      1 # Copyright (C) 2012 The Android Open Source Project
      2 #
      3 # IMPORTANT: Do not create world writable files or directories.
      4 # This is a common source of Android security bugs.
      5 #
      6 
      7 import /init.environ.rc
      8 import /init.usb.rc
      9 import /init.${ro.hardware}.rc
     10 import /init.trace.rc
     11 
     12 on early-init
     13     # Set init and its forked children's oom_adj.
     14     write /proc/1/oom_adj -16
     15 
     16     # Set the security context for the init process.
     17     # This should occur before anything else (e.g. ueventd) is started.
     18     setcon u:r:init:s0
     19 
     20     start ueventd
     21 
     22 # create mountpoints
     23     mkdir /mnt 0775 root system
     24 
     25 on init
     26 
     27 sysclktz 0
     28 
     29 loglevel 3
     30 
     31 # Backward compatibility
     32     symlink /system/etc /etc
     33     symlink /sys/kernel/debug /d
     34 
     35 # Right now vendor lives on the same filesystem as system,
     36 # but someday that may change.
     37     symlink /system/vendor /vendor
     38 
     39 # Create cgroup mount point for cpu accounting
     40     mkdir /acct
     41     mount cgroup none /acct cpuacct
     42     mkdir /acct/uid
     43 
     44 # Create cgroup mount point for memory
     45     mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
     46     mkdir /sys/fs/cgroup/memory 0750 root system
     47     mount cgroup none /sys/fs/cgroup/memory memory
     48     write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
     49     chown root system /sys/fs/cgroup/memory/tasks
     50     chmod 0660 /sys/fs/cgroup/memory/tasks
     51     mkdir /sys/fs/cgroup/memory/sw 0750 root system
     52     write /sys/fs/cgroup/memory/sw/memory.swappiness 100
     53     write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
     54     chown root system /sys/fs/cgroup/memory/sw/tasks
     55     chmod 0660 /sys/fs/cgroup/memory/sw/tasks
     56 
     57     mkdir /system
     58     mkdir /data 0771 system system
     59     mkdir /cache 0770 system cache
     60     mkdir /config 0500 root root
     61 
     62     # See storage config details at http://source.android.com/tech/storage/
     63     mkdir /mnt/shell 0700 shell shell
     64     mkdir /mnt/media_rw 0700 media_rw media_rw
     65     mkdir /storage 0751 root sdcard_r
     66 
     67     # Directory for putting things only root should see.
     68     mkdir /mnt/secure 0700 root root
     69     # Create private mountpoint so we can MS_MOVE from staging
     70     mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0
     71 
     72     # Directory for staging bindmounts
     73     mkdir /mnt/secure/staging 0700 root root
     74 
     75     # Directory-target for where the secure container
     76     # imagefile directory will be bind-mounted
     77     mkdir /mnt/secure/asec  0700 root root
     78 
     79     # Secure container public mount points.
     80     mkdir /mnt/asec  0700 root system
     81     mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
     82 
     83     # Filesystem image public mount points.
