init.rc revision fee250d27a9c03af1ba439047b976d89563b1887
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.usb.rc 8import /init.${ro.hardware}.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ANDROID_STORAGE /storage 38 export ASEC_MOUNTPOINT /mnt/asec 39 export LOOP_MOUNTPOINT /mnt/obb 40 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 41 42# Backward compatibility 43 symlink /system/etc /etc 44 symlink /sys/kernel/debug /d 45 46# Right now vendor lives on the same filesystem as system, 47# but someday that may change. 48 symlink /system/vendor /vendor 49 50# Create cgroup mount point for cpu accounting 51 mkdir /acct 52 mount cgroup none /acct cpuacct 53 mkdir /acct/uid 54 55 mkdir /system 56 mkdir /data 0771 system system 57 mkdir /cache 0770 system cache 58 mkdir /config 0500 root root 59 60 # See storage config details at http://source.android.com/tech/storage/ 61 mkdir /mnt/shell 0700 shell shell 62 mkdir /storage 0050 root sdcard_r 63 64 # Directory for putting things only root should see. 65 mkdir /mnt/secure 0700 root root 66 # Create private mountpoint so we can MS_MOVE from staging 67 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 68 69 # Directory for staging bindmounts 70 mkdir /mnt/secure/staging 0700 root root 71 72 # Directory-target for where the secure container 73 # imagefile directory will be bind-mounted 74 mkdir /mnt/secure/asec 0700 root root 75 76 # Secure container public mount points. 77 mkdir /mnt/asec 0700 root system 78 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 79 80 # Filesystem image public mount points. 81 mkdir /mnt/obb 0700 root system 82 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 83 84 write /proc/sys/kernel/panic_on_oops 1 85 write /proc/sys/kernel/hung_task_timeout_secs 0 86 write /proc/cpu/alignment 4 87 write /proc/sys/kernel/sched_latency_ns 10000000 88 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 89 write /proc/sys/kernel/sched_compat_yield 1 90 write /proc/sys/kernel/sched_child_runs_first 0 91 write /proc/sys/kernel/randomize_va_space 2 92 write /proc/sys/kernel/kptr_restrict 2 93 write /proc/sys/kernel/dmesg_restrict 1 94 write /proc/sys/vm/mmap_min_addr 32768 95 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 96 write /proc/sys/kernel/sched_rt_runtime_us 950000 97 write /proc/sys/kernel/sched_rt_period_us 1000000 98 99# Create cgroup mount points for process groups 100 mkdir /dev/cpuctl 101 mount cgroup none /dev/cpuctl cpu 102 chown system system /dev/cpuctl 103 chown system system /dev/cpuctl/tasks 104 chmod 0660 /dev/cpuctl/tasks 105 write /dev/cpuctl/cpu.shares 1024 106 write /dev/cpuctl/cpu.rt_runtime_us 950000 107 write /dev/cpuctl/cpu.rt_period_us 1000000 108 109 mkdir /dev/cpuctl/apps 110 chown system system /dev/cpuctl/apps/tasks 111 chmod 0666 /dev/cpuctl/apps/tasks 112 write /dev/cpuctl/apps/cpu.shares 1024 113 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 114 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 115 116 mkdir /dev/cpuctl/apps/bg_non_interactive 117 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 118 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 119 # 5.0 % 120 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 121 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 122 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 123 124# qtaguid will limit access to specific data based on group memberships. 125# net_bw_acct grants impersonation of socket owners. 126# net_bw_stats grants access to other apps' detailed tagged-socket stats. 127 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 128 chown root net_bw_stats /proc/net/xt_qtaguid/stats 129 130# Allow everybody to read the xt_qtaguid resource tracking misc dev. 131# This is needed by any process that uses socket tagging. 132 chmod 0644 /dev/xt_qtaguid 133 134on fs 135# mount mtd partitions 136 # Mount /system rw first to give the filesystem a chance to save a checkpoint 137 mount yaffs2 mtd@system /system 138 mount yaffs2 mtd@system /system ro remount 139 mount yaffs2 mtd@userdata /data nosuid nodev 140 mount yaffs2 mtd@cache /cache nosuid nodev 141 142on post-fs 143 # once everything is setup, no need to modify / 144 mount rootfs rootfs / ro remount 145 # mount shared so changes propagate into child namespaces 146 mount rootfs rootfs / shared rec 147 mount tmpfs tmpfs /mnt/secure private rec 148 149 # We chown/chmod /cache again so because mount is run as root + defaults 150 chown system cache /cache 151 chmod 0770 /cache 152 # We restorecon /cache in case the cache partition has been reset. 