init.rc revision 5dd0f86fbfed631b31c9055109889f1d9559a3ea
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8import /init.usb.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ASEC_MOUNTPOINT /mnt/asec 38 export LOOP_MOUNTPOINT /mnt/obb 39 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 40 41# Backward compatibility 42 symlink /system/etc /etc 43 symlink /sys/kernel/debug /d 44 45# Right now vendor lives on the same filesystem as system, 46# but someday that may change. 47 symlink /system/vendor /vendor 48 49# Create cgroup mount point for cpu accounting 50 mkdir /acct 51 mount cgroup none /acct cpuacct 52 mkdir /acct/uid 53 54 mkdir /system 55 mkdir /data 0771 system system 56 mkdir /cache 0770 system cache 57 mkdir /config 0500 root root 58 59 # Directory for shell-visible mount points, like external storage 60 mkdir /mnt/shell 0700 shell shell 61 62 # Directory for putting things only root should see. 63 mkdir /mnt/secure 0700 root root 64 65 # Directory for staging bindmounts 66 mkdir /mnt/secure/staging 0700 root root 67 68 # Directory-target for where the secure container 69 # imagefile directory will be bind-mounted 70 mkdir /mnt/secure/asec 0700 root root 71 72 # Secure container public mount points. 73 mkdir /mnt/asec 0700 root system 74 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 75 76 # Filesystem image public mount points. 77 mkdir /mnt/obb 0700 root system 78 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 79 80 write /proc/sys/kernel/panic_on_oops 1 81 write /proc/sys/kernel/hung_task_timeout_secs 0 82 write /proc/cpu/alignment 4 83 write /proc/sys/kernel/sched_latency_ns 10000000 84 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 85 write /proc/sys/kernel/sched_compat_yield 1 86 write /proc/sys/kernel/sched_child_runs_first 0 87 write /proc/sys/kernel/randomize_va_space 2 88 write /proc/sys/kernel/kptr_restrict 2 89 write /proc/sys/kernel/dmesg_restrict 1 90 write /proc/sys/vm/mmap_min_addr 32768 91 write /proc/sys/kernel/sched_rt_runtime_us 950000 92 write /proc/sys/kernel/sched_rt_period_us 1000000 93 94# Create cgroup mount points for process groups 95 mkdir /dev/cpuctl 96 mount cgroup none /dev/cpuctl cpu 97 chown system system /dev/cpuctl 98 chown system system /dev/cpuctl/tasks 99 chmod 0660 /dev/cpuctl/tasks 100 write /dev/cpuctl/cpu.shares 1024 101 write /dev/cpuctl/cpu.rt_runtime_us 950000 102 write /dev/cpuctl/cpu.rt_period_us 1000000 103 104 mkdir /dev/cpuctl/apps 105 chown system system /dev/cpuctl/apps/tasks 106 chmod 0666 /dev/cpuctl/apps/tasks 107 write /dev/cpuctl/apps/cpu.shares 1024 108 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 109 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 110 111 mkdir /dev/cpuctl/apps/bg_non_interactive 112 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 113 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 114 # 5.0 % 115 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 116 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 117 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 118 119# Allow everybody to read the xt_qtaguid resource tracking misc dev. 120# This is needed by any process that uses socket tagging. 121 chmod 0644 /dev/xt_qtaguid 122 123on fs 124# mount mtd partitions 125 # Mount /system rw first to give the filesystem a chance to save a checkpoint 126 mount yaffs2 mtd@system /system 127 mount yaffs2 mtd@system /system ro remount 128 mount yaffs2 mtd@userdata /data nosuid nodev 129 mount yaffs2 mtd@cache /cache nosuid nodev 130 131on post-fs 132 # once everything is setup, no need to modify / 133 mount rootfs rootfs / ro remount 134 # mount shared so changes propagate into child namespaces 135 mount rootfs rootfs / shared rec 136 137 # We chown/chmod /cache again so because mount is run as root + defaults 138 chown system cache /cache 139 chmod 0770 /cache 140 # We restorecon /cache in case the cache partition has been reset. 141 restorecon /cache 142 143 # This may have been created by the recovery system with odd permissions 144 chown system cache /cache/recovery 145 chmod 0770 /cache/recovery 146 # This may have been created by the recovery system with the wrong context. 