     84     mkdir /mnt/obb 0700 root system
     85     mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
     86 
     87     write /proc/sys/kernel/panic_on_oops 1
     88     write /proc/sys/kernel/hung_task_timeout_secs 0
     89     write /proc/cpu/alignment 4
     90     write /proc/sys/kernel/sched_latency_ns 10000000
     91     write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
     92     write /proc/sys/kernel/sched_compat_yield 1
     93     write /proc/sys/kernel/sched_child_runs_first 0
            # Exploit-mitigation sysctls (standard Linux semantics):
            #   randomize_va_space=2  full ASLR, including the brk heap
            #   kptr_restrict=2       %pK kernel pointers are hidden from all users
            #   dmesg_restrict=1      kernel log readable only with CAP_SYSLOG
            #   mmap_min_addr=32768   no user mappings below 32 KiB, so a kernel NULL
            #                         dereference cannot land on user-controlled memory
     94     write /proc/sys/kernel/randomize_va_space 2
     95     write /proc/sys/kernel/kptr_restrict 2
     96     write /proc/sys/kernel/dmesg_restrict 1
     97     write /proc/sys/vm/mmap_min_addr 32768
            # The range 0..2147483647 lets every GID open unprivileged ICMP "ping"
            # sockets, so ping needs neither CAP_NET_RAW nor a setuid binary.
     98     write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
     99     write /proc/sys/kernel/sched_rt_runtime_us 950000
    100     write /proc/sys/kernel/sched_rt_period_us 1000000
    101 
    102 # Create cgroup mount points for process groups
            # NOTE(review): the "tasks" files under apps/ and apps/bg_non_interactive/
            # are set to 0666 below, i.e. world-writable, which the header of this file
            # warns against. File permissions therefore no longer restrict who may move
            # a task into these scheduling groups. Presumably intentional so that app
            # processes can change their own scheduling group -- confirm. The top-level
            # /dev/cpuctl/tasks stays at 0660 system:system.
    103     mkdir /dev/cpuctl
    104     mount cgroup none /dev/cpuctl cpu
    105     chown system system /dev/cpuctl
    106     chown system system /dev/cpuctl/tasks
    107     chmod 0660 /dev/cpuctl/tasks
    108     write /dev/cpuctl/cpu.shares 1024
    109     write /dev/cpuctl/cpu.rt_runtime_us 950000
    110     write /dev/cpuctl/cpu.rt_period_us 1000000
    111 
    112     mkdir /dev/cpuctl/apps
    113     chown system system /dev/cpuctl/apps/tasks
    114     chmod 0666 /dev/cpuctl/apps/tasks
    115     write /dev/cpuctl/apps/cpu.shares 1024
    116     write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    117     write /dev/cpuctl/apps/cpu.rt_period_us 1000000
    118 
    119     mkdir /dev/cpuctl/apps/bg_non_interactive
    120     chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    121     chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    122     # 5.0 %
    123     write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    124     write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    125     write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
    126 
    127 # qtaguid will limit access to specific data based on group memberships.
    128 #   net_bw_acct grants impersonation of socket owners.
    129 #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    130     chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    131     chown root net_bw_stats /proc/net/xt_qtaguid/stats
    132 
    133 # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    134 # This is needed by any process that uses socket tagging.
    135     chmod 0644 /dev/xt_qtaguid
    136 
    137 # Create location for fs_mgr to store abbreviated output from filesystem
    138 # checker programs.
    139     mkdir /dev/fscklogs 0770 root system
    140 
    141 on post-fs
    142     # once everything is setup, no need to modify /
    143     mount rootfs rootfs / ro remount
    144     # mount shared so changes propagate into child namespaces
    145     mount rootfs rootfs / shared rec
    146     mount tmpfs tmpfs /mnt/secure private rec
    147 
    148     # We chown/chmod /cache again because mount is run as root + defaults
    149     chown system cache /cache
    150     chmod 0770 /cache
    151     # We restorecon /cache in case the cache partition has been reset.
    152     restorecon /cache
    153 
    154     # This may have been created by the recovery system with odd permissions
    155     chown system cache /cache/recovery
    156     chmod 0770 /cache/recovery
    157     # This may have been created by the recovery system with the wrong context.
    158     restorecon /cache/recovery
    159 
    160     #change permissions on vmallocinfo so we can grab it from bugreports
            # Resulting DAC on the kernel-information nodes in this run:
            #   vmallocinfo, slabinfo  0440 root:log     (read-only)
            #   kmsg                   0440 root:system  (read-only)
            #   sysrq-trigger          0220 root:system  (write-only)
            #   last_kmsg              0440 system:log   (read-only)
            # NOTE(review): group system gains write access to sysrq-trigger, and the
            # kernel log may carry addresses that kptr_restrict does not cover, so
            # membership of groups log and system matters here -- keep it small.
    161     chown root log /proc/vmallocinfo
    162     chmod 0440 /proc/vmallocinfo
    163 
    164     chown root log /proc/slabinfo
    165     chmod 0440 /proc/slabinfo
    166 
    167     #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    168     chown root system /proc/kmsg
    169     chmod 0440 /proc/kmsg
    170     chown root system /proc/sysrq-trigger
    171     chmod 0220 /proc/sysrq-trigger
    172     chown system log /proc/last_kmsg
    173     chmod 0440 /proc/last_kmsg
    174 
    175     # create the lost+found directories, so as to enforce our permissions
    176     mkdir /cache/lost+found 0770 root root
    177 
    178 on post-fs-data
    179     # We chown/chmod /data again because mount is run as root + defaults
    180     chown system system /data
    181     chmod 0771 /data
    182     # We restorecon /data in case the userdata partition has been reset.
    183     restorecon /data
    184 
    185     # Avoid predictable entropy pool. Carry over entropy from previous boot.
            # Writing to /dev/urandom only mixes the saved bytes into the pool; the
            # kernel does not credit them as entropy.
            # NOTE(review): the seed helps only if entropy.dat is unreadable by apps
            # and is rewritten after being used; neither is visible in this file --
            # confirm in whatever component owns /data/system.
    186     copy /data/system/entropy.dat /dev/urandom
    187 
    188     # Create dump dir and collect dumps.
    189     # Do this before we mount cache so eventually we can use cache for
    190     # storing dumps on platforms which do not have a dedicated dump partition.
    191     mkdir /data/dontpanic 0750 root log
    192 
    193     # Collect apanic data, free resources and re-arm trigger
    194     copy /proc/apanic_console /data/dontpanic/apanic_console
    195     chown root log /data/dontpanic/apanic_console
    196     chmod 0640 /data/dontpanic/apanic_console
    197 
    198     copy /proc/apanic_threads /data/dontpanic/apanic_threads
    199     chown root log /data/dontpanic/apanic_threads
    200     chmod 0640 /data/dontpanic/apanic_threads
    201 
    202     write /proc/apanic_console 1
    203 
    204     # create basic filesystem structure
            # Mode notes for the mkdir lines below (mkdir <path> <mode> <owner> <group>):
            #   01771 on /data/misc sets the sticky bit: an entry can be removed only
            #         by its owner, the directory owner or root.
            #   02750 on /data/misc/adb sets setgid: new entries inherit group shell.
            #   0700  on keystore, systemkeys, media, app-asec, property and ssh/empty
            #         is owner-only access.
    205     mkdir /data/misc 01771 system misc
    206     mkdir /data/misc/adb 02750 system shell
    207     mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    208     mkdir /data/misc/bluetooth 0770 system system
    209     mkdir /data/misc/keystore 0700 keystore keystore
    210     mkdir /data/misc/keychain 0771 system system
    211     mkdir /data/misc/radio 0770 system radio
    212     mkdir /data/misc/sms 0770 system radio
    213     mkdir /data/misc/zoneinfo 0775 system system
    214     mkdir /data/misc/vpn 0770 system vpn
    215     mkdir /data/misc/systemkeys 0700 system system
    216     # give system access to wpa_supplicant.conf for backup and restore
    217     mkdir /data/misc/wifi 0770 wifi wifi
    218     chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    219     mkdir /data/local 0751 root root
    220     mkdir /data/misc/media 0700 media media
    221 
    222     # For security reasons, /data/local/tmp should always be empty.
