      1 # Copyright (C) 2012 The Android Open Source Project
      2 #
      3 # IMPORTANT: Do not create world writable files or directories.
      4 # This is a common source of Android security bugs.
      5 #
      6 
      7 import /init.environ.rc
      8 import /init.usb.rc
      9 import /init.${ro.hardware}.rc
     10 import /init.trace.rc
     11 
     12 on early-init
            # First action defined in this file: lower init's OOM-kill priority,
            # move init into its SELinux domain, then start ueventd.
     13     # Set init and its forked children's oom_adj.
     14     write /proc/1/oom_adj -16
     15 
     16     # Set the security context for the init process.
     17     # This should occur before anything else (e.g. ueventd) is started.
     18     setcon u:r:init:s0
     19 
     20     start ueventd
     21 
     22 # create mountpoints
     23     mkdir /mnt 0775 root system
     24 
     25 on init
            # Builds the base directory, tmpfs and cgroup layout, sets kernel
            # tunables, and assigns ownership/modes on selected /dev, /proc and
            # /sys nodes. Commands run in the order written.
     26 
     27 sysclktz 0
     28 
     29 loglevel 3
     30 
     31 # Backward compatibility
     32     symlink /system/etc /etc
     33     symlink /sys/kernel/debug /d
     34 
     35 # Right now vendor lives on the same filesystem as system,
     36 # but someday that may change.
     37     symlink /system/vendor /vendor
     38 
     39 # Create cgroup mount point for cpu accounting
     40     mkdir /acct
     41     mount cgroup none /acct cpuacct
     42     mkdir /acct/uid
     43 
     44 # Create cgroup mount point for memory
        # The tmpfs and both memory cgroups are root:system (gid=1000 in the mount
        # options, "system" in the mkdir/chown lines) with no access for other uids.
     45     mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
     46     mkdir /sys/fs/cgroup/memory 0750 root system
     47     mount cgroup none /sys/fs/cgroup/memory memory
     48     write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
     49     chown root system /sys/fs/cgroup/memory/tasks
     50     chmod 0660 /sys/fs/cgroup/memory/tasks
     51     mkdir /sys/fs/cgroup/memory/sw 0750 root system
     52     write /sys/fs/cgroup/memory/sw/memory.swappiness 100
     53     write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
     54     chown root system /sys/fs/cgroup/memory/sw/tasks
     55     chmod 0660 /sys/fs/cgroup/memory/sw/tasks
     56 
     57     mkdir /system
     58     mkdir /data 0771 system system
     59     mkdir /cache 0770 system cache
     60     mkdir /config 0500 root root
     61 
     62     # See storage config details at http://source.android.com/tech/storage/
     63     mkdir /mnt/shell 0700 shell shell
     64     mkdir /mnt/media_rw 0700 media_rw media_rw
     65     mkdir /storage 0751 root sdcard_r
     66 
     67     # Directory for putting things only root should see.
     68     mkdir /mnt/secure 0700 root root
     69 
     70     # Directory for staging bindmounts
     71     mkdir /mnt/secure/staging 0700 root root
     72 
     73     # Directory-target for where the secure container
     74     # imagefile directory will be bind-mounted
     75     mkdir /mnt/secure/asec  0700 root root
     76 
     77     # Secure container public mount points.
            # The tmpfs mounted on top carries its own mode (0755, gid 1000), which
            # is what applies once the mount is in place, not the 0700 of the mkdir.
     78     mkdir /mnt/asec  0700 root system
     79     mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
     80 
     81     # Filesystem image public mount points.