147 restorecon /cache/recovery 148 149 #change permissions on vmallocinfo so we can grab it from bugreports 150 chown root log /proc/vmallocinfo 151 chmod 0440 /proc/vmallocinfo 152 153 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 154 chown root system /proc/kmsg 155 chmod 0440 /proc/kmsg 156 chown root system /proc/sysrq-trigger 157 chmod 0220 /proc/sysrq-trigger 158 chown system log /proc/last_kmsg 159 chmod 0440 /proc/last_kmsg 160 161 # create the lost+found directories, so as to enforce our permissions 162 mkdir /cache/lost+found 0770 root root 163 164on post-fs-data 165 # We chown/chmod /data again so because mount is run as root + defaults 166 chown system system /data 167 chmod 0771 /data 168 # We restorecon /data in case the userdata partition has been reset. 169 restorecon /data 170 171 # Create dump dir and collect dumps. 172 # Do this before we mount cache so eventually we can use cache for 173 # storing dumps on platforms which do not have a dedicated dump partition. 174 mkdir /data/dontpanic 0750 root log 175 176 # Collect apanic data, free resources and re-arm trigger 177 copy /proc/apanic_console /data/dontpanic/apanic_console 178 chown root log /data/dontpanic/apanic_console 179 chmod 0640 /data/dontpanic/apanic_console 180 181 copy /proc/apanic_threads /data/dontpanic/apanic_threads 182 chown root log /data/dontpanic/apanic_threads 183 chmod 0640 /data/dontpanic/apanic_threads 184 185 write /proc/apanic_console 1 186 187 # create basic filesystem structure 188 mkdir /data/misc 01771 system misc 189 mkdir /data/misc/adb 02750 system shell 190 mkdir /data/misc/bluedroid 0770 bluetooth bluetooth 191 mkdir /data/misc/bluetooth 0770 system system 192 mkdir /data/misc/keystore 0700 keystore keystore 193 mkdir /data/misc/keychain 0771 system system 194 mkdir /data/misc/vpn 0770 system vpn 195 mkdir /data/misc/systemkeys 0700 system system 196 # give system access to wpa_supplicant.conf for backup and restore 197 mkdir /data/misc/wifi 0770 wifi wifi 198 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 199 mkdir /data/local 0751 root root 200 201 # For security reasons, /data/local/tmp should always be empty. 202 # Do not place files or directories in /data/local/tmp 203 mkdir /data/local/tmp 0771 shell shell 204 mkdir /data/data 0771 system system 205 mkdir /data/app-private 0771 system system 206 mkdir /data/app-asec 0700 root root 207 mkdir /data/app 0771 system system 208 mkdir /data/property 0700 root root 209 mkdir /data/ssh 0750 root shell 210 mkdir /data/ssh/empty 0700 root root 211 212 # create dalvik-cache, so as to enforce our permissions 213 mkdir /data/dalvik-cache 0771 system system 214 215 # create resource-cache and double-check the perms 216 mkdir /data/resource-cache 0771 system system 217 chown system system /data/resource-cache 218 chmod 0771 /data/resource-cache 219 220 # create the lost+found directories, so as to enforce our permissions 221 mkdir /data/lost+found 0770 root root 222 223 # create directory for DRM plug-ins - give drm the read/write access to 224 # the following directory. 225 mkdir /data/drm 0770 drm drm 226 227 # If there is no fs-post-data action in the init.<device>.rc file, you 228 # must uncomment this line, otherwise encrypted filesystems 229 # won't work. 230 # Set indication (checked by vold) that we have finished this action 231 #setprop vold.post_fs_data_done 1 232 233on boot 234# basic network init 235 ifup lo 236 hostname localhost 237 domainname localdomain 238 239# set RLIMIT_NICE to allow priorities from 19 to -20 240 setrlimit 13 40 40 241 242# Memory management. Basic kernel parameters, and allow the high 243# level system server to be able to adjust the kernel OOM driver 244# parameters to match how it is managing things. 