# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Main Android init configuration. Each "on <trigger>" action runs its
# commands in the order listed, and "late-init" below fans out the fs /
# post-fs / post-fs-data / boot triggers in sequence, so the relative order
# of mkdir/chown/chmod/restorecon lines is load-bearing: a mount or
# restorecon that runs too early is silently undone by a later remount.

import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_score_adj -1000

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

    # create mountpoints
    mkdir /mnt 0775 root system

on init
    sysclktz 0

    loglevel 3

    # Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Right now vendor lives on the same filesystem as system,
    # but someday that may change.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel hardening / behaviour sysctls. These are set once here; the
    # matching proxy actions near the end of this file exist because system
    # server cannot write /proc/sys itself.
    # panic_on_oops: a kernel oops halts the device instead of limping on in
    # an unknown state.
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # randomize_va_space=2: full ASLR (stack, mmap base, VDSO and brk).
    write /proc/sys/kernel/randomize_va_space 2
    # kptr_restrict=2: kernel pointers in /proc and similar interfaces are
    # printed as zeros for every caller, including root.
    write /proc/sys/kernel/kptr_restrict 2
    # mmap_min_addr: lowest address a user process may map, so page zero can
    # never be mapped (NULL-dereference exploitation mitigation).
    write /proc/sys/vm/mmap_min_addr 32768
    # ping_group_range: every GID may open unprivileged ICMP echo sockets,
    # so ping does not need a setuid binary or CAP_NET_RAW.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # reflect fwmark from incoming packets onto generated replies
    write /proc/sys/net/ipv4/fwmark_reflect 1
    write /proc/sys/net/ipv6/fwmark_reflect 1

    # set fwmark on accepted sockets
    write /proc/sys/net/ipv4/tcp_fwmark_accept 1

    # Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    # NOTE(review): 0666 is world-writable, contrary to the warning in the
    # file header. Presumably intended so any process can move its own
    # threads between the cpu cgroups (the kernel still checks that the
    # writer may act on the pid it writes) -- confirm this is deliberate.
    chmod 0666 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 800000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/bg_non_interactive
    chown system system /dev/cpuctl/bg_non_interactive/tasks
    # NOTE(review): same world-writable tasks file as /dev/cpuctl/tasks above.
    chmod 0666 /dev/cpuctl/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    # net_bw_acct grants impersonation of socket owners.
    # net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log
    mount pstore pstore /sys/fs/pstore
    # The previous boot's console log can contain kernel addresses and
    # other sensitive state, so it is readable by system and the log group only.
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops

# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.
on property:sys.boot_from_charger_mode=1
    class_stop charger
    trigger late-init

# Load properties from /system/ + /factory after fs mount.
on load_all_props_action
    load_all_props

# Indicate to fw loaders that the relevant mounts are up.
on firmware_mounts_complete
    rm /dev/.booting

# Mount filesystems and start core system services.
on late-init
    trigger early-fs
    trigger fs
    trigger post-fs
    trigger post-fs-data

    # Load properties from /system/ + /factory after fs mount. Place
    # this in another action so that the load will be scheduled after the prior
    # issued fs triggers have completed.
    trigger load_all_props_action

    # Remove a file to wake up anything waiting for firmware.
    trigger firmware_mounts_complete

    trigger early-boot
    trigger boot


on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon_recursive /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery

    #change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    # 0220: sysrq-trigger is write-only, and only for root and the system group.
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # entropy.dat is written elsewhere (not in this file); the seeding only
    # helps if that file is not readable or predictable by untrusted code.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # 01771: sticky bit, so members of group misc can create entries here
    # but only remove or rename their own.
    mkdir /data/misc 01771 system misc
    # 02750: setgid, so files created here inherit group shell.
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # Private to the keystore user; the keystore service below runs as that
    # user and is pointed at this directory.
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/net 0750 root shell
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/ethernet 0770 system system
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    # give system access to wpa_supplicant.conf for backup and restore
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 root root
    mkdir /data/dalvik-cache/profiles 0711 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    mkdir /data/adb 0700 root root

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no fs-post-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management. Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    # 0220: system may tune the low-memory killer but nobody can read these back.
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): boostpulse gets a chown but, unlike its neighbours, no
    # chmod; it keeps whatever mode the kernel created it with.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    # (duplicate of the vibrator/enable chown above; harmless)
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core

on nonencrypted
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_default_encryption
    start defaultcrypto

on property:vold.decrypt=trigger_encryption
    start surfaceflinger
    start encrypt

on property:sys.init_log_level=*
    loglevel ${sys.init_log_level}

on charger
    class_start charger

on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Reboot/shutdown is requested by setting sys.powerctl; which processes may
# set that property is governed by property permissions outside this file.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

# "tcp_default_init_rwnd" Is too long!
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}


## Daemon processes to be run by init.
##
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

service logd /system/bin/logd
    class core
    # logd/logdr are world read-write; logdw is write-only (0222) so any
    # process can submit log lines but none can read them back through it.
    # Per-client access to what is read is presumably enforced inside logd,
    # not by these socket modes.
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
    seclabel u:r:logd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Console shell. Disabled here and only started on debuggable builds by the
# ro.debuggable=1 trigger below; it runs as the shell user, not root.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# --root_seclabel is the SELinux domain adbd uses when it runs as root.
# The control socket is system:system 0660, not reachable by other uids.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
    socket fwmarkd stream 0660 root inet

service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main

service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class core
    user system
    group graphics drmrpc
    onrestart restart zygote

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

# One shot invocation to deal with encrypted volume.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)

# One shot invocation to encrypt unencrypted volumes
service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption)

service bootanim /system/bin/bootanimation
    class core
    user graphics
    group graphics audio
    disabled
    oneshot

service installd /system/bin/installd
    class main
    # 600: only the system uid can talk to installd.
    socket installd stream 600 system system

service flash_recovery /system/bin/install-recovery.sh
    class main
    seclabel u:r:install_recovery:s0
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

# Runs as the dedicated keystore user against the 0700 keystore:keystore
# directory created in post-fs-data above.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot

service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot
