console 370 disabled 371 user shell 372 group log 373 374on property:ro.debuggable=1 375 start console 376 377# adbd is controlled via property triggers in init.<platform>.usb.rc 378service adbd /sbin/adbd 379 class core 380 disabled 381 seclabel u:r:adbd:s0 382 383# adbd on at boot in emulator 384on property:ro.kernel.qemu=1 385 start adbd 386 387service servicemanager /system/bin/servicemanager 388 class core 389 user system 390 group system 391 critical 392 onrestart restart zygote 393 onrestart restart media 394 onrestart restart surfaceflinger 395 onrestart restart drm 396 397service vold /system/bin/vold 398 class core 399 socket vold stream 0660 root mount 400 ioprio be 2 401 402service netd /system/bin/netd 403 class main 404 socket netd stream 0660 root system 405 socket dnsproxyd stream 0660 root inet 406 socket mdns stream 0660 root system 407 408service debuggerd /system/bin/debuggerd 409 class main 410 411service ril-daemon /system/bin/rild 412 class main 413 socket rild stream 660 root radio 414 socket rild-debug stream 660 radio system 415 user root 416 group radio cache inet misc audio sdcard_r sdcard_rw log 417 418service surfaceflinger /system/bin/surfaceflinger 419 class main 420 user system 421 group graphics 422 onrestart restart zygote 423 424service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 425 class main 426 socket zygote stream 660 root system 427 onrestart write /sys/android_power/request_state wake 428 onrestart write /sys/power/state on 429 onrestart restart media 430 onrestart restart netd 431 432service drm /system/bin/drmserver 433 class main 434 user drm 435 group drm system inet drmrpc sdcard_r 436 437service media /system/bin/mediaserver 438 class main 439 user media 440 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 441 ioprio rt 4 442 443service bootanim /system/bin/bootanimation 444 class main 445 user graphics 446 group graphics 447 disabled 448 oneshot 449 450service dbus /system/bin/dbus-daemon --system --nofork 451 class main 452 socket dbus stream 660 bluetooth bluetooth 453 user bluetooth 454 group bluetooth net_bt_admin 455 456service bluetoothd /system/bin/bluetoothd -n 457 class main 458 socket bluetooth stream 660 bluetooth bluetooth 459 socket dbus_bluetooth stream 660 bluetooth bluetooth 460 # init.rc does not yet support applying capabilities, so run as root and 461 # let bluetoothd drop uid to bluetooth with the right linux capabilities 462 group bluetooth net_bt_admin misc 463 disabled 464 465service installd /system/bin/installd 466 class main 467 socket installd stream 600 system system 468 469service flash_recovery /system/etc/install-recovery.sh 470 class main 471 oneshot 472 473service racoon /system/bin/racoon 474 class main 475 socket racoon stream 600 system system 476 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 477 group vpn net_admin inet 478 disabled 479 oneshot 480 481service mtpd /system/bin/mtpd 482 class main 483 socket mtpd stream 600 system system 484 user vpn 485 group vpn net_admin inet net_raw 486 disabled 487 oneshot 488 489service keystore /system/bin/keystore /data/misc/keystore 490 class main 491 user keystore 492 group keystore drmrpc 493 socket keystore stream 666 494 495service dumpstate /system/bin/dumpstate -s 496 class main 497 socket dumpstate stream 0660 shell log 498 disabled 499 oneshot 500 501service sshd /system/bin/start-ssh 502 class main 503 disabled 504 505service mdnsd /system/bin/mdnsd 506 class main 507 user mdnsr 508 group inet net_raw 509 socket mdnsd stream 0660 mdnsr inet 510 disabled 511 oneshot 512