init.rc revision fee250d27a9c03af1ba439047b976d89563b1887
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.usb.rc
8import /init.${ro.hardware}.rc
9import /init.trace.rc
10
11on early-init
    # First-stage setup: adjust init's OOM score, label init with its SELinux
    # context, start ueventd and create /mnt.
12    # Set init and its forked children's oom_adj.
    # A negative oom_adj makes the kernel OOM killer less likely to pick the process.
13    write /proc/1/oom_adj -16
14
15    # Set the security context for the init process.
16    # This should occur before anything else (e.g. ueventd) is started.
    # NOTE(review): a child forked before this setcon would presumably keep the
    # pre-transition context, which is why the ordering matters; confirm.
17    setcon u:r:init:s0
18
19    start ueventd
20
21# create mountpoints
    # 0775 root:system: writable by owner and group, read/search only for others.
22    mkdir /mnt 0775 root system
23
24on init
25
26sysclktz 0
27
28loglevel 3
29
30# setup the global environment
# These exports become the default environment of services started by init.
# Every PATH and LD_LIBRARY_PATH entry below is under /sbin, /vendor or /system;
# no directory under /data appears in either search path. Earlier entries
# take precedence over later ones.
31    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
32    export LD_LIBRARY_PATH /vendor/lib:/system/lib
33    export ANDROID_BOOTLOGO 1
34    export ANDROID_ROOT /system
35    export ANDROID_ASSETS /system/app
36    export ANDROID_DATA /data
37    export ANDROID_STORAGE /storage
38    export ASEC_MOUNTPOINT /mnt/asec
39    export LOOP_MOUNTPOINT /mnt/obb
40    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar
41
42# Backward compatibility
43    symlink /system/etc /etc
# /d is only a shortcut to the debugfs path; whether debugfs is mounted, and
# with what permissions, is not decided in this file.
44    symlink /sys/kernel/debug /d
45
46# Right now vendor lives on the same filesystem as system,
47# but someday that may change.
48    symlink /system/vendor /vendor
49
50# Create cgroup mount point for cpu accounting
51    mkdir /acct
52    mount cgroup none /acct cpuacct
53    mkdir /acct/uid
54
# Top-level mount points. A mode given to mkdir applies to the bare directory;
# once a filesystem is mounted on top, that filesystem's root mode is what
# callers see (the post-fs and post-fs-data actions re-apply ownership for
# /cache and /data for this reason).
55    mkdir /system
# 0771: others may traverse /data but not list it.
56    mkdir /data 0771 system system
57    mkdir /cache 0770 system cache
58    mkdir /config 0500 root root
59
60    # See storage config details at http://source.android.com/tech/storage/
61    mkdir /mnt/shell 0700 shell shell
    # 0050: only members of group sdcard_r get read/search on /storage.
62    mkdir /storage 0050 root sdcard_r
63
64    # Directory for putting things only root should see.
65    mkdir /mnt/secure 0700 root root
66    # Create private mountpoint so we can MS_MOVE from staging
67    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0
68
69    # Directory for staging bindmounts
70    mkdir /mnt/secure/staging 0700 root root
71
72    # Directory-target for where the secure container
73    # imagefile directory will be bind-mounted
74    mkdir /mnt/secure/asec  0700 root root
75
76    # Secure container public mount points.
    # The tmpfs mounted here is created with mode 0755 and gid 1000, so the 0700
    # of the underlying directory is hidden once the mount succeeds.
    # gid 1000 is presumably the system group; confirm against the platform ID table.
77    mkdir /mnt/asec  0700 root system
78    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
79
80    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: 0700 directory covered by a 0755, gid 1000 tmpfs.