     82     mkdir /mnt/obb 0700 root system
     83     mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
     84 
            # Kernel tunables. The security-relevant ones in this run:
            #   panic_on_oops 1      - an oops becomes a panic instead of continuing
            #   randomize_va_space 2 - full ASLR (stack, mmap, VDSO and brk heap)
            #   kptr_restrict 2      - pointers printed with %pK are hidden from all users
            #   dmesg_restrict 1     - reading the kernel log requires CAP_SYSLOG
            #   mmap_min_addr 32768  - unprivileged mappings below 32 KiB are refused
            #   ping_group_range     - every gid may open unprivileged ICMP ping sockets
     85     write /proc/sys/kernel/panic_on_oops 1
     86     write /proc/sys/kernel/hung_task_timeout_secs 0
     87     write /proc/cpu/alignment 4
     88     write /proc/sys/kernel/sched_latency_ns 10000000
     89     write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
     90     write /proc/sys/kernel/sched_compat_yield 1
     91     write /proc/sys/kernel/sched_child_runs_first 0
     92     write /proc/sys/kernel/randomize_va_space 2
     93     write /proc/sys/kernel/kptr_restrict 2
     94     write /proc/sys/kernel/dmesg_restrict 1
     95     write /proc/sys/vm/mmap_min_addr 32768
     96     write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
     97     write /proc/sys/kernel/sched_rt_runtime_us 950000
     98     write /proc/sys/kernel/sched_rt_period_us 1000000
     99 
    100 # Create cgroup mount points for process groups
    101     mkdir /dev/cpuctl
    102     mount cgroup none /dev/cpuctl cpu
    103     chown system system /dev/cpuctl
    104     chown system system /dev/cpuctl/tasks
    105     chmod 0660 /dev/cpuctl/tasks
    106     write /dev/cpuctl/cpu.shares 1024
    107     write /dev/cpuctl/cpu.rt_runtime_us 950000
    108     write /dev/cpuctl/cpu.rt_period_us 1000000
    109 
    110     mkdir /dev/cpuctl/apps
    111     chown system system /dev/cpuctl/apps/tasks
            # NOTE(review): 0666 lets every uid open this tasks file for writing,
            # unlike the 0660 root-level tasks file above. That is at odds with the
            # "no world writable files" rule in the file header - confirm it is
            # intentional and that the kernel's own attach checks are the control.
    112     chmod 0666 /dev/cpuctl/apps/tasks
    113     write /dev/cpuctl/apps/cpu.shares 1024
    114     write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    115     write /dev/cpuctl/apps/cpu.rt_period_us 1000000
    116 
    117     mkdir /dev/cpuctl/apps/bg_non_interactive
    118     chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
            # NOTE(review): world-writable as well; same question as apps/tasks.
    119     chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    120     # 5.0 %
    121     write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    122     write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    123     write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
    124 
    125 # qtaguid will limit access to specific data based on group memberships.
    126 #   net_bw_acct grants impersonation of socket owners.
    127 #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    128     chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    129     chown root net_bw_stats /proc/net/xt_qtaguid/stats
    130 
    131 # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    132 # This is needed by any process that uses socket tagging.
    133     chmod 0644 /dev/xt_qtaguid
    134 
    135 # Create location for fs_mgr to store abbreviated output from filesystem
    136 # checker programs.
    137     mkdir /dev/fscklogs 0770 root system
    138 
    139 # pstore/ramoops previous console log
        # The previous boot's console log is readable only by uid system and
        # group log (0440).
    140     mount pstore pstore /sys/fs/pstore
    141     chown system log /sys/fs/pstore/console-ramoops
    142     chmod 0440 /sys/fs/pstore/console-ramoops
    143 
    144 on post-fs
            # Locks down / and re-applies owner, mode and SELinux label on /cache,
            # then restricts a set of diagnostic /proc nodes to the log and system
            # groups.
    145     # once everything is setup, no need to modify /
    146     mount rootfs rootfs / ro remount
    147     # mount shared so changes propagate into child namespaces
    148     mount rootfs rootfs / shared rec
    149 
    150     # We chown/chmod /cache again because mount is run as root + defaults
    151     chown system cache /cache
    152     chmod 0770 /cache
    153     # We restorecon /cache in case the cache partition has been reset.
    154     restorecon /cache
    155 
    156     # This may have been created by the recovery system with odd permissions
    157     chown system cache /cache/recovery
    158     chmod 0770 /cache/recovery
    159     # This may have been created by the recovery system with the wrong context.