    223     # Do not place files or directories in /data/local/tmp
            # (0771 shell:shell: uid and gid shell can create entries here; everyone
            # else can traverse the directory but not list or write it.)
    224     mkdir /data/local/tmp 0771 shell shell
    225     mkdir /data/data 0771 system system
    226     mkdir /data/app-private 0771 system system
    227     mkdir /data/app-asec 0700 root root
    228     mkdir /data/app-lib 0771 system system
    229     mkdir /data/app 0771 system system
    230     mkdir /data/property 0700 root root
    231     mkdir /data/ssh 0750 root shell
    232     mkdir /data/ssh/empty 0700 root root
    233 
    234     # create dalvik-cache, so as to enforce our permissions
    235     mkdir /data/dalvik-cache 0771 system system
    236 
    237     # create resource-cache and double-check the perms
    238     mkdir /data/resource-cache 0771 system system
    239     chown system system /data/resource-cache
    240     chmod 0771 /data/resource-cache
    241 
    242     # create the lost+found directories, so as to enforce our permissions
    243     mkdir /data/lost+found 0770 root root
    244 
    245     # create directory for DRM plug-ins - give drm the read/write access to
    246     # the following directory.
    247     mkdir /data/drm 0770 drm drm
    248 
    249     # create directory for MediaDrm plug-ins - give drm the read/write access to
    250     # the following directory.
    251     mkdir /data/mediadrm 0770 mediadrm mediadrm
    252 
    253     # symlink to bugreport storage location
    254     symlink /data/data/com.android.shell/files/bugreports /data/bugreports
    255 
    256     # Separate location for storing security policy files on data
    257     mkdir /data/security 0711 system system
    258 
    259     # If there is no post-fs-data action in the init.<device>.rc file, you
    260     # must uncomment this line, otherwise encrypted filesystems
    261     # won't work.
    262     # Set indication (checked by vold) that we have finished this action
    263     #setprop vold.post_fs_data_done 1
    264 
    265 on boot
    266 # basic network init
    267     ifup lo
    268     hostname localhost
    269     domainname localdomain
    270 
    271 # set RLIMIT_NICE to allow priorities from 19 to -20
    272     setrlimit 13 40 40
    273 
    274 # Memory management.  Basic kernel parameters, and allow the high
    275 # level system server to be able to adjust the kernel OOM driver
    276 # parameters to match how it is managing things.
    277     write /proc/sys/vm/overcommit_memory 1
    278     write /proc/sys/vm/min_free_order_shift 4
    279     chown root system /sys/module/lowmemorykiller/parameters/adj
    280     chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    281     chown root system /sys/module/lowmemorykiller/parameters/minfree
    282     chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
    283 
    284     # Tweak background writeout
    285     write /proc/sys/vm/dirty_expire_centisecs 200
    286     write /proc/sys/vm/dirty_background_ratio  5
    287 
    288     # Permissions for System Server and daemons.
    289     chown radio system /sys/android_power/state
    290     chown radio system /sys/android_power/request_state
    291     chown radio system /sys/android_power/acquire_full_wake_lock
    292     chown radio system /sys/android_power/acquire_partial_wake_lock
    293     chown radio system /sys/android_power/release_wake_lock
    294     chown system system /sys/power/autosleep
    295     chown system system /sys/power/state
    296     chown system system /sys/power/wakeup_count
    297     chown radio system /sys/power/wake_lock
    298     chown radio system /sys/power/wake_unlock
    299     chmod 0660 /sys/power/state
    300     chmod 0660 /sys/power/wake_lock
    301     chmod 0660 /sys/power/wake_unlock
    302 
    303     chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    304     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    305     chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    306     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    307     chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    308     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    309     chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    310     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    311     chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    312     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    313     chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    314     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    315     chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    316     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    317     chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    318     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    319     chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    320     chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    321     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    322     chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    323     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    324     chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    325     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    326 
    327     # Assume SMP uses shared cpufreq policy for all CPUs
    328     chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    329     chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    330 