81    mkdir /mnt/obb 0700 root system
82    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
    # NOTE(review): none of the tmpfs mounts in this run passes nosuid, nodev or
    # noexec. With these modes they appear writable by uid 0 only, which limits
    # the exposure; confirm that omitting the flags is intended.
83
# Kernel tunables written once at init. Several of them are hardening settings;
# a device-specific rc file that overrides them weakens the baseline set here.
    # Panic on a kernel oops instead of continuing in a possibly corrupted state.
84    write /proc/sys/kernel/panic_on_oops 1
85    write /proc/sys/kernel/hung_task_timeout_secs 0
86    write /proc/cpu/alignment 4
87    write /proc/sys/kernel/sched_latency_ns 10000000
88    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
89    write /proc/sys/kernel/sched_compat_yield 1
90    write /proc/sys/kernel/sched_child_runs_first 0
    # 2 = full address-space layout randomization, including the heap (brk).
91    write /proc/sys/kernel/randomize_va_space 2
    # 2 = kernel pointers printed with %pK are hidden from every reader.
92    write /proc/sys/kernel/kptr_restrict 2
    # 1 = reading the kernel log through dmesg requires privilege.
93    write /proc/sys/kernel/dmesg_restrict 1
    # Lowest address user space may mmap; keeping page zero and the pages above
    # it unmappable limits exploitation of kernel NULL-pointer dereferences.
94    write /proc/sys/vm/mmap_min_addr 32768
    # Range of group ids allowed to open unprivileged ICMP echo ("ping") sockets;
    # this range admits every gid, so ping needs neither setuid nor raw sockets.
95    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    # Real-time tasks may use at most 950000 us of every 1000000 us period.
96    write /proc/sys/kernel/sched_rt_runtime_us 950000
97    write /proc/sys/kernel/sched_rt_period_us 1000000
98
99# Create cgroup mount points for process groups
# Three groups are set up: the root group, apps, and apps/bg_non_interactive.
# Writing a task id to a group's "tasks" file moves that task into the group.
100    mkdir /dev/cpuctl
101    mount cgroup none /dev/cpuctl cpu
102    chown system system /dev/cpuctl
103    chown system system /dev/cpuctl/tasks
    # Root group: only uid/gid system may move tasks into it.
104    chmod 0660 /dev/cpuctl/tasks
105    write /dev/cpuctl/cpu.shares 1024
106    write /dev/cpuctl/cpu.rt_runtime_us 950000
107    write /dev/cpuctl/cpu.rt_period_us 1000000
108
109    mkdir /dev/cpuctl/apps
110    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this file world-writable, which the header of this
    # file warns against. Presumably intentional so unprivileged processes can
    # place their own threads; with this mode the kernel's cgroup attach checks
    # are the only limit on which tasks a writer can move. Confirm for the
    # target kernel and narrow the mode if possible.
111    chmod 0666 /dev/cpuctl/apps/tasks
112    write /dev/cpuctl/apps/cpu.shares 1024
113    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
114    write /dev/cpuctl/apps/cpu.rt_period_us 1000000
115
116    mkdir /dev/cpuctl/apps/bg_non_interactive
117    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same concern as apps/tasks above.
118    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
119    # 5.0 %
120    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
121    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
122    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
123
124# qtaguid will limit access to specific data based on group memberships.
125#   net_bw_acct grants impersonation of socket owners.
126#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
# Only ownership is changed here; the file modes of ctrl and stats are left as
# the kernel module created them. Membership in these two groups is therefore
# the access boundary and should be granted sparingly.
127    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
128    chown root net_bw_stats /proc/net/xt_qtaguid/stats
129
130# Allow everybody to read the xt_qtaguid resource tracking misc dev.
131# This is needed by any process that uses socket tagging.
