| # Copyright (C) 2012 The Android Open Source Project |
| # |
| # IMPORTANT: Do not create world writable files or directories. |
| # This is a common source of Android security bugs. |
| # |
| |
| import /init.environ.rc |
| import /init.usb.rc |
| import /init.${ro.hardware}.rc |
| import /init.${ro.zygote}.rc |
| import /init.trace.rc |
| |
| on early-init |
| # Set init and its forked children's oom_adj. |
| write /proc/1/oom_adj -16 |
| |
| # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. |
| write /sys/fs/selinux/checkreqprot 0 |
| |
| # Set the security context for the init process. |
| # This should occur before anything else (e.g. ueventd) is started. |
| setcon u:r:init:s0 |
| |
| # Set the security context of /adb_keys if present. |
| restorecon /adb_keys |
| |
| start ueventd |
| |
| # create mountpoints |
| mkdir /mnt 0775 root system |
| |
| on init |
| |
| sysclktz 0 |
| |
| loglevel 3 |
| |
| # Backward compatibility |
| symlink /system/etc /etc |
| symlink /sys/kernel/debug /d |
| |
| # Right now vendor lives on the same filesystem as system, |
| # but someday that may change. |
| symlink /system/vendor /vendor |
| |
| # Create cgroup mount point for cpu accounting |
| mkdir /acct |
| mount cgroup none /acct cpuacct |
| mkdir /acct/uid |
| |
| # Create cgroup mount point for memory |
| mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000 |
| mkdir /sys/fs/cgroup/memory 0750 root system |
| mount cgroup none /sys/fs/cgroup/memory memory |
| write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 |
| chown root system /sys/fs/cgroup/memory/tasks |
| chmod 0660 /sys/fs/cgroup/memory/tasks |
| mkdir /sys/fs/cgroup/memory/sw 0750 root system |
| write /sys/fs/cgroup/memory/sw/memory.swappiness 100 |
| write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 |
| chown root system /sys/fs/cgroup/memory/sw/tasks |
| chmod 0660 /sys/fs/cgroup/memory/sw/tasks |
| |
| mkdir /system |
| mkdir /data 0771 system system |
| mkdir /cache 0770 system cache |
| mkdir /config 0500 root root |
| |
| # See storage config details at http://source.android.com/tech/storage/ |
| mkdir /mnt/shell 0700 shell shell |
| mkdir /mnt/media_rw 0700 media_rw media_rw |
| mkdir /storage 0751 root sdcard_r |
| |
| # Directory for putting things only root should see. |
| mkdir /mnt/secure 0700 root root |
| |
| # Directory for staging bindmounts |
| mkdir /mnt/secure/staging 0700 root root |
| |
| # Directory-target for where the secure container |
| # imagefile directory will be bind-mounted |
| mkdir /mnt/secure/asec 0700 root root |
| |
| # Secure container public mount points. |
| mkdir /mnt/asec 0700 root system |
| mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 |
| |
| # Filesystem image public mount points. |
| mkdir /mnt/obb 0700 root system |
| mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 |
| |
| write /proc/sys/kernel/panic_on_oops 1 |
| write /proc/sys/kernel/hung_task_timeout_secs 0 |
| write /proc/cpu/alignment 4 |
| write /proc/sys/kernel/sched_latency_ns 10000000 |
| write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 |
| write /proc/sys/kernel/sched_compat_yield 1 |
| write /proc/sys/kernel/sched_child_runs_first 0 |
| write /proc/sys/kernel/randomize_va_space 2 |
| write /proc/sys/kernel/kptr_restrict 2 |
| write /proc/sys/kernel/dmesg_restrict 1 |
| write /proc/sys/vm/mmap_min_addr 32768 |
| write /proc/sys/net/ipv4/ping_group_range "0 2147483647" |
| write /proc/sys/net/unix/max_dgram_qlen 300 |
| write /proc/sys/kernel/sched_rt_runtime_us 950000 |
| write /proc/sys/kernel/sched_rt_period_us 1000000 |
| |
| # Create cgroup mount points for process groups |
| mkdir /dev/cpuctl |
| mount cgroup none /dev/cpuctl cpu |
| chown system system /dev/cpuctl |
| chown system system /dev/cpuctl/tasks |
| chmod 0660 /dev/cpuctl/tasks |
| write /dev/cpuctl/cpu.shares 1024 |
| write /dev/cpuctl/cpu.rt_runtime_us 950000 |
| write /dev/cpuctl/cpu.rt_period_us 1000000 |
| |
| mkdir /dev/cpuctl/apps |
| chown system system /dev/cpuctl/apps/tasks |
| chmod 0666 /dev/cpuctl/apps/tasks |
| write /dev/cpuctl/apps/cpu.shares 1024 |
| write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 |
| write /dev/cpuctl/apps/cpu.rt_period_us 1000000 |
| |
| mkdir /dev/cpuctl/apps/bg_non_interactive |
| chown system system /dev/cpuctl/apps/bg_non_interactive/tasks |
| chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks |
| # 5.0 % |
| write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 |