153 restorecon /cache 154 155 # This may have been created by the recovery system with odd permissions 156 chown system cache /cache/recovery 157 chmod 0770 /cache/recovery 158 # This may have been created by the recovery system with the wrong context. 159 restorecon /cache/recovery 160 161 #change permissions on vmallocinfo so we can grab it from bugreports 162 chown root log /proc/vmallocinfo 163 chmod 0440 /proc/vmallocinfo 164 165 chown root log /proc/slabinfo 166 chmod 0440 /proc/slabinfo 167 168 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 169 chown root system /proc/kmsg 170 chmod 0440 /proc/kmsg 171 chown root system /proc/sysrq-trigger 172 chmod 0220 /proc/sysrq-trigger 173 chown system log /proc/last_kmsg 174 chmod 0440 /proc/last_kmsg 175 176 # create the lost+found directories, so as to enforce our permissions 177 mkdir /cache/lost+found 0770 root root 178 179on post-fs-data 180 # reload SELinux based on what we find on the data partition 181 selinux_reload_policy 182 183 # We chown/chmod /data again so because mount is run as root + defaults 184 chown system system /data 185 chmod 0771 /data 186 # We restorecon /data in case the userdata partition has been reset. 187 restorecon /data 188 189 # Create dump dir and collect dumps. 190 # Do this before we mount cache so eventually we can use cache for 191 # storing dumps on platforms which do not have a dedicated dump partition. 192 mkdir /data/dontpanic 0750 root log 193 194 # Collect apanic data, free resources and re-arm trigger 195 copy /proc/apanic_console /data/dontpanic/apanic_console 196 chown root log /data/dontpanic/apanic_console 197 chmod 0640 /data/dontpanic/apanic_console 198 199 copy /proc/apanic_threads /data/dontpanic/apanic_threads 200 chown root log /data/dontpanic/apanic_threads 201 chmod 0640 /data/dontpanic/apanic_threads 202 203 write /proc/apanic_console 1 204 205 # create basic filesystem structure 206 mkdir /data/misc 01771 system misc 207 mkdir /data/misc/adb 02750 system shell 208 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 209 mkdir /data/misc/bluetooth 0770 system system 210 mkdir /data/misc/keystore 0700 keystore keystore 211 mkdir /data/misc/keychain 0771 system system 212 mkdir /data/misc/sms 0770 system radio 213 mkdir /data/misc/zoneinfo 0775 system system 214 mkdir /data/misc/vpn 0770 system vpn 215 mkdir /data/misc/systemkeys 0700 system system 216 # give system access to wpa_supplicant.conf for backup and restore 217 mkdir /data/misc/wifi 0770 wifi wifi 218 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 219 mkdir /data/local 0751 root root 220 mkdir /data/misc/media 0700 media media 221 222 # For security reasons, /data/local/tmp should always be empty. 223 # Do not place files or directories in /data/local/tmp 224 mkdir /data/local/tmp 0771 shell shell 225 mkdir /data/data 0771 system system 226 mkdir /data/app-private 0771 system system 227 mkdir /data/app-asec 0700 root root 228 mkdir /data/app-lib 0771 system system 229 mkdir /data/app 0771 system system 230 mkdir /data/property 0700 root root 231 mkdir /data/ssh 0750 root shell 232 mkdir /data/ssh/empty 0700 root root 233 234 # create dalvik-cache, so as to enforce our permissions 235 mkdir /data/dalvik-cache 0771 system system 236 237 # create resource-cache and double-check the perms 238 mkdir /data/resource-cache 0771 system system 239 chown system system /data/resource-cache 240 chmod 0771 /data/resource-cache 241 242 # create the lost+found directories, so as to enforce our permissions 243 mkdir /data/lost+found 0770 root root 244 245 # create directory for DRM plug-ins - give drm the read/write access to 246 # the following directory. 247 mkdir /data/drm 0770 drm drm 248 249 # create directory for MediaDrm plug-ins - give drm the read/write access to 250 # the following directory. 251 mkdir /data/mediadrm 0770 mediadrm mediadrm 252 253 # symlink to bugreport storage location 254 symlink /data/data/com.android.shell/files/bugreports /data/bugreports 255 256 # Separate location for storing security policy files on data 257 mkdir /data/security 0700 system system 258 259 # If there is no fs-post-data action in the init.<device>.rc file, you 260 # must uncomment this line, otherwise encrypted filesystems 261 # won't work. 262 # Set indication (checked by vold) that we have finished this action 263 #setprop vold.post_fs_data_done 1 264 265on boot 266# basic network init 267 ifup lo 268 hostname localhost 269 domainname localdomain 270 271# set RLIMIT_NICE to allow priorities from 19 to -20 272 setrlimit 13 40 40 273 274# Memory management. Basic kernel parameters, and allow the high 275# level system server to be able to adjust the kernel OOM driver 276# parameters to match how it is managing things. 