init.rc revision 33045a627d4dac8c4c8a910241298ca5da02f87b
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8import /init.usb.rc 9 10on early-init 11 # Set init and its forked children's oom_adj. 12 write /proc/1/oom_adj -16 13 14 start ueventd 15 16# create mountpoints 17 mkdir /mnt 0775 root system 18 19on init 20 21sysclktz 0 22 23loglevel 3 24 25# setup the global environment 26 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 27 export LD_LIBRARY_PATH /vendor/lib:/system/lib 28 export ANDROID_BOOTLOGO 1 29 export ANDROID_ROOT /system 30 export ANDROID_ASSETS /system/app 31 export ANDROID_DATA /data 32 export ASEC_MOUNTPOINT /mnt/asec 33 export LOOP_MOUNTPOINT /mnt/obb 34 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 35 36# Backward compatibility 37 symlink /system/etc /etc 38 symlink /sys/kernel/debug /d 39 40# Right now vendor lives on the same filesystem as system, 41# but someday that may change. 42 symlink /system/vendor /vendor 43 44# Create cgroup mount point for cpu accounting 45 mkdir /acct 46 mount cgroup none /acct cpuacct 47 mkdir /acct/uid 48 49 mkdir /system 50 mkdir /data 0771 system system 51 mkdir /cache 0770 system cache 52 mkdir /config 0500 root root 53 54 # Directory for putting things only root should see. 55 mkdir /mnt/secure 0700 root root 56 57 # Directory for staging bindmounts 58 mkdir /mnt/secure/staging 0700 root root 59 60 # Directory-target for where the secure container 61 # imagefile directory will be bind-mounted 62 mkdir /mnt/secure/asec 0700 root root 63 64 # Secure container public mount points. 65 mkdir /mnt/asec 0700 root system 66 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 67 68 # Filesystem image public mount points. 69 mkdir /mnt/obb 0700 root system 70 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 71 72 write /proc/sys/kernel/panic_on_oops 1 73 write /proc/sys/kernel/hung_task_timeout_secs 0 74 write /proc/cpu/alignment 4 75 write /proc/sys/kernel/sched_latency_ns 10000000 76 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 77 write /proc/sys/kernel/sched_compat_yield 1 78 write /proc/sys/kernel/sched_child_runs_first 0 79 write /proc/sys/kernel/randomize_va_space 2 80 write /proc/sys/kernel/kptr_restrict 2 81 write /proc/sys/kernel/dmesg_restrict 1 82 write /proc/sys/vm/mmap_min_addr 32768 83 write /proc/sys/kernel/sched_rt_runtime_us 950000 84 write /proc/sys/kernel/sched_rt_period_us 1000000 85 86# Create cgroup mount points for process groups 87 mkdir /dev/cpuctl 88 mount cgroup none /dev/cpuctl cpu 89 chown system system /dev/cpuctl 90 chown system system /dev/cpuctl/tasks 91 chmod 0660 /dev/cpuctl/tasks 92 write /dev/cpuctl/cpu.shares 1024 93 write /dev/cpuctl/cpu.rt_runtime_us 950000 94 write /dev/cpuctl/cpu.rt_period_us 1000000 95 96 mkdir /dev/cpuctl/foreground 97 chown system system /dev/cpuctl/foreground/tasks 98 chmod 0666 /dev/cpuctl/foreground/tasks 99 write /dev/cpuctl/foreground/cpu.shares 1024 100 write /dev/cpuctl/foreground/cpu.rt_runtime_us 0 101 write /dev/cpuctl/foreground/cpu.rt_period_us 1000000 102 103 mkdir /dev/cpuctl/bg_non_interactive 104 chown system system /dev/cpuctl/bg_non_interactive/tasks 105 chmod 0666 /dev/cpuctl/bg_non_interactive/tasks 106 # 5.0 % 107 write /dev/cpuctl/bg_non_interactive/cpu.shares 52 108 write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 0 109 write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000 110 111 mkdir /dev/cpuctl/audio_app 112 chown system system /dev/cpuctl/audio_app/tasks 113 chmod 0660 /dev/cpuctl/audio_app/tasks 114 write /dev/cpuctl/audio_app/cpu.shares 10 115 write /dev/cpuctl/audio_app/cpu.rt_runtime_us 50000 116 write /dev/cpuctl/audio_app/cpu.rt_period_us 1000000 117 118 mkdir /dev/cpuctl/audio_sys 119 chown system system /dev/cpuctl/audio_sys/tasks 120 chmod 0660 /dev/cpuctl/audio_sys/tasks 121 write /dev/cpuctl/audio_sys/cpu.shares 10 122 write /dev/cpuctl/audio_sys/cpu.rt_runtime_us 50000 123 write /dev/cpuctl/audio_sys/cpu.rt_period_us 1000000 124 125# Allow everybody to read the xt_qtaguid resource tracking misc dev. 126# This is needed by any process that uses socket tagging. 