# 0644: world-readable, writable by the owner only.
132    chmod 0644 /dev/xt_qtaguid
133
134on fs
135# mount mtd partitions
# /system ends up read-only. The writable partitions /data and /cache are
# mounted nosuid,nodev, so setuid bits and device nodes created there are not
# honoured. /system carries neither flag.
136    # Mount /system rw first to give the filesystem a chance to save a checkpoint
137    mount yaffs2 mtd@system /system
138    mount yaffs2 mtd@system /system ro remount
139    mount yaffs2 mtd@userdata /data nosuid nodev
140    mount yaffs2 mtd@cache /cache nosuid nodev
141
142on post-fs
    # Locks down the root filesystem, then re-applies ownership, modes and
    # SELinux labels on /cache and on selected /proc files.
143    # once everything is setup, no need to modify /
144    mount rootfs rootfs / ro remount
145    # mount shared so changes propagate into child namespaces
146    mount rootfs rootfs / shared rec
    # /mnt/secure is made private, so mounts under it do not propagate.
147    mount tmpfs tmpfs /mnt/secure private rec
148
149    # We chown/chmod /cache again because mount is run as root + defaults
150    chown system cache /cache
151    chmod 0770 /cache
152    # We restorecon /cache in case the cache partition has been reset.
153    restorecon /cache
154
155    # This may have been created by the recovery system with odd permissions
156    chown system cache /cache/recovery
157    chmod 0770 /cache/recovery
158    # This may have been created by the recovery system with the wrong context.
159    restorecon /cache/recovery
160
161    #change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log: readable by root and group log only; the same for slabinfo.
162    chown root log /proc/vmallocinfo
163    chmod 0440 /proc/vmallocinfo
164
165    chown root log /proc/slabinfo
166    chmod 0440 /proc/slabinfo
167
168    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
169    chown root system /proc/kmsg
170    chmod 0440 /proc/kmsg
171    chown root system /proc/sysrq-trigger
    # 0220: write-only for root and group system. Writing to sysrq-trigger
    # invokes kernel SysRq actions, so group system can request them, subject
    # to whatever SELinux policy additionally enforces.
172    chmod 0220 /proc/sysrq-trigger
173    chown system log /proc/last_kmsg
174    chmod 0440 /proc/last_kmsg
175
176    # create the lost+found directories, so as to enforce our permissions
177    mkdir /cache/lost+found 0770 root root
178
179on post-fs-data
180    # reload SELinux based on what we find on the data partition
    # NOTE(review): the policy source is the writable data partition. Nothing in
    # this file shows how that policy is authenticated before it is loaded;
    # verify that in the policy loader.
181    selinux_reload_policy
182
183    # We chown/chmod /data again because mount is run as root + defaults
184    chown system system /data
185    chmod 0771 /data
186    # We restorecon /data in case the userdata partition has been reset.
187    restorecon /data
188
189    # Create dump dir and collect dumps.
190    # Do this before we mount cache so eventually we can use cache for
191    # storing dumps on platforms which do not have a dedicated dump partition.
