1 # Copyright (C) 2012 The Android Open Source Project 2 # 3 # IMPORTANT: Do not create world writable files or directories. 4 # This is a common source of Android security bugs. 5 # 6 7 import /init.${ro.hardware}.rc 8 import /init.usb.rc 9 import /init.trace.rc 10 11 on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 start ueventd 16 17 # create mountpoints 18 mkdir /mnt 0775 root system 19 20 on init 21 22 sysclktz 0 23 24 loglevel 3 25 26 # setup the global environment 27 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 28 export LD_LIBRARY_PATH /vendor/lib:/system/lib 29 export ANDROID_BOOTLOGO 1 30 export ANDROID_ROOT /system 31 export ANDROID_ASSETS /system/app 32 export ANDROID_DATA /data 33 export ASEC_MOUNTPOINT /mnt/asec 34 export LOOP_MOUNTPOINT /mnt/obb 35 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 36 37 # Backward compatibility 38 symlink /system/etc /etc 39 symlink /sys/kernel/debug /d 40 41 # Right now vendor lives on the same filesystem as system, 42 # but someday that may change. 43 symlink /system/vendor /vendor 44 45 # Create cgroup mount point for cpu accounting 46 mkdir /acct 47 mount cgroup none /acct cpuacct 48 mkdir /acct/uid 49 50 mkdir /system 51 mkdir /data 0771 system system 52 mkdir /cache 0770 system cache 53 mkdir /config 0500 root root 54 55 # Directory for putting things only root should see. 56 mkdir /mnt/secure 0700 root root 57 58 # Directory for staging bindmounts 59 mkdir /mnt/secure/staging 0700 root root 60 61 # Directory-target for where the secure container 62 # imagefile directory will be bind-mounted 63 mkdir /mnt/secure/asec 0700 root root 64 65 # Secure container public mount points. 66 mkdir /mnt/asec 0700 root system 67 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 68 69 # Filesystem image public mount points. 70 mkdir /mnt/obb 0700 root system 71 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 72 73 write /proc/sys/kernel/panic_on_oops 1 74 write /proc/sys/kernel/hung_task_timeout_secs 0 75 write /proc/cpu/alignment 4 76 write /proc/sys/kernel/sched_latency_ns 10000000 77 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 78 write /proc/sys/kernel/sched_compat_yield 1 79 write /proc/sys/kernel/sched_child_runs_first 0 80 write /proc/sys/kernel/randomize_va_space 2 81 write /proc/sys/kernel/kptr_restrict 2 82 write /proc/sys/kernel/dmesg_restrict 1 83 write /proc/sys/vm/mmap_min_addr 32768 84 write /proc/sys/kernel/sched_rt_runtime_us 950000 85 write /proc/sys/kernel/sched_rt_period_us 1000000 86 87 # Create cgroup mount points for process groups 88 mkdir /dev/cpuctl 89 mount cgroup none /dev/cpuctl cpu 90 chown system system /dev/cpuctl 91 chown system system /dev/cpuctl/tasks 92 chmod 0660 /dev/cpuctl/tasks 93 write /dev/cpuctl/cpu.shares 1024 94 write /dev/cpuctl/cpu.rt_runtime_us 950000 95 write /dev/cpuctl/cpu.rt_period_us 1000000 96 97 mkdir /dev/cpuctl/apps 98 chown system system /dev/cpuctl/apps/tasks 99 chmod 0666 /dev/cpuctl/apps/tasks 100 write /dev/cpuctl/apps/cpu.shares 1024 101 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 102 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 103 104 mkdir /dev/cpuctl/apps/bg_non_interactive 105 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 106 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 107 # 5.0 % 108 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 109 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 110 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 111 112 # Allow everybody to read the xt_qtaguid resource tracking misc dev. 113 # This is needed by any process that uses socket tagging. 114 chmod 0644 /dev/xt_qtaguid 115 116 on fs 117 # mount mtd partitions 118 # Mount /system rw first to give the filesystem a chance to save a checkpoint 119 mount yaffs2 mtd@system /system 120 mount yaffs2 mtd@system /system ro remount 121 mount yaffs2 mtd@userdata /data nosuid nodev 122 mount yaffs2 mtd@cache /cache nosuid nodev 123 124 on post-fs 125 # once everything is setup, no need to modify / 126 mount rootfs rootfs / ro remount 127 128 # We chown/chmod /cache again so because mount is run as root + defaults 129 chown system cache /cache 130 chmod 0770 /cache 131 132 # This may have been created by the recovery system with odd permissions 133 chown system cache /cache/recovery 134 chmod 0770 /cache/recovery 135 136 #change permissions on vmallocinfo so we can grab it from bugreports 137 chown root log /proc/vmallocinfo 138 chmod 0440 /proc/vmallocinfo 139 140 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 141 chown root system /proc/kmsg 142 chmod 0440 /proc/kmsg 143 chown root system /proc/sysrq-trigger 144 chmod 0220 /proc/sysrq-trigger 145 146 # create the lost+found directories, so as to enforce our permissions 147 mkdir /cache/lost+found 0770 root root 148 149 on post-fs-data 150 # We chown/chmod /data again so because mount is run as root + defaults 151 chown system system /data 152 chmod 0771 /data 153 154 # Create dump dir and collect dumps. 155 # Do this before we mount cache so eventually we can use cache for 156 # storing dumps on platforms which do not have a dedicated dump partition. 157 mkdir /data/dontpanic 0750 root log 158 159 # Collect apanic data, free resources and re-arm trigger 160 copy /proc/apanic_console /data/dontpanic/apanic_console 161 chown root log /data/dontpanic/apanic_console 162 chmod 0640 /data/dontpanic/apanic_console 163 164 copy /proc/apanic_threads /data/dontpanic/apanic_threads 165 chown root log /data/dontpanic/apanic_threads 166 chmod 0640 /data/dontpanic/apanic_threads 167 168 write /proc/apanic_console 1 169 170 # create basic filesystem structure 171 mkdir /data/misc 01771 system misc 172 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth 173 mkdir /data/misc/bluetooth 0770 system system 174 mkdir /data/misc/keystore 0700 keystore keystore 175 mkdir /data/misc/keychain 0771 system system 176 mkdir /data/misc/vpn 0770 system vpn 177 mkdir /data/misc/systemkeys 0700 system system 178 # give system access to wpa_supplicant.conf for backup and restore 179 mkdir /data/misc/wifi 0770 wifi wifi 180 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 181 mkdir /data/local 0751 root root 182 183 # For security reasons, /data/local/tmp should always be empty. 184 # Do not place files or directories in /data/local/tmp 185 mkdir /data/local/tmp 0771 shell shell 186 mkdir /data/data 0771 system system 187 mkdir /data/app-private 0771 system system 188 mkdir /data/app-asec 0700 root root 189 mkdir /data/app 0771 system system 190 mkdir /data/property 0700 root root 191 mkdir /data/ssh 0750 root shell 192 mkdir /data/ssh/empty 0700 root root 193 194 # create dalvik-cache, so as to enforce our permissions 195 mkdir /data/dalvik-cache 0771 system system 196 197 # create resource-cache and double-check the perms 198 mkdir /data/resource-cache 0771 system system 199 chown system system /data/resource-cache 200 chmod 0771 /data/resource-cache 201 202 # create the lost+found directories, so as to enforce our permissions 203 mkdir /data/lost+found 0770 root root 204 205 # create directory for DRM plug-ins - give drm the read/write access to 206 # the following directory. 207 mkdir /data/drm 0770 drm drm 208 209 # If there is no fs-post-data action in the init.<device>.rc file, you 210 # must uncomment this line, otherwise encrypted filesystems 211 # won't work. 212 # Set indication (checked by vold) that we have finished this action 213 #setprop vold.post_fs_data_done 1 214 215 on boot 216 # basic network init 217 ifup lo 218 hostname localhost 219 domainname localdomain 220 221 # set RLIMIT_NICE to allow priorities from 19 to -20 222 setrlimit 13 40 40 223 224 # Memory management. Basic kernel parameters, and allow the high 225 # level system server to be able to adjust the kernel OOM driver 226 # parameters to match how it is managing things. 227 write /proc/sys/vm/overcommit_memory 1 228 write /proc/sys/vm/min_free_order_shift 4 229 chown root system /sys/module/lowmemorykiller/parameters/adj 230 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 231 chown root system /sys/module/lowmemorykiller/parameters/minfree 232 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 233 234 # Tweak background writeout 235 write /proc/sys/vm/dirty_expire_centisecs 200 236 write /proc/sys/vm/dirty_background_ratio 5 237 238 # Permissions for System Server and daemons. 