245 write /proc/sys/vm/overcommit_memory 1 246 write /proc/sys/vm/min_free_order_shift 4 247 chown root system /sys/module/lowmemorykiller/parameters/adj 248 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 249 chown root system /sys/module/lowmemorykiller/parameters/minfree 250 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 251 252 # Tweak background writeout 253 write /proc/sys/vm/dirty_expire_centisecs 200 254 write /proc/sys/vm/dirty_background_ratio 5 255 256 # Permissions for System Server and daemons. 257 chown radio system /sys/android_power/state 258 chown radio system /sys/android_power/request_state 259 chown radio system /sys/android_power/acquire_full_wake_lock 260 chown radio system /sys/android_power/acquire_partial_wake_lock 261 chown radio system /sys/android_power/release_wake_lock 262 chown system system /sys/power/autosleep 263 chown system system /sys/power/state 264 chown system system /sys/power/wakeup_count 265 chown radio system /sys/power/wake_lock 266 chown radio system /sys/power/wake_unlock 267 chmod 0660 /sys/power/state 268 chmod 0660 /sys/power/wake_lock 269 chmod 0660 /sys/power/wake_unlock 270 271 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 272 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 273 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 274 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 275 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 276 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 277 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 278 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 279 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 280 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 281 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 282 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 283 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 284 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 285 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 286 287 # Assume SMP uses shared cpufreq policy for all CPUs 288 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 289 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 290 291 chown system system /sys/class/timed_output/vibrator/enable 292 chown system system /sys/class/leds/keyboard-backlight/brightness 293 chown system system /sys/class/leds/lcd-backlight/brightness 294 chown system system /sys/class/leds/button-backlight/brightness 295 chown system system /sys/class/leds/jogball-backlight/brightness 296 chown system system /sys/class/leds/red/brightness 297 chown system system /sys/class/leds/green/brightness 298 chown system system /sys/class/leds/blue/brightness 299 chown system system /sys/class/leds/red/device/grpfreq 300 chown system system /sys/class/leds/red/device/grppwm 301 chown system system /sys/class/leds/red/device/blink 302 chown system system /sys/class/leds/red/brightness 303 chown system system /sys/class/leds/green/brightness 304 chown system system /sys/class/leds/blue/brightness 305 chown system system /sys/class/leds/red/device/grpfreq 306 chown system system /sys/class/leds/red/device/grppwm 307 chown system system /sys/class/leds/red/device/blink 308 chown system system /sys/class/timed_output/vibrator/enable 309 chown system system /sys/module/sco/parameters/disable_esco 310 chown system system /sys/kernel/ipv4/tcp_wmem_min 311 chown system system /sys/kernel/ipv4/tcp_wmem_def 312 chown system system /sys/kernel/ipv4/tcp_wmem_max 313 chown system system /sys/kernel/ipv4/tcp_rmem_min 314 chown system system /sys/kernel/ipv4/tcp_rmem_def 315 chown system system /sys/kernel/ipv4/tcp_rmem_max 316 chown root radio /proc/cmdline 317 318# Define TCP buffer sizes for various networks 319# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 320 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 321 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 322 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 323 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 324 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 325 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 326 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 327 328# Set this property so surfaceflinger is not started