    # Panic dumps can contain kernel state, so the directory and the copied
    # files are limited to root and group log (0750 / 0640).
192    mkdir /data/dontpanic 0750 root log
193
194    # Collect apanic data, free resources and re-arm trigger
195    copy /proc/apanic_console /data/dontpanic/apanic_console
196    chown root log /data/dontpanic/apanic_console
197    chmod 0640 /data/dontpanic/apanic_console
198
199    copy /proc/apanic_threads /data/dontpanic/apanic_threads
200    chown root log /data/dontpanic/apanic_threads
201    chmod 0640 /data/dontpanic/apanic_threads
202
203    write /proc/apanic_console 1
204
205    # create basic filesystem structure
    # Modes below are the access boundary between daemons on /data: none of the
    # directories is world-writable, and several grant others search (--x) only.
    # 01771: sticky bit set, so entries can be removed only by their owner.
206    mkdir /data/misc 01771 system misc
    # 02750: setgid, so new entries inherit group shell.
207    mkdir /data/misc/adb 02750 system shell
208    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
209    mkdir /data/misc/bluetooth 0770 system system
    # Key material: private to the keystore uid.
210    mkdir /data/misc/keystore 0700 keystore keystore
211    mkdir /data/misc/keychain 0771 system system
212    mkdir /data/misc/sms 0770 system radio
213    mkdir /data/misc/zoneinfo 0775 system system
214    mkdir /data/misc/vpn 0770 system vpn
215    mkdir /data/misc/systemkeys 0700 system system
216    # give system access to wpa_supplicant.conf for backup and restore
    # NOTE(review): only the mode of wpa_supplicant.conf is set here; its owner
    # and group are whatever they already are. The file presumably holds Wi-Fi
    # credentials, so group membership on it and on the 0770 wifi:wifi
    # directory is what protects them.
217    mkdir /data/misc/wifi 0770 wifi wifi
218    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
219    mkdir /data/local 0751 root root
220    mkdir /data/misc/media 0700 media media
221
222    # For security reasons, /data/local/tmp should always be empty.
223    # Do not place files or directories in /data/local/tmp
    # The directory is writable by uid/gid shell; others get search only.
224    mkdir /data/local/tmp 0771 shell shell
225    mkdir /data/data 0771 system system
226    mkdir /data/app-private 0771 system system
227    mkdir /data/app-asec 0700 root root
228    mkdir /data/app-lib 0771 system system
229    mkdir /data/app 0771 system system
230    mkdir /data/property 0700 root root
231    mkdir /data/ssh 0750 root shell
232    mkdir /data/ssh/empty 0700 root root
233
234    # create dalvik-cache, so as to enforce our permissions
235    mkdir /data/dalvik-cache 0771 system system
236
237    # create resource-cache and double-check the perms
238    mkdir /data/resource-cache 0771 system system
239    chown system system /data/resource-cache
240    chmod 0771 /data/resource-cache
241
242    # create the lost+found directories, so as to enforce our permissions
243    mkdir /data/lost+found 0770 root root
244
245    # create directory for DRM plug-ins - give drm the read/write access to
246    # the following directory.
247    mkdir /data/drm 0770 drm drm
248
249    # create directory for MediaDrm plug-ins - give drm the read/write access to
250    # the following directory.
251    mkdir /data/mediadrm 0770 mediadrm mediadrm
252
253    # symlink to bugreport storage location
254    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
255
256    # Separate location for storing security policy files on data
    # 0700 system:system: only the system uid can write the policy files that
    # the SELinux reload reads.
257    mkdir /data/security 0700 system system
258
259    # If there is no post-fs-data action in the init.<device>.rc file, you
260    # must uncomment this line, otherwise encrypted filesystems
261    # won't work.
262    # Set indication (checked by vold) that we have finished this action
263    #setprop vold.post_fs_data_done 1
264
265on boot
266# basic network init
267    ifup lo
268    hostname localhost
269    domainname localdomain
270
271# set RLIMIT_NICE to allow priorities from 19 to -20
# Arguments are resource number, soft limit, hard limit.
# NOTE(review): with both limits at 40, every process that inherits this limit
# can presumably raise its own priority to -20 without extra privilege; confirm
# that this is intended for all services init starts.
272    setrlimit 13 40 40
273
274# Memory management.  Basic kernel parameters, and allow the high
275# level system server to be able to adjust the kernel OOM driver
276# parameters to match how it is managing things.
277    write /proc/sys/vm/overcommit_memory 1
278    write /proc/sys/vm/min_free_order_shift 4
    # 0664 root:system: root and group system can retune the low-memory killer;
    # everyone can read the current values.
279    chown root system /sys/module/lowmemorykiller/parameters/adj
280    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
281    chown root system /sys/module/lowmemorykiller/parameters/minfree
282    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
283
284    # Tweak background writeout
285    write /proc/sys/vm/dirty_expire_centisecs 200
286    write /proc/sys/vm/dirty_background_ratio  5
287
288    # Permissions for System Server and daemons.