127 chmod 0644 /dev/xt_qtaguid 128 129on fs 130# mount mtd partitions 131 # Mount /system rw first to give the filesystem a chance to save a checkpoint 132 mount yaffs2 mtd@system /system 133 mount yaffs2 mtd@system /system ro remount 134 mount yaffs2 mtd@userdata /data nosuid nodev 135 mount yaffs2 mtd@cache /cache nosuid nodev 136 137on post-fs 138 # once everything is setup, no need to modify / 139 mount rootfs rootfs / ro remount 140 141 # We chown/chmod /cache again so because mount is run as root + defaults 142 chown system cache /cache 143 chmod 0770 /cache 144 145 # This may have been created by the recovery system with odd permissions 146 chown system cache /cache/recovery 147 chmod 0770 /cache/recovery 148 149 #change permissions on vmallocinfo so we can grab it from bugreports 150 chown root log /proc/vmallocinfo 151 chmod 0440 /proc/vmallocinfo 152 153 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 154 chown root system /proc/kmsg 155 chmod 0440 /proc/kmsg 156 chown root system /proc/sysrq-trigger 157 chmod 0220 /proc/sysrq-trigger 158 159 # create the lost+found directories, so as to enforce our permissions 160 mkdir /cache/lost+found 0770 root root 161 162on post-fs-data 163 # We chown/chmod /data again so because mount is run as root + defaults 164 chown system system /data 165 chmod 0771 /data 166 167 # Create dump dir and collect dumps. 168 # Do this before we mount cache so eventually we can use cache for 169 # storing dumps on platforms which do not have a dedicated dump partition. 170 mkdir /data/dontpanic 0750 root log 171 172 # Collect apanic data, free resources and re-arm trigger 173 copy /proc/apanic_console /data/dontpanic/apanic_console 174 chown root log /data/dontpanic/apanic_console 175 chmod 0640 /data/dontpanic/apanic_console 176 177 copy /proc/apanic_threads /data/dontpanic/apanic_threads 178 chown root log /data/dontpanic/apanic_threads 179 chmod 0640 /data/dontpanic/apanic_threads 180 181 write /proc/apanic_console 1 182 183 # create basic filesystem structure 184 mkdir /data/misc 01771 system misc 185 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 186 mkdir /data/misc/bluetooth 0770 system system 187 mkdir /data/misc/keystore 0700 keystore keystore 188 mkdir /data/misc/keychain 0771 system system 189 mkdir /data/misc/vpn 0770 system vpn 190 mkdir /data/misc/systemkeys 0700 system system 191 # give system access to wpa_supplicant.conf for backup and restore 192 mkdir /data/misc/wifi 0770 wifi wifi 193 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 194 mkdir /data/local 0751 root root 195 196 # For security reasons, /data/local/tmp should always be empty. 197 # Do not place files or directories in /data/local/tmp 198 mkdir /data/local/tmp 0771 shell shell 199 mkdir /data/data 0771 system system 200 mkdir /data/app-private 0771 system system 201 mkdir /data/app-asec 0700 root root 202 mkdir /data/app 0771 system system 203 mkdir /data/property 0700 root root 204 mkdir /data/ssh 0750 root shell 205 mkdir /data/ssh/empty 0700 root root 206 207 # create dalvik-cache, so as to enforce our permissions 208 mkdir /data/dalvik-cache 0771 system system 209 210 # create resource-cache and double-check the perms 211 mkdir /data/resource-cache 0771 system system 212 chown system system /data/resource-cache 213 chmod 0771 /data/resource-cache 214 215 # create the lost+found directories, so as to enforce our permissions 216 mkdir /data/lost+found 0770 root root 217 218 # create directory for DRM plug-ins - give drm the read/write access to 219 # the following directory. 220 mkdir /data/drm 0770 drm drm 221 222 # If there is no fs-post-data action in the init.<device>.rc file, you 223 # must uncomment this line, otherwise encrypted filesystems 224 # won't work. 225 # Set indication (checked by vold) that we have finished this action 226 #setprop vold.post_fs_data_done 1 227 228on boot 229# basic network init 230 ifup lo 231 hostname localhost 232 domainname localdomain 233 234# set RLIMIT_NICE to allow priorities from 19 to -20 235 setrlimit 13 40 40 236 237# Memory management. Basic kernel parameters, and allow the high 238# level system server to be able to adjust the kernel OOM driver 239# parameters to match how it is managing things. 