    160     restorecon /cache/recovery
    161 
    162     # change permissions on vmallocinfo so bugreports can grab it
            # (0440 root:log - no access for uids outside the log group)
    163     chown root log /proc/vmallocinfo
    164     chmod 0440 /proc/vmallocinfo
    165 
    166     chown root log /proc/slabinfo
    167     chmod 0440 /proc/slabinfo
    168 
    169     # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
            # kmsg and last_kmsg are read-only (0440); sysrq-trigger is write-only
            # (0220) for root and group system, with no access for other uids.
    170     chown root system /proc/kmsg
    171     chmod 0440 /proc/kmsg
    172     chown root system /proc/sysrq-trigger
    173     chmod 0220 /proc/sysrq-trigger
    174     chown system log /proc/last_kmsg
    175     chmod 0440 /proc/last_kmsg
    176 
    177     # create the lost+found directories, so as to enforce our permissions
    178     mkdir /cache/lost+found 0770 root root
    179 
    180 on post-fs-data
            # Runs once /data is available: re-applies owner, mode and label on
            # /data, seeds the entropy pool, collects panic dumps, and creates the
            # per-subsystem directory tree with explicit owner/group/mode.
    181     # We chown/chmod /data again because mount is run as root + defaults
    182     chown system system /data
    183     chmod 0771 /data
    184     # We restorecon /data in case the userdata partition has been reset.
    185     restorecon /data
    186 
    187     # Avoid predictable entropy pool. Carry over entropy from previous boot.
    188     copy /data/system/entropy.dat /dev/urandom
    189 
    190     # Create dump dir and collect dumps.
    191     # Do this before we mount cache so eventually we can use cache for
    192     # storing dumps on platforms which do not have a dedicated dump partition.
    193     mkdir /data/dontpanic 0750 root log
    194 
    195     # Collect apanic data, free resources and re-arm trigger
    196     copy /proc/apanic_console /data/dontpanic/apanic_console
    197     chown root log /data/dontpanic/apanic_console
    198     chmod 0640 /data/dontpanic/apanic_console
    199 
    200     copy /proc/apanic_threads /data/dontpanic/apanic_threads
    201     chown root log /data/dontpanic/apanic_threads
    202     chmod 0640 /data/dontpanic/apanic_threads
    203 
    204     write /proc/apanic_console 1
    205 
    206     # create basic filesystem structure
            # Leading mode digits: 01771 sets the sticky bit (entries can be removed
            # only by their owner, the directory owner or root); 02750 sets setgid
            # (new entries inherit the directory's group, here shell).
            # Key material directories (keystore, systemkeys) are 0700.
    207     mkdir /data/misc 01771 system misc
    208     mkdir /data/misc/adb 02750 system shell
    209     mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    210     mkdir /data/misc/bluetooth 0770 system system
    211     mkdir /data/misc/keystore 0700 keystore keystore
    212     mkdir /data/misc/keychain 0771 system system
    213     mkdir /data/misc/radio 0770 system radio
    214     mkdir /data/misc/sms 0770 system radio
    215     mkdir /data/misc/zoneinfo 0775 system system
    216     mkdir /data/misc/vpn 0770 system vpn
    217     mkdir /data/misc/systemkeys 0700 system system
    218     # give system access to wpa_supplicant.conf for backup and restore
    219     mkdir /data/misc/wifi 0770 wifi wifi
    220     chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    221     mkdir /data/local 0751 root root
    222     mkdir /data/misc/media 0700 media media
    223 
    224     # For security reasons, /data/local/tmp should always be empty.