    # Hands selected sysfs/procfs nodes to the radio and system accounts. Where
    # a chown has no matching chmod, the node keeps the mode its kernel driver
    # gave it, so the effective access depends on the driver.
289    chown radio system /sys/android_power/state
290    chown radio system /sys/android_power/request_state
291    chown radio system /sys/android_power/acquire_full_wake_lock
292    chown radio system /sys/android_power/acquire_partial_wake_lock
293    chown radio system /sys/android_power/release_wake_lock
294    chown system system /sys/power/autosleep
295    chown system system /sys/power/state
296    chown system system /sys/power/wakeup_count
297    chown radio system /sys/power/wake_lock
298    chown radio system /sys/power/wake_unlock
    # 0660: power state and wake locks are writable by owner and group only.
299    chmod 0660 /sys/power/state
300    chmod 0660 /sys/power/wake_lock
301    chmod 0660 /sys/power/wake_unlock
302
    # cpufreq "interactive" governor tunables: system:system, 0660.
303    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
304    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
305    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
306    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
307    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
308    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
309    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
310    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
311    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
312    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
313    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
314    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
315    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
316    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
317    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
318    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): boostpulse is the one tunable in this run without a chmod.
319    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
320    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
321    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
322    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
323    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
324    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
325    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
326
327    # Assume SMP uses shared cpufreq policy for all CPUs
328    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
329    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
330
331    chown system system /sys/class/timed_output/vibrator/enable
332    chown system system /sys/class/leds/keyboard-backlight/brightness
333    chown system system /sys/class/leds/lcd-backlight/brightness
334    chown system system /sys/class/leds/button-backlight/brightness
335    chown system system /sys/class/leds/jogball-backlight/brightness
336    chown system system /sys/class/leds/red/brightness
337    chown system system /sys/class/leds/green/brightness
338    chown system system /sys/class/leds/blue/brightness
339    chown system system /sys/class/leds/red/device/grpfreq
340    chown system system /sys/class/leds/red/device/grppwm
341    chown system system /sys/class/leds/red/device/blink
    # The next seven chown lines repeat entries already applied above
    # (LED nodes and vibrator enable); they are redundant but harmless.
342    chown system system /sys/class/leds/red/brightness
343    chown system system /sys/class/leds/green/brightness
344    chown system system /sys/class/leds/blue/brightness
345    chown system system /sys/class/leds/red/device/grpfreq
346    chown system system /sys/class/leds/red/device/grppwm
347    chown system system /sys/class/leds/red/device/blink
348    chown system system /sys/class/timed_output/vibrator/enable
349    chown system system /sys/module/sco/parameters/disable_esco
350    chown system system /sys/kernel/ipv4/tcp_wmem_min
351    chown system system /sys/kernel/ipv4/tcp_wmem_def
352    chown system system /sys/kernel/ipv4/tcp_wmem_max
353    chown system system /sys/kernel/ipv4/tcp_rmem_min
354    chown system system /sys/kernel/ipv4/tcp_rmem_def
355    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Group changed to radio with no chmod; the kernel command line stays