277 write /proc/sys/vm/overcommit_memory 1 278 write /proc/sys/vm/min_free_order_shift 4 279 chown root system /sys/module/lowmemorykiller/parameters/adj 280 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 281 chown root system /sys/module/lowmemorykiller/parameters/minfree 282 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 283 284 # Tweak background writeout 285 write /proc/sys/vm/dirty_expire_centisecs 200 286 write /proc/sys/vm/dirty_background_ratio 5 287 288 # Permissions for System Server and daemons. 289 chown radio system /sys/android_power/state 290 chown radio system /sys/android_power/request_state 291 chown radio system /sys/android_power/acquire_full_wake_lock 292 chown radio system /sys/android_power/acquire_partial_wake_lock 293 chown radio system /sys/android_power/release_wake_lock 294 chown system system /sys/power/autosleep 295 chown system system /sys/power/state 296 chown system system /sys/power/wakeup_count 297 chown radio system /sys/power/wake_lock 298 chown radio system /sys/power/wake_unlock 299 chmod 0660 /sys/power/state 300 chmod 0660 /sys/power/wake_lock 301 chmod 0660 /sys/power/wake_unlock 302 303 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 304 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 305 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 306 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 307 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 308 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 309 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 310 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 311 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 312 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 313 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 314 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 315 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 316 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 317 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 318 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 319 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 320 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 321 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 322 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 323 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 324 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 325 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 326 327 # Assume SMP uses shared cpufreq policy for all CPUs 328 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 329 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 330 331 chown system system /sys/class/timed_output/vibrator/enable 332 chown system system /sys/class/leds/keyboard-backlight/brightness 333 chown system system /sys/class/leds/lcd-backlight/brightness 334 chown system system /sys/class/leds/button-backlight/brightness 335 chown system system /sys/class/leds/jogball-backlight/brightness 336 chown system system /sys/class/leds/red/brightness 337 chown system system /sys/class/leds/green/brightness 338 chown system system /sys/class/leds/blue/brightness 339 chown system system /sys/class/leds/red/device/grpfreq 340 chown system system /sys/class/leds/red/device/grppwm 341 chown system system /sys/class/leds/red/device/blink 342 chown system system /sys/class/leds/red/brightness 343 chown system system /sys/class/leds/green/brightness 344 chown system system /sys/class/leds/blue/brightness 345 chown system system /sys/class/leds/red/device/grpfreq 346 chown system system /sys/class/leds/red/device/grppwm 347 chown system system /sys/class/leds/red/device/blink 348 chown system system /sys/class/timed_output/vibrator/enable 349 chown system system /sys/module/sco/parameters/disable_esco 350 chown system system /sys/kernel/ipv4/tcp_wmem_min 351 chown system system /sys/kernel/ipv4/tcp_wmem_def 352 chown system system /sys/kernel/ipv4/tcp_wmem_max 353 chown system system /sys/kernel/ipv4/tcp_rmem_min 354 chown system system /sys/kernel/ipv4/tcp_rmem_def 355 chown system system /sys/kernel/ipv4/tcp_rmem_max 356 chown root radio /proc/cmdline 357 358# Set these so we can remotely update SELinux policy 359 chown system system /sys/fs/selinux/load 360 chown system system /sys/fs/selinux/enforce 361 362# Define TCP buffer sizes for various networks 363# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 364 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 365 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 366 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 367 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 