    331     chown system system /sys/class/timed_output/vibrator/enable
    332     chown system system /sys/class/leds/keyboard-backlight/brightness
    333     chown system system /sys/class/leds/lcd-backlight/brightness
    334     chown system system /sys/class/leds/button-backlight/brightness
    335     chown system system /sys/class/leds/jogball-backlight/brightness
    336     chown system system /sys/class/leds/red/brightness
    337     chown system system /sys/class/leds/green/brightness
    338     chown system system /sys/class/leds/blue/brightness
    339     chown system system /sys/class/leds/red/device/grpfreq
    340     chown system system /sys/class/leds/red/device/grppwm
    341     chown system system /sys/class/leds/red/device/blink
    342     chown system system /sys/class/timed_output/vibrator/enable
    343     chown system system /sys/module/sco/parameters/disable_esco
    344     chown system system /sys/kernel/ipv4/tcp_wmem_min
    345     chown system system /sys/kernel/ipv4/tcp_wmem_def
    346     chown system system /sys/kernel/ipv4/tcp_wmem_max
    347     chown system system /sys/kernel/ipv4/tcp_rmem_min
    348     chown system system /sys/kernel/ipv4/tcp_rmem_def
    349     chown system system /sys/kernel/ipv4/tcp_rmem_max
    350     chown root radio /proc/cmdline
    351 
    352 # Set these so we can remotely update SELinux policy
            # NOTE(review): this hands DAC ownership of the policy-load and
            # enforcing-mode nodes to uid system. Whether a system-uid process can
            # actually load a policy or switch to permissive is then decided by the
            # SELinux policy itself (not visible here) -- confirm that only the
            # intended domain holds those permissions.
    353     chown system system /sys/fs/selinux/load
    354     chown system system /sys/fs/selinux/enforce
    355 
    356 # Define TCP buffer sizes for various networks
    357 #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    358     setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    359     setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    360     setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    361     setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    362     setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    363     setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    364     setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    365     setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    366     setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    367     setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    368     setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
    369 
    370     class_start core
    371     class_start main
    372 
    373 on nonencrypted
    374     class_start late_start
    375 
    376 on charger
    377     class_start charger
    378 
    379 on property:vold.decrypt=trigger_reset_main
    380     class_reset main
    381 
    382 on property:vold.decrypt=trigger_load_persist_props
    383     load_persist_props
    384 
    385 on property:vold.decrypt=trigger_post_fs_data
    386     trigger post-fs-data
    387 
    388 on property:vold.decrypt=trigger_restart_min_framework
    389     class_start main
    390 
    391 on property:vold.decrypt=trigger_restart_framework
    392     class_start main
    393     class_start late_start
    394 
    395 on property:vold.decrypt=trigger_shutdown_framework
    396     class_reset late_start
    397     class_reset main
    398 
    399 on property:sys.powerctl=*
    400     powerctl ${sys.powerctl}
    401 
    402 # system server cannot write to /proc/sys files, so proxy it through init
            # The trigger fires for any value ("=*"), and init writes that value
            # unchanged to this one fixed /proc/sys path.
            # NOTE(review): who may set sys.sysctl.* is decided by the property
            # service's permission table, which is not part of this file -- confirm
            # it is limited to the system server.
    403 on property:sys.sysctl.extra_free_kbytes=*
    404     write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
    405 
    406 ## Daemon processes to be run by init.