    # readable according to the mode the kernel assigns.
356    chown root radio /proc/cmdline
357
358# Set these so we can remotely update SELinux policy
# NOTE(review): this makes uid system the file owner of the selinuxfs nodes that
# load a policy and switch enforcing mode. File ownership alone is not the only
# gate (the loaded policy also has to permit the operation), but it means a
# compromised system-uid process is one policy rule away from changing or
# disabling enforcement. Audit which domains are allowed to use these nodes.
359    chown system system /sys/fs/selinux/load
360    chown system system /sys/fs/selinux/enforce
361
362# Define TCP buffer sizes for various networks
363#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
# Each property holds six comma-separated byte counts in the order listed above,
# keyed by network type.
364    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
365    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
366    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
367    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
368    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
369    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
370    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
371    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
372    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
373    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
374    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
375
376# Set this property so surfaceflinger is not started by system_init
377    setprop system_init.startsurfaceflinger 0
378
# Start every service in classes core and main that is not marked disabled.
# All permission and sysctl setup above runs before any of them starts.
379    class_start core
380    class_start main
381
382on nonencrypted
    # No service in this file declares class late_start, so any members come
    # from the imported rc files.
383    class_start late_start
384
385on charger
    # Likewise, class charger has no members defined in this file.
386    class_start charger
387
388on property:vold.decrypt=trigger_reset_main
    # The actions in this run are driven by values of the vold.decrypt property.
    # Whoever may set that property can stop and restart the main and late_start
    # classes; the property's write permissions are not defined in this file.
389    class_reset main
390
391on property:vold.decrypt=trigger_load_persist_props
392    load_persist_props
393
394on property:vold.decrypt=trigger_post_fs_data
    # Re-runs the post-fs-data action defined earlier in this file.
395    trigger post-fs-data
396
397on property:vold.decrypt=trigger_restart_min_framework
398    class_start main
399
400on property:vold.decrypt=trigger_restart_framework
401    class_start main
402    class_start late_start
403
404on property:vold.decrypt=trigger_shutdown_framework
405    class_reset late_start
406    class_reset main
407
408## Daemon processes to be run by init.