    225     # Do not place files or directories in /data/local/tmp
    226     mkdir /data/local/tmp 0771 shell shell
    227     mkdir /data/data 0771 system system
    228     mkdir /data/app-private 0771 system system
    229     mkdir /data/app-asec 0700 root root
    230     mkdir /data/app-lib 0771 system system
    231     mkdir /data/app 0771 system system
    232     mkdir /data/property 0700 root root
    233     mkdir /data/ssh 0750 root shell
    234     mkdir /data/ssh/empty 0700 root root
    235 
    236     # create dalvik-cache, so as to enforce our permissions
    237     mkdir /data/dalvik-cache 0771 system system
    238 
    239     # create resource-cache and double-check the perms
    240     mkdir /data/resource-cache 0771 system system
    241     chown system system /data/resource-cache
    242     chmod 0771 /data/resource-cache
    243 
    244     # create the lost+found directories, so as to enforce our permissions
    245     mkdir /data/lost+found 0770 root root
    246 
    247     # create directory for DRM plug-ins - give drm the read/write access to
    248     # the following directory.
    249     mkdir /data/drm 0770 drm drm
    250 
    251     # create directory for MediaDrm plug-ins - give drm the read/write access to
    252     # the following directory.
    253     mkdir /data/mediadrm 0770 mediadrm mediadrm
    254 
    255     # symlink to bugreport storage location
    256     symlink /data/data/com.android.shell/files/bugreports /data/bugreports
    257 
    258     # Separate location for storing security policy files on data
            # 0711: other uids can traverse the directory but cannot list it.
    259     mkdir /data/security 0711 system system
    260 
    261     # If there is no post-fs-data action in the init.<device>.rc file, you
    262     # must uncomment this line, otherwise encrypted filesystems
    263     # won't work.
    264     # Set indication (checked by vold) that we have finished this action
    265     #setprop vold.post_fs_data_done 1
    266 
    267 on boot
            # Network basics, memory and TCP tunables, ownership of the sysfs nodes
            # that system-uid and radio-uid processes write, then start of the core
            # and main service classes.
    268 # basic network init
    269     ifup lo
    270     hostname localhost
    271     domainname localdomain
    272 
    273 # set RLIMIT_NICE to allow priorities from 19 to -20
    274     setrlimit 13 40 40
    275 
    276 # Memory management.  Basic kernel parameters, and allow the high
    277 # level system server to be able to adjust the kernel OOM driver
    278 # parameters to match how it is managing things.
    279     write /proc/sys/vm/overcommit_memory 1
    280     write /proc/sys/vm/min_free_order_shift 4
    281     chown root system /sys/module/lowmemorykiller/parameters/adj
    282     chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    283     chown root system /sys/module/lowmemorykiller/parameters/minfree
    284     chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
    285 
    286     # Tweak background writeout
    287     write /proc/sys/vm/dirty_expire_centisecs 200
    288     write /proc/sys/vm/dirty_background_ratio  5
    289 
    290     # Permissions for System Server and daemons.