by system_init 329 setprop system_init.startsurfaceflinger 0 330 331 class_start core 332 class_start main 333 334on nonencrypted 335 class_start late_start 336 337on charger 338 class_start charger 339 340on property:vold.decrypt=trigger_reset_main 341 class_reset main 342 343on property:vold.decrypt=trigger_load_persist_props 344 load_persist_props 345 346on property:vold.decrypt=trigger_post_fs_data 347 trigger post-fs-data 348 349on property:vold.decrypt=trigger_restart_min_framework 350 class_start main 351 352on property:vold.decrypt=trigger_restart_framework 353 class_start main 354 class_start late_start 355 356on property:vold.decrypt=trigger_shutdown_framework 357 class_reset late_start 358 class_reset main 359 360## Daemon processes to be run by init. 361## 362service ueventd /sbin/ueventd 363 class core 364 critical 365 seclabel u:r:ueventd:s0 366 367on property:selinux.reload_policy=1 368 restart ueventd 369 restart installd 370 371service console /system/bin/sh 372 class core 373 console 374 disabled 375 user shell 376 group log 377 378on property:ro.debuggable=1 379 start console 380 381# adbd is controlled via property triggers in init.<platform>.usb.rc 382service adbd /sbin/adbd 383 class core 384 socket adbd stream 660 system system 385 disabled 386 seclabel u:r:adbd:s0 387 388# adbd on at boot in emulator 389on property:ro.kernel.qemu=1 390 start adbd 391 392service servicemanager /system/bin/servicemanager 393 class core 394 user system 395 group system 396 critical 397 onrestart restart zygote 398 onrestart restart media 399 onrestart restart surfaceflinger 400 onrestart restart drm 401 402service vold /system/bin/vold 403 class core 404 socket vold stream 0660 root mount 405 ioprio be 2 406 407service netd /system/bin/netd 408 class main 409 socket netd stream 0660 root system 410 socket dnsproxyd stream 0660 root inet 411 socket mdns stream 0660 root system 412 413service debuggerd /system/bin/debuggerd 414 class main 415 416service ril-daemon /system/bin/rild 417 class main 418 socket rild stream 660 root radio 419 socket rild-debug stream 660 radio system 420 user root 421 group radio cache inet misc audio sdcard_r sdcard_rw log 422 423service surfaceflinger /system/bin/surfaceflinger 424 class main 425 user system 426 group graphics 427 onrestart restart zygote 428 429service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 430 class main 431 socket zygote stream 660 root system 432 onrestart write /sys/android_power/request_state wake 433 onrestart write /sys/power/state on 434 onrestart restart media 435 onrestart restart netd 436 437service drm /system/bin/drmserver 438 class main 439 user drm 440 group drm system inet drmrpc sdcard_r 441 442service media /system/bin/mediaserver 443 class main 444 user media 445 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 446 ioprio rt 4 447 448service bootanim /system/bin/bootanimation 449 class main 450 user graphics 451 group graphics 452 disabled 453 oneshot 454 455service installd /system/bin/installd 456 class main 457 socket installd stream 600 system system 458 459service flash_recovery /system/etc/install-recovery.sh 460 class main 461 oneshot 462 463service racoon /system/bin/racoon 464 class main 465 socket racoon stream 600 system system 466 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 467 group vpn net_admin inet 468 disabled 469 oneshot 470 471service mtpd /system/bin/mtpd 472 class main 473 socket mtpd stream 600 system system 474 user vpn 475 group vpn net_admin inet net_raw 476 disabled 477 oneshot 478 479service keystore /system/bin/keystore /data/misc/keystore 480 class main 481 user keystore 482 group keystore drmrpc 483 socket keystore stream 666 484 485service dumpstate /system/bin/dumpstate -s 486 class main 487 socket dumpstate stream 0660 shell log 488 disabled 489 oneshot 490 491service sshd /system/bin/start-ssh 492 class main 493 disabled 494 495service mdnsd /system/bin/mdnsd 496 class main 497 user mdnsr 498 group inet net_raw 499 socket mdnsd stream 0660 mdnsr inet 500 disabled 501 oneshot 502