409##
# Reading guide for the service stanzas below: a stanza without a `user` option
# runs with init's own uid (root), and a `socket` line gives the mode, owner
# and group of the socket init creates for the service.
410service ueventd /sbin/ueventd
    # Runs as root (no `user`). `critical` marks it as a service init will not
    # tolerate crashing repeatedly; seclabel pins its SELinux domain.
411    class core
412    critical
413    seclabel u:r:ueventd:s0
414
415on property:selinux.reload_policy=1
    # Reloads policy, then restarts ueventd and installd.
416    selinux_reload_policy
417    restart ueventd
418    restart installd
419
420on property:persist.selinux.enforcing=1
421    setenforce 1
422
423on property:persist.selinux.enforcing=0
    # NOTE(review): a persist.* property survives reboots, so any principal
    # allowed to set persist.selinux.enforcing to 0 can keep the device in
    # permissive mode across boots. The property's write permissions are not
    # defined in this file; audit them, and alert on this value in fleet telemetry.
424    setenforce 0
425
426service console /system/bin/sh
    # Interactive shell on the console device, running as uid shell with
    # supplementary group log. Disabled by default; no seclabel is set here.
427    class core
428    console
429    disabled
430    user shell
431    group log
432
433on property:ro.debuggable=1
    # The console shell is started only on builds with ro.debuggable=1.
434    start console
435
436# adbd is controlled via property triggers in init.<platform>.usb.rc
437service adbd /sbin/adbd
    # No `user` option: adbd is launched as root, so any privilege drop has to
    # happen inside adbd itself. The control socket is limited to system:system
    # (660) and the daemon is confined by its seclabel.
438    class core
439    socket adbd stream 660 system system
440    disabled
441    seclabel u:r:adbd:s0
442
443# adbd on at boot in emulator
444on property:ro.kernel.qemu=1
    # NOTE(review): this starts adbd unconditionally when ro.kernel.qemu is 1;
    # confirm that property cannot be set on physical devices.
445    start adbd
446
447service servicemanager /system/bin/servicemanager
    # Runs as system:system. A restart of servicemanager also restarts zygote,
    # media, surfaceflinger and drm, per the onrestart lines below.
448    class core
449    user system
450    group system
451    critical
452    onrestart restart zygote
453    onrestart restart media
454    onrestart restart surfaceflinger
455    onrestart restart drm
456
457service vold /system/bin/vold
    # Runs as root (no `user`). Its socket is reachable by root and group mount.
458    class core
459    socket vold stream 0660 root mount
460    ioprio be 2
461
462service netd /system/bin/netd
    # Runs as root (no `user`). The netd and mdns sockets are limited to group
    # system; dnsproxyd is open to group inet, which makes it the socket with
    # the widest set of potential clients of this root daemon.
463    class main
464    socket netd stream 0660 root system
465    socket dnsproxyd stream 0660 root inet
466    socket mdns stream 0660 root system
467
468service debuggerd /system/bin/debuggerd
    # Runs as root (no `user`); no socket or seclabel is declared in this stanza.
469    class main
470
471service ril-daemon /system/bin/rild
    # Explicitly root, with six supplementary groups. The rild socket is owned
    # root:radio, the rild-debug socket radio:system.
    # NOTE(review): rild-debug is created on every build by this stanza;
    # confirm whether it is needed outside debugging.
472    class main
473    socket rild stream 660 root radio
474    socket rild-debug stream 660 radio system
475    user root
476    group radio cache inet misc audio log
477
478service surfaceflinger /system/bin/surfaceflinger
    # Runs as uid system with groups graphics and drmrpc; restarting it also
    # restarts zygote.
479    class main
480    user system
481    group graphics drmrpc
482    onrestart restart zygote
483
484service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    # Runs as root (no `user`). Its socket is restricted to root and group
    # system (660). A zygote restart writes to the power nodes and restarts
    # media and netd.
485    class main
486    socket zygote stream 660 root system
487    onrestart write /sys/android_power/request_state wake
488    onrestart write /sys/power/state on
489    onrestart restart media
490    onrestart restart netd
491
492service drm /system/bin/drmserver
    # Runs as uid drm; supplementary groups include system and inet.
493    class main
494    user drm
495    group drm system inet drmrpc
496
497service media /system/bin/mediaserver
    # Runs as uid media with a wide set of supplementary groups (audio, camera,
    # network, Bluetooth, bandwidth accounting, DRM). Each group widens what a
    # compromise of this process could reach; keep the list minimal.
498    class main
499    user media
500    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
501    ioprio rt 4
502
503service bootanim /system/bin/bootanimation
    # Runs as graphics:graphics; disabled and oneshot, so it runs only when
    # started explicitly and is not restarted after it exits.
504    class main
505    user graphics
506    group graphics
507    disabled
508    oneshot
509
510service installd /system/bin/installd
    # Runs as root (no `user`). Its socket is 600 system:system, so only uid
    # system can send it requests.
511    class main
512    socket installd stream 600 system system
513
514service flash_recovery /system/etc/install-recovery.sh
    # Runs a script as root (no `user`), once per start of class main. The
    # script's integrity therefore rests on /system staying read-only and
    # unmodified; an unexpected change to this file is worth alerting on.
515    class main
516    oneshot
517
518service racoon /system/bin/racoon
    # No `user` option: the process starts as root and, per the comment below,
    # is expected to drop to vpn itself after binding. Disabled and oneshot.
519    class main
520    socket racoon stream 600 system system
521    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
522    group vpn net_admin inet
523    disabled
524    oneshot
525
526service mtpd /system/bin/mtpd
    # Runs as uid vpn with groups net_admin and net_raw; its control socket is
    # 600 system:system. Disabled and oneshot.
527    class main
528    socket mtpd stream 600 system system
529    user vpn
530    group vpn net_admin inet net_raw
531    disabled
532    oneshot
533
534service keystore /system/bin/keystore /data/misc/keystore
    # Runs as the dedicated keystore uid. The directory passed as argument is
    # created 0700 keystore:keystore in the post-fs-data action of this file.
535    class main
536    user keystore
537    group keystore drmrpc
538
539service dumpstate /system/bin/dumpstate -s
    # Runs as root (no `user`). Its socket is accessible to uid shell and group
    # log (0660). Disabled and oneshot, so it runs only on explicit request.
540    class main
541    socket dumpstate stream 0660 shell log
542    disabled
543    oneshot
544
545service sshd /system/bin/start-ssh
    # Disabled by default; if started it runs as root (no `user`).
    # NOTE(review): what enables this service is not visible in this file;
    # check the imported rc files and the properties that can start it.
546    class main
547    disabled
548
549service mdnsd /system/bin/mdnsd
    # Runs as uid mdnsr with groups inet and net_raw; its socket is open to
    # group inet (0660). Disabled and oneshot.
550    class main
551    user mdnsr
552    group inet net_raw
553    socket mdnsd stream 0660 mdnsr inet
554    disabled
555    oneshot
556