            # Power-state and wake-lock nodes go to radio:system or system:system;
            # the three chmod 0660 lines remove access for every other uid.
    291     chown radio system /sys/android_power/state
    292     chown radio system /sys/android_power/request_state
    293     chown radio system /sys/android_power/acquire_full_wake_lock
    294     chown radio system /sys/android_power/acquire_partial_wake_lock
    295     chown radio system /sys/android_power/release_wake_lock
    296     chown system system /sys/power/autosleep
    297     chown system system /sys/power/state
    298     chown system system /sys/power/wakeup_count
    299     chown radio system /sys/power/wake_lock
    300     chown radio system /sys/power/wake_unlock
    301     chmod 0660 /sys/power/state
    302     chmod 0660 /sys/power/wake_lock
    303     chmod 0660 /sys/power/wake_unlock
    304 
            # cpufreq "interactive" governor tunables: owned by system and 0660.
            # boostpulse is the one node here that gets a chown but no chmod.
    305     chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    306     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    307     chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    308     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    309     chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    310     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    311     chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    312     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    313     chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    314     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    315     chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    316     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    317     chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    318     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    319     chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    320     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    321     chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    322     chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    323     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    324     chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    325     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    326     chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    327     chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    328 
    329     # Assume SMP uses shared cpufreq policy for all CPUs
    330     chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    331     chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    332 
    333     chown system system /sys/class/timed_output/vibrator/enable
    334     chown system system /sys/class/leds/keyboard-backlight/brightness
    335     chown system system /sys/class/leds/lcd-backlight/brightness
    336     chown system system /sys/class/leds/button-backlight/brightness
    337     chown system system /sys/class/leds/jogball-backlight/brightness
    338     chown system system /sys/class/leds/red/brightness
    339     chown system system /sys/class/leds/green/brightness
    340     chown system system /sys/class/leds/blue/brightness
    341     chown system system /sys/class/leds/red/device/grpfreq
    342     chown system system /sys/class/leds/red/device/grppwm
    343     chown system system /sys/class/leds/red/device/blink
            # (repeats the vibrator chown from the top of this group)
    344     chown system system /sys/class/timed_output/vibrator/enable
    345     chown system system /sys/module/sco/parameters/disable_esco
    346     chown system system /sys/kernel/ipv4/tcp_wmem_min
    347     chown system system /sys/kernel/ipv4/tcp_wmem_def
    348     chown system system /sys/kernel/ipv4/tcp_wmem_max
    349     chown system system /sys/kernel/ipv4/tcp_rmem_min
    350     chown system system /sys/kernel/ipv4/tcp_rmem_def
    351     chown system system /sys/kernel/ipv4/tcp_rmem_max
    352     chown root radio /proc/cmdline
    353 
    354 # Set these so we can remotely update SELinux policy
        # NOTE(review): this makes uid system the owner of the policy-load and
        # enforce nodes. Whether a system-uid process can actually write them then
        # depends on the loaded SELinux policy, which is not in this file - confirm
        # which domain is meant to hold that permission.
    355     chown system system /sys/fs/selinux/load
    356     chown system system /sys/fs/selinux/enforce
    357 
    358 # Define TCP buffer sizes for various networks
    359 #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    360     setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    361     setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    362     setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    363     setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    364     setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    365     setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    366     setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    367     setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    368     setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    369     setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    370     setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
    371 
    372 # Define default initial receive window size in segments.
    373     setprop net.tcp.default_init_rwnd 60
    374 
    375     class_start core
    376     class_start main
    377 
    378 on nonencrypted
            # Starts the late_start class; the "nonencrypted" trigger itself is
            # raised outside this file.
    379     class_start late_start
    380 
    381 on charger
            # Starts only the charger class (healthd-charger in this file).
    382     class_start charger
    383 
    384 on property:vold.decrypt=trigger_reset_main
            # This and the following vold.decrypt actions start or reset service
            # classes, reload persistent properties or re-run post-fs-data when the
            # property takes the named value. The property's writer is not visible
            # in this file (vold, going by the name).
    385     class_reset main
    386 
    387 on property:vold.decrypt=trigger_load_persist_props
    388     load_persist_props
    389 
    390 on property:vold.decrypt=trigger_post_fs_data
    391     trigger post-fs-data
    392 
    393 on property:vold.decrypt=trigger_restart_min_framework
    394     class_start main
    395 
    396 on property:vold.decrypt=trigger_restart_framework
    397     class_start main
    398     class_start late_start
    399 
    400 on property:vold.decrypt=trigger_shutdown_framework
    401     class_reset late_start
    402     class_reset main
    403 
    404 on property:sys.powerctl=*
            # Any value written to sys.powerctl is handed to init's powerctl
            # command. Who may set the property is decided by the property
            # service's permission rules, which are not part of this file.
    405     powerctl ${sys.powerctl}
    406 
    407 # system server cannot write to /proc/sys files,
    408 # and chown/chmod does not work for /proc/sys/ entries.
    409 # So proxy writes through init.
        # NOTE(review): the property value is written to the sysctl as-is, so the
        # permission to set sys.sysctl.* is the only gate on these two kernel
        # settings; that permission rule is not in this file.
    410 on property:sys.sysctl.extra_free_kbytes=*
    411     write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
    412 # The property is abbreviated because "tcp_default_init_rwnd" is too long
        # (presumably for the property-name length limit).
    413 on property:sys.sysctl.tcp_def_init_rwnd=*
    414     write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
    415 
    416 
    417 ## Daemon processes to be run by init.