240 write /proc/sys/vm/overcommit_memory 1 241 write /proc/sys/vm/min_free_order_shift 4 242 chown root system /sys/module/lowmemorykiller/parameters/adj 243 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 244 chown root system /sys/module/lowmemorykiller/parameters/minfree 245 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 246 247 # Tweak background writeout 248 write /proc/sys/vm/dirty_expire_centisecs 200 249 write /proc/sys/vm/dirty_background_ratio 5 250 251 # Permissions for System Server and daemons. 252 chown radio system /sys/android_power/state 253 chown radio system /sys/android_power/request_state 254 chown radio system /sys/android_power/acquire_full_wake_lock 255 chown radio system /sys/android_power/acquire_partial_wake_lock 256 chown radio system /sys/android_power/release_wake_lock 257 chown system system /sys/power/state 258 chown system system /sys/power/wakeup_count 259 chown radio system /sys/power/wake_lock 260 chown radio system /sys/power/wake_unlock 261 chmod 0660 /sys/power/state 262 chmod 0660 /sys/power/wake_lock 263 chmod 0660 /sys/power/wake_unlock 264 265 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 266 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 267 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 268 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 269 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 270 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 271 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 272 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 273 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 274 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 275 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 276 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 277 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 278 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 279 280 # Assume SMP uses shared cpufreq policy for all CPUs 281 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 282 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 283 284 chown system system /sys/class/timed_output/vibrator/enable 285 chown system system /sys/class/leds/keyboard-backlight/brightness 286 chown system system /sys/class/leds/lcd-backlight/brightness 287 chown system system /sys/class/leds/button-backlight/brightness 288 chown system system /sys/class/leds/jogball-backlight/brightness 289 chown system system /sys/class/leds/red/brightness 290 chown system system /sys/class/leds/green/brightness 291 chown system system /sys/class/leds/blue/brightness 292 chown system system /sys/class/leds/red/device/grpfreq 293 chown system system /sys/class/leds/red/device/grppwm 294 chown system system /sys/class/leds/red/device/blink 295 chown system system /sys/class/leds/red/brightness 296 chown system system /sys/class/leds/green/brightness 297 chown system system /sys/class/leds/blue/brightness 298 chown system system /sys/class/leds/red/device/grpfreq 299 chown system system /sys/class/leds/red/device/grppwm 300 chown system system /sys/class/leds/red/device/blink 301 chown system system /sys/class/timed_output/vibrator/enable 302 chown system system /sys/module/sco/parameters/disable_esco 303 chown system system /sys/kernel/ipv4/tcp_wmem_min 304 chown system system /sys/kernel/ipv4/tcp_wmem_def 305 chown system system /sys/kernel/ipv4/tcp_wmem_max 306 chown system system /sys/kernel/ipv4/tcp_rmem_min 307 chown system system /sys/kernel/ipv4/tcp_rmem_def 308 chown system system /sys/kernel/ipv4/tcp_rmem_max 309 chown root radio /proc/cmdline 310 311# Define TCP buffer sizes for various networks 312# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 313 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 314 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 315 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 316 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 317 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 318 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 319 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 320 321# Set this property so surfaceflinger is not started by system_init 322 setprop system_init.startsurfaceflinger 0 323 324 class_start core 325 class_start main 326 327on nonencrypted 328 class_start late_start 329 330on charger 331 class_start charger 332 333on property:vold.decrypt=trigger_reset_main 334 class_reset main 335 336on property:vold.decrypt=trigger_load_persist_props 