239 chown radio system /sys/android_power/state 240 chown radio system /sys/android_power/request_state 241 chown radio system /sys/android_power/acquire_full_wake_lock 242 chown radio system /sys/android_power/acquire_partial_wake_lock 243 chown radio system /sys/android_power/release_wake_lock 244 chown system system /sys/power/state 245 chown system system /sys/power/wakeup_count 246 chown radio system /sys/power/wake_lock 247 chown radio system /sys/power/wake_unlock 248 chmod 0660 /sys/power/state 249 chmod 0660 /sys/power/wake_lock 250 chmod 0660 /sys/power/wake_unlock 251 252 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 253 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 254 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 255 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 256 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 257 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 258 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 259 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 260 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 261 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 262 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 263 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 264 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 265 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 266 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 267 268 # Assume SMP uses shared cpufreq policy for all CPUs 269 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 270 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 271 272 chown system system /sys/class/timed_output/vibrator/enable 273 chown system system /sys/class/leds/keyboard-backlight/brightness 274 chown system system /sys/class/leds/lcd-backlight/brightness 275 chown system system /sys/class/leds/button-backlight/brightness 276 chown system system /sys/class/leds/jogball-backlight/brightness 277 chown system system /sys/class/leds/red/brightness 278 chown system system /sys/class/leds/green/brightness 279 chown system system /sys/class/leds/blue/brightness 280 chown system system /sys/class/leds/red/device/grpfreq 281 chown system system /sys/class/leds/red/device/grppwm 282 chown system system /sys/class/leds/red/device/blink 283 chown system system /sys/class/leds/red/brightness 284 chown system system /sys/class/leds/green/brightness 285 chown system system /sys/class/leds/blue/brightness 286 chown system system /sys/class/leds/red/device/grpfreq 287 chown system system /sys/class/leds/red/device/grppwm 288 chown system system /sys/class/leds/red/device/blink 289 chown system system /sys/class/timed_output/vibrator/enable 290 chown system system /sys/module/sco/parameters/disable_esco 291 chown system system /sys/kernel/ipv4/tcp_wmem_min 292 chown system system /sys/kernel/ipv4/tcp_wmem_def 293 chown system system /sys/kernel/ipv4/tcp_wmem_max 294 chown system system /sys/kernel/ipv4/tcp_rmem_min 295 chown system system /sys/kernel/ipv4/tcp_rmem_def 296 chown system system /sys/kernel/ipv4/tcp_rmem_max 297 chown root radio /proc/cmdline 298 299 # Define TCP buffer sizes for various networks 300 # ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 301 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 302 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 303 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 304 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 305 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 306 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 307 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 308 309 # Set this property so surfaceflinger is not started by system_init 310 setprop system_init.startsurfaceflinger 0 311 312 class_start core 313 class_start main 314 315 on nonencrypted 316 class_start late_start 317 318 on charger 319 class_start charger 320 321 on property:vold.decrypt=trigger_reset_main 322 class_reset main 323 324 on property:vold.decrypt=trigger_load_persist_props 325 