    418 ##
    419 service ueventd /sbin/ueventd
            # No `user` option: the service keeps init's uid (root). `seclabel`
            # switches it into the ueventd SELinux domain before exec; `critical`
            # makes init reboot the device if the service keeps exiting.
    420     class core
    421     critical
    422     seclabel u:r:ueventd:s0
    423 
    424 service healthd /sbin/healthd
            # Core-class, critical service with no `user` option (keeps root),
            # confined to the healthd SELinux domain by `seclabel`.
    425     class core
    426     critical
    427     seclabel u:r:healthd:s0
    428 
    429 service healthd-charger /sbin/healthd -n
            # Same binary and SELinux domain as healthd, started with -n and placed
            # in the charger class, so it runs only when that class is started.
    430     class charger
    431     critical
    432     seclabel u:r:healthd:s0
    433 
    434 on property:selinux.reload_policy=1
            # Restarts ueventd and installd when the property becomes 1; the policy
            # reload itself is not performed by these two commands.
    435     restart ueventd
    436     restart installd
    437 
    438 service console /system/bin/sh
            # Interactive shell on the console device, running as uid shell with the
            # log group. `disabled` keeps it off unless something starts it by name;
            # in this file that is only the ro.debuggable=1 action. No `seclabel`
            # is set here.
    439     class core
    440     console
    441     disabled
    442     user shell
    443     group log
    444 
    445 on property:ro.debuggable=1
            # Debuggable builds get the console shell; builds where ro.debuggable
            # is not 1 never start it from this file.
    446     start console
    447 
    448 # adbd is controlled via property triggers in init.<platform>.usb.rc
    449 service adbd /sbin/adbd
            # `disabled`: never started by class_start, only by an explicit start.
            # No `user` option, so it is launched with init's uid (root) inside the
            # adbd SELinux domain; any later privilege drop is adbd's own logic and
            # is not visible here. The control socket is 660 system:system.
    450     class core
    451     socket adbd stream 660 system system
    452     disabled
    453     seclabel u:r:adbd:s0
    454 
    455 # adbd on at boot in emulator
        # Starts adbd directly when ro.kernel.qemu is 1, independent of the USB
        # property triggers that control it elsewhere.
    456 on property:ro.kernel.qemu=1
    457     start adbd
    458 
    459 service servicemanager /system/bin/servicemanager
            # Runs as system:system and is `critical`. When it restarts, init also
            # restarts the five services listed in the onrestart lines.
    460     class core
    461     user system
    462     group system
    463     critical
    464     onrestart restart healthd
    465     onrestart restart zygote
    466     onrestart restart media
    467     onrestart restart surfaceflinger
    468     onrestart restart drm
    469 
    470 service vold /system/bin/vold
            # No `user` option: keeps init's uid (root). Its control socket is
            # 0660 root:mount, so only root and the mount group can connect.
    471     class core
    472     socket vold stream 0660 root mount
    473     ioprio be 2
    474 
    475 service netd /system/bin/netd
            # No `user` option: keeps init's uid (root). The netd and mdns sockets
            # are limited to root and group system; dnsproxyd is open to group
            # inet instead.
    476     class main
    477     socket netd stream 0660 root system
    478     socket dnsproxyd stream 0660 root inet
    479     socket mdns stream 0660 root system
    480 
    481 service debuggerd /system/bin/debuggerd
            # No `user`, `group` or `seclabel` option: started with init's uid
            # (root) and whatever SELinux context the exec transition yields.
    482     class main
    483 
    484 service ril-daemon /system/bin/rild
            # Explicitly runs as root with six supplementary groups. The rild socket
            # is for root and group radio; rild-debug is owned by radio with group
            # system.
    485     class main
    486     socket rild stream 660 root radio
    487     socket rild-debug stream 660 radio system
    488     user root
    489     group radio cache inet misc audio log
    490 
    491 service surfaceflinger /system/bin/surfaceflinger