337 load_persist_props 338 339on property:vold.decrypt=trigger_post_fs_data 340 trigger post-fs-data 341 342on property:vold.decrypt=trigger_restart_min_framework 343 class_start main 344 345on property:vold.decrypt=trigger_restart_framework 346 class_start main 347 class_start late_start 348 349on property:vold.decrypt=trigger_shutdown_framework 350 class_reset late_start 351 class_reset main 352 353## Daemon processes to be run by init. 354## 355service ueventd /sbin/ueventd 356 class core 357 critical 358 359service console /system/bin/sh 360 class core 361 console 362 disabled 363 user shell 364 group log 365 366on property:ro.debuggable=1 367 start console 368 369# Allow writing to the kernel trace log. Enabling tracing still requires root. 370on property:ro.debuggable=1 371 chmod 0222 /sys/kernel/debug/tracing/trace_marker 372 373# adbd is controlled via property triggers in init.<platform>.usb.rc 374service adbd /sbin/adbd 375 class core 376 disabled 377 378# adbd on at boot in emulator 379on property:ro.kernel.qemu=1 380 start adbd 381 382service servicemanager /system/bin/servicemanager 383 class core 384 user system 385 group system 386 critical 387 onrestart restart zygote 388 onrestart restart media 389 onrestart restart surfaceflinger 390 onrestart restart drm 391 392service vold /system/bin/vold 393 class core 394 socket vold stream 0660 root mount 395 ioprio be 2 396 397service netd /system/bin/netd 398 class main 399 socket netd stream 0660 root system 400 socket dnsproxyd stream 0660 root inet 401 socket mdns stream 0660 root system 402 403service debuggerd /system/bin/debuggerd 404 class main 405 406service ril-daemon /system/bin/rild 407 class main 408 socket rild stream 660 root radio 409 socket rild-debug stream 660 radio system 410 user root 411 group radio cache inet misc audio sdcard_rw log 412 413service surfaceflinger /system/bin/surfaceflinger 414 class main 415 user system 416 group graphics 417 onrestart restart zygote 418 419service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 420 class main 421 socket zygote stream 660 root system 422 onrestart write /sys/android_power/request_state wake 423 onrestart write /sys/power/state on 424 onrestart restart media 425 onrestart restart netd 426 427service drm /system/bin/drmserver 428 class main 429 user drm 430 group drm system inet drmrpc 431 432service media /system/bin/mediaserver 433 class main 434 user media 435 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 436 ioprio rt 4 437 438service bootanim /system/bin/bootanimation 439 class main 440 user graphics 441 group graphics 442 disabled 443 oneshot 444 445service dbus /system/bin/dbus-daemon --system --nofork 446 class main 447 socket dbus stream 660 bluetooth bluetooth 448 user bluetooth 449 group bluetooth net_bt_admin 450 451service bluetoothd /system/bin/bluetoothd -n 452 class main 453 socket bluetooth stream 660 bluetooth bluetooth 454 socket dbus_bluetooth stream 660 bluetooth bluetooth 455 # init.rc does not yet support applying capabilities, so run as root and 456 # let bluetoothd drop uid to bluetooth with the right linux capabilities 457 group bluetooth net_bt_admin misc 458 disabled 459 460service installd /system/bin/installd 461 class main 462 socket installd stream 600 system system 463 464service flash_recovery /system/etc/install-recovery.sh 465 class main 466 oneshot 467 468service racoon /system/bin/racoon 469 class main 470 socket racoon stream 600 system system 471 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 472 group vpn net_admin inet 473 disabled 474 oneshot 475 476service mtpd /system/bin/mtpd 477 class main 478 socket mtpd stream 600 system system 479 user vpn 480 group vpn net_admin inet net_raw 481 disabled 482 oneshot 483 484service keystore /system/bin/keystore /data/misc/keystore 485 class main 486 user keystore 487 group keystore drmrpc 488 socket keystore stream 666 489 490service dumpstate /system/bin/dumpstate -s 491 class main 492 socket dumpstate stream 0660 shell log 493 disabled 494 oneshot 495 496service sshd /system/bin/start-ssh 497 class main 498 disabled 499 500service mdnsd /system/bin/mdnsd 501 class main 502 user mdnsr 503 group inet net_raw 504 socket mdnsd stream 0660 mdnsr inet 505 disabled 506 oneshot 507 508