    407 ##
    408 service ueventd /sbin/ueventd
    409     class core
    410     critical
    411     seclabel u:r:ueventd:s0
    412 
    413 service healthd /sbin/healthd
    414     class core
    415     critical
    416     seclabel u:r:healthd:s0
    417 
    418 service healthd-charger /sbin/healthd -n
    419     class charger
    420     critical
    421     seclabel u:r:healthd:s0
    422 
    423 on property:selinux.reload_policy=1
    424     restart ueventd
    425     restart installd
    426 
    427 service console /system/bin/sh
            # Shell attached to the console, running as uid shell with supplementary
            # group log. "disabled" keeps it out of class_start core; the only start in
            # this file is the ro.debuggable=1 trigger below. Imported .rc files could
            # start it as well -- check them before assuming it is debug-only.
    428     class core
    429     console
    430     disabled
    431     user shell
    432     group log
    433 
    434 on property:ro.debuggable=1
    435     start console
    436 
    437 # adbd is controlled via property triggers in init.<platform>.usb.rc
            # No "user" line: init starts adbd as root, and any privilege drop is left
            # to adbd itself (not visible here -- confirm). The service is "disabled",
            # so it runs only when a trigger starts it; the one in this file fires
            # only when ro.kernel.qemu=1. The control socket is 660 system:system.
    438 service adbd /sbin/adbd
    439     class core
    440     socket adbd stream 660 system system
    441     disabled
    442     seclabel u:r:adbd:s0
    443 
    444 # adbd on at boot in emulator
    445 on property:ro.kernel.qemu=1
    446     start adbd
    447 
    448 service servicemanager /system/bin/servicemanager
    449     class core
    450     user system
    451     group system
    452     critical
    453     onrestart restart healthd
    454     onrestart restart zygote
    455     onrestart restart media
    456     onrestart restart surfaceflinger
    457     onrestart restart drm
    458 
    459 service vold /system/bin/vold
    460     class core
    461     socket vold stream 0660 root mount
    462     ioprio be 2
    463 
    464 service netd /system/bin/netd
    465     class main
    466     socket netd stream 0660 root system
    467     socket dnsproxyd stream 0660 root inet
    468     socket mdns stream 0660 root system
    469 
    470 service debuggerd /system/bin/debuggerd
    471     class main
    472 
    473 service ril-daemon /system/bin/rild
    474     class main
    475     socket rild stream 660 root radio
    476     socket rild-debug stream 660 radio system
    477     user root
    478     group radio cache inet misc audio log
    479 
    480 service surfaceflinger /system/bin/surfaceflinger
    481     class main
    482     user system
    483     group graphics drmrpc
    484     onrestart restart zygote
    485 
    486 service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    487     class main
    488     socket zygote stream 660 root system
    489     onrestart write /sys/android_power/request_state wake
    490     onrestart write /sys/power/state on
    491     onrestart restart media
    492     onrestart restart netd
    493 
    494 service drm /system/bin/drmserver
    495     class main
    496     user drm
    497     group drm system inet drmrpc
    498 
    499 service media /system/bin/mediaserver
    500     class main
    501     user media
    502     group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    503     ioprio rt 4
    504 
    505 service bootanim /system/bin/bootanimation
    506     class main
    507     user graphics
    508     group graphics
    509     disabled
    510     oneshot
    511 
    512 service installd /system/bin/installd
            # No "user" line, so init starts installd as root. Its control socket is
            # 600 system:system: only uid system (and root) can connect, which makes
            # that socket the boundary for everything installd does on a caller's behalf.
    513     class main
    514     socket installd stream 600 system system
    515 
    516 service flash_recovery /system/etc/install-recovery.sh
            # Started once per boot with class main ("oneshot": not restarted on exit).
            # With no "user" line the script runs as root, and with no "seclabel" line
            # its SELinux domain depends on policy transitions that are not shown here.
            # NOTE(review): its integrity rests on whatever protects /system from
            # modification; worth including this path in file-integrity monitoring.
    517     class main
    518     oneshot
    519 
    520 service racoon /system/bin/racoon
    521     class main
    522     socket racoon stream 600 system system
    523     # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    524     group vpn net_admin inet
    525     disabled
    526     oneshot
    527 
    528 service mtpd /system/bin/mtpd
    529     class main
    530     socket mtpd stream 600 system system
    531     user vpn
    532     group vpn net_admin inet net_raw
    533     disabled
    534     oneshot
    535 
    536 service keystore /system/bin/keystore /data/misc/keystore
    537     class main
    538     user keystore
    539     group keystore drmrpc
    540 
    541 service dumpstate /system/bin/dumpstate -s
    542     class main
    543     socket dumpstate stream 0660 shell log
    544     disabled
    545     oneshot
    546 
    547 service sshd /system/bin/start-ssh
    548     class main
    549     disabled
    550 
    551 service mdnsd /system/bin/mdnsd
    552     class main
    553     user mdnsr
    554     group inet net_raw
    555     socket mdnsd stream 0660 mdnsr inet
    556     disabled
    557     oneshot
    558