load_persist_props 326 327 on property:vold.decrypt=trigger_post_fs_data 328 trigger post-fs-data 329 330 on property:vold.decrypt=trigger_restart_min_framework 331 class_start main 332 333 on property:vold.decrypt=trigger_restart_framework 334 class_start main 335 class_start late_start 336 337 on property:vold.decrypt=trigger_shutdown_framework 338 class_reset late_start 339 class_reset main 340 341 ## Daemon processes to be run by init. 342 ## 343 service ueventd /sbin/ueventd 344 class core 345 critical 346 347 service console /system/bin/sh 348 class core 349 console 350 disabled 351 user shell 352 group log 353 354 on property:ro.debuggable=1 355 start console 356 357 # adbd is controlled via property triggers in init.<platform>.usb.rc 358 service adbd /sbin/adbd 359 class core 360 disabled 361 362 # adbd on at boot in emulator 363 on property:ro.kernel.qemu=1 364 start adbd 365 366 service servicemanager /system/bin/servicemanager 367 class core 368 user system 369 group system 370 critical 371 onrestart restart zygote 372 onrestart restart media 373 onrestart restart surfaceflinger 374 onrestart restart drm 375 376 service vold /system/bin/vold 377 class core 378 socket vold stream 0660 root mount 379 ioprio be 2 380 381 service netd /system/bin/netd 382 class main 383 socket netd stream 0660 root system 384 socket dnsproxyd stream 0660 root inet 385 socket mdns stream 0660 root system 386 387 service debuggerd /system/bin/debuggerd 388 class main 389 390 service ril-daemon /system/bin/rild 391 class main 392 socket rild stream 660 root radio 393 socket rild-debug stream 660 radio system 394 user root 395 group radio cache inet misc audio sdcard_r sdcard_rw log 396 397 service surfaceflinger /system/bin/surfaceflinger 398 class main 399 user system 400 group graphics 401 onrestart restart zygote 402 403 service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 404 class main 405 socket zygote stream 660 root system 406 onrestart write /sys/android_power/request_state wake 407 onrestart write /sys/power/state on 408 onrestart restart media 409 onrestart restart netd 410 411 service drm /system/bin/drmserver 412 class main 413 user drm 414 group drm system inet drmrpc sdcard_r 415 416 service media /system/bin/mediaserver 417 class main 418 user media 419 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 420 ioprio rt 4 421 422 service bootanim /system/bin/bootanimation 423 class main 424 user graphics 425 group graphics 426 disabled 427 oneshot 428 429 service dbus /system/bin/dbus-daemon --system --nofork 430 class main 431 socket dbus stream 660 bluetooth bluetooth 432 user bluetooth 433 group bluetooth net_bt_admin 434 435 service bluetoothd /system/bin/bluetoothd -n 436 class main 437 socket bluetooth stream 660 bluetooth bluetooth 438 socket dbus_bluetooth stream 660 bluetooth bluetooth 439 # init.rc does not yet support applying capabilities, so run as root and 440 # let bluetoothd drop uid to bluetooth with the right linux capabilities 441 group bluetooth net_bt_admin misc 442 disabled 443 444 service installd /system/bin/installd 445 class main 446 socket installd stream 600 system system 447 448 service flash_recovery /system/etc/install-recovery.sh 449 class main 450 oneshot 451 452 service racoon /system/bin/racoon 453 class main 454 socket racoon stream 600 system system 455 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 456 group vpn net_admin inet 457 disabled 458 oneshot 459 460 service mtpd /system/bin/mtpd 461 class main 462 socket mtpd stream 600 system system 463 user vpn 464 group vpn net_admin inet net_raw 465 disabled 466 oneshot 467 468 service keystore /system/bin/keystore /data/misc/keystore 469 class main 470 user keystore 471 group keystore drmrpc 472 socket keystore stream 666 473 474 service dumpstate /system/bin/dumpstate -s 475 class main 476 socket dumpstate stream 0660 shell log 477 disabled 478 oneshot 479 480 service sshd /system/bin/start-ssh 481 class main 482 disabled 483 484 service mdnsd /system/bin/mdnsd 485 class main 486 user mdnsr 487 group inet net_raw 488 socket mdnsd stream 0660 mdnsr inet 489 disabled 490 oneshot 491