368 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 369 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 370 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 371 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 372 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 373 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 374 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 375 376# Set this property so surfaceflinger is not started by system_init 377 setprop system_init.startsurfaceflinger 0 378 379 class_start core 380 class_start main 381 382on nonencrypted 383 class_start late_start 384 385on charger 386 class_start charger 387 388on property:vold.decrypt=trigger_reset_main 389 class_reset main 390 391on property:vold.decrypt=trigger_load_persist_props 392 load_persist_props 393 394on property:vold.decrypt=trigger_post_fs_data 395 trigger post-fs-data 396 397on property:vold.decrypt=trigger_restart_min_framework 398 class_start main 399 400on property:vold.decrypt=trigger_restart_framework 401 class_start main 402 class_start late_start 403 404on property:vold.decrypt=trigger_shutdown_framework 405 class_reset late_start 406 class_reset main 407 408## Daemon processes to be run by init. 409## 410service ueventd /sbin/ueventd 411 class core 412 critical 413 seclabel u:r:ueventd:s0 414 415on property:selinux.reload_policy=1 416 selinux_reload_policy 417 restart ueventd 418 restart installd 419 420on property:persist.selinux.enforcing=1 421 setenforce 1 422 423on property:persist.selinux.enforcing=0 424 setenforce 0 425 426service console /system/bin/sh 427 class core 428 console 429 disabled 430 user shell 431 group log 432 433on property:ro.debuggable=1 434 start console 435 436# adbd is controlled via property triggers in init.<platform>.usb.rc 437service adbd /sbin/adbd 438 class core 439 socket adbd stream 660 system system 440 disabled 441 seclabel u:r:adbd:s0 442 443# adbd on at boot in emulator 444on property:ro.kernel.qemu=1 445 start adbd 446 447service servicemanager /system/bin/servicemanager 448 class core 449 user system 450 group system 451 critical 452 onrestart restart zygote 453 onrestart restart media 454 onrestart restart surfaceflinger 455 onrestart restart drm 456 457service vold /system/bin/vold 458 class core 459 socket vold stream 0660 root mount 460 ioprio be 2 461 462service netd /system/bin/netd 463 class main 464 socket netd stream 0660 root system 465 socket dnsproxyd stream 0660 root inet 466 socket mdns stream 0660 root system 467 468service debuggerd /system/bin/debuggerd 469 class main 470 471service ril-daemon /system/bin/rild 472 class main 473 socket rild stream 660 root radio 474 socket rild-debug stream 660 radio system 475 user root 476 group radio cache inet misc audio log 477 478service surfaceflinger /system/bin/surfaceflinger 479 class main 480 user system 481 group graphics drmrpc 482 onrestart restart zygote 483 484service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 485 class main 486 socket zygote stream 660 root system 487 onrestart write /sys/android_power/request_state wake 488 onrestart write /sys/power/state on 489 onrestart restart media 490 onrestart restart netd 491 492service drm /system/bin/drmserver 493 class main 494 user drm 495 group drm system inet drmrpc 496 497service media /system/bin/mediaserver 498 class main 499 user media 500 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm 501 ioprio rt 4 502 503service bootanim /system/bin/bootanimation 504 class main 505 user graphics 506 group graphics 507 disabled 508 oneshot 509 510service installd /system/bin/installd 511 class main 512 socket installd stream 600 system system 513 514service flash_recovery /system/etc/install-recovery.sh 515 class main 516 oneshot 517 518service racoon /system/bin/racoon 519 class main 520 socket racoon stream 600 system system 521 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 522 group vpn net_admin inet 523 disabled 524 oneshot 525 526service mtpd /system/bin/mtpd 527 class main 528 socket mtpd stream 600 system system 529 user vpn 530 group vpn net_admin inet net_raw 531 disabled 532 oneshot 533 534service keystore /system/bin/keystore /data/misc/keystore 535 class main 536 user keystore 537 group keystore drmrpc 538 539service dumpstate /system/bin/dumpstate -s 540 class main 541 socket dumpstate stream 0660 shell log 542 disabled 543 oneshot 544 545service sshd /system/bin/start-ssh 546 class main 547 disabled 548 549service mdnsd /system/bin/mdnsd 550 class main 551 user mdnsr 552 group inet net_raw 553 socket mdnsd stream 0660 mdnsr inet 554 disabled 555 oneshot 556