            # Runs as uid system with groups graphics and drmrpc; a restart of this
            # service also restarts zygote.
    492     class main
    493     user system
    494     group graphics drmrpc
    495     onrestart restart zygote
    496 
    497 service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
            # No `user` option: started with init's uid (root). The zygote socket
            # is 660 root:system, so only root and the system group can connect.
            # On restart init writes the two power-state nodes and restarts media
            # and netd.
    498     class main
    499     socket zygote stream 660 root system
    500     onrestart write /sys/android_power/request_state wake
    501     onrestart write /sys/power/state on
    502     onrestart restart media
    503     onrestart restart netd
    503     onrestart restart netd
    504 
    505 service drm /system/bin/drmserver
            # Runs as uid drm; supplementary groups include system and inet.
    506     class main
    507     user drm
    508     group drm system inet drmrpc
    509 
    510 service media /system/bin/mediaserver
            # Runs as uid media with a wide group set (audio, camera, network,
            # Bluetooth, bandwidth accounting, DRM) and real-time I/O priority.
    511     class main
    512     user media
    513     group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    514     ioprio rt 4
    515 
    516 service bootanim /system/bin/bootanimation
            # Runs as graphics:graphics. `disabled` plus `oneshot`: started only on
            # request and not restarted when it exits.
    517     class main
    518     user graphics
    519     group graphics
    520     disabled
    521     oneshot
    522 
    523 service installd /system/bin/installd
            # No `user` option: keeps init's uid (root). The socket is 600
            # system:system, so only uid system can send it requests.
    524     class main
    525     socket installd stream 600 system system
    526 
    527 service flash_recovery /system/etc/install-recovery.sh
            # Runs the script once per start of class main (`oneshot`), with init's
            # uid (root) since no `user` is given.
            # NOTE(review): a root-run script from /system on every boot; its safety
            # rests on /system being unmodifiable at runtime - confirm.
    528     class main
    529     oneshot
    530 
    531 service racoon /system/bin/racoon
            # No `user` option, so it starts with init's uid (root), which matches
            # the comment below about dropping to vpn after binding. `disabled` and
            # `oneshot`: started on request only. Socket is 600 system:system.
    532     class main
    533     socket racoon stream 600 system system
    534     # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    535     group vpn net_admin inet
    536     disabled
    537     oneshot
    538 
    539 service mtpd /system/bin/mtpd
            # Runs as uid vpn from the start, with groups vpn, net_admin, inet and
            # net_raw. `disabled` and `oneshot`. Socket is 600 system:system.
    540     class main
    541     socket mtpd stream 600 system system
    542     user vpn
    543     group vpn net_admin inet net_raw
    544     disabled
    545     oneshot
    546 
    547 service keystore /system/bin/keystore /data/misc/keystore
            # Runs as uid keystore and is given /data/misc/keystore as its argument;
            # post-fs-data creates that directory 0700 keystore:keystore.
    548     class main
    549     user keystore
    550     group keystore drmrpc
    551 
    552 service dumpstate /system/bin/dumpstate -s
            # No `user` option: keeps init's uid (root). `disabled` and `oneshot`.
            # The socket is 0660 shell:log, so uid shell and the log group can
            # connect to it.
    553     class main
    554     socket dumpstate stream 0660 shell log
    555     disabled
    556     oneshot
    557 
    558 service sshd /system/bin/start-ssh
            # `disabled`: nothing in this file starts it. No `user` option, so when
            # started it runs the start-ssh script with init's uid (root).
    559     class main
    560     disabled
    561 
    562 service mdnsd /system/bin/mdnsd
            # Runs as uid mdnsr with groups inet and net_raw. `disabled` and
            # `oneshot`. The socket is 0660 mdnsr:inet.
    563     class main
    564     user mdnsr
    565     group inet net_raw
    566     socket mdnsd stream 0660 mdnsr inet
    567     disabled
    568     oneshot
    569