| write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 |
| write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 |
| |
| # qtaguid will limit access to specific data based on group memberships. |
| # net_bw_acct grants impersonation of socket owners. |
| # net_bw_stats grants access to other apps' detailed tagged-socket stats. |
| chown root net_bw_acct /proc/net/xt_qtaguid/ctrl |
| chown root net_bw_stats /proc/net/xt_qtaguid/stats |
| |
| # Allow everybody to read the xt_qtaguid resource tracking misc dev. |
| # This is needed by any process that uses socket tagging. |
| chmod 0644 /dev/xt_qtaguid |
| |
| # Create location for fs_mgr to store abbreviated output from filesystem |
| # checker programs. |
| mkdir /dev/fscklogs 0770 root system |
| |
| on post-fs |
| # once everything is setup, no need to modify / |
| mount rootfs rootfs / ro remount |
| # mount shared so changes propagate into child namespaces |
| mount rootfs rootfs / shared rec |
| |
| # We chown/chmod /cache again so because mount is run as root + defaults |
| chown system cache /cache |
| chmod 0770 /cache |
| # We restorecon /cache in case the cache partition has been reset. |
| restorecon /cache |
| |
| # This may have been created by the recovery system with odd permissions |
| chown system cache /cache/recovery |
| chmod 0770 /cache/recovery |
| # This may have been created by the recovery system with the wrong context. |
| restorecon /cache/recovery |
| |
| #change permissions on vmallocinfo so we can grab it from bugreports |
| chown root log /proc/vmallocinfo |
| chmod 0440 /proc/vmallocinfo |
| |
| chown root log /proc/slabinfo |
| chmod 0440 /proc/slabinfo |
| |
| #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks |
| chown root system /proc/kmsg |
| chmod 0440 /proc/kmsg |
| chown root system /proc/sysrq-trigger |
| chmod 0220 /proc/sysrq-trigger |
| chown system log /proc/last_kmsg |
| chmod 0440 /proc/last_kmsg |
| |
| # make the selinux kernel policy world-readable |
| chmod 0444 /sys/fs/selinux/policy |
| |
| # create the lost+found directories, so as to enforce our permissions |
| mkdir /cache/lost+found 0770 root root |
| |
| on post-fs-data |
| # We chown/chmod /data again so because mount is run as root + defaults |
| chown system system /data |
| chmod 0771 /data |
| # We restorecon /data in case the userdata partition has been reset. |
| restorecon /data |
| |
| # Avoid predictable entropy pool. Carry over entropy from previous boot. |
| copy /data/system/entropy.dat /dev/urandom |
| |
| # Create dump dir and collect dumps. |
| # Do this before we mount cache so eventually we can use cache for |
| # storing dumps on platforms which do not have a dedicated dump partition. |
| mkdir /data/dontpanic 0750 root log |
| |
| # Collect apanic data, free resources and re-arm trigger |
| copy /proc/apanic_console /data/dontpanic/apanic_console |
| chown root log /data/dontpanic/apanic_console |
| chmod 0640 /data/dontpanic/apanic_console |
| |
| copy /proc/apanic_threads /data/dontpanic/apanic_threads |
| chown root log /data/dontpanic/apanic_threads |
| chmod 0640 /data/dontpanic/apanic_threads |
| |
| write /proc/apanic_console 1 |
| |
| # create basic filesystem structure |
| mkdir /data/misc 01771 system misc |
| mkdir /data/misc/adb 02750 system shell |
| mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack |
| mkdir /data/misc/bluetooth 0770 system system |
| mkdir /data/misc/keystore 0700 keystore keystore |
| mkdir /data/misc/keychain 0771 system system |
| mkdir /data/misc/radio 0770 system radio |
| mkdir /data/misc/sms 0770 system radio |
| mkdir /data/misc/zoneinfo 0775 system system |
| mkdir /data/misc/vpn 0770 system vpn |
| mkdir /data/misc/systemkeys 0700 system system |
| mkdir /data/misc/wifi 0770 wifi wifi |
| mkdir /data/misc/wifi/sockets 0770 wifi wifi |
| mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi |
| mkdir /data/misc/dhcp 0770 dhcp dhcp |
| # give system access to wpa_supplicant.conf for backup and restore |
| chmod 0660 /data/misc/wifi/wpa_supplicant.conf |
| mkdir /data/local 0751 root root |
| mkdir /data/misc/media 0700 media media |
| |
| # For security reasons, /data/local/tmp should always be empty. |
| # Do not place files or directories in /data/local/tmp |
| mkdir /data/local/tmp 0771 shell shell |
| mkdir /data/data 0771 system system |
| mkdir /data/app-private 0771 system system |
| mkdir /data/app-asec 0700 root root |
| mkdir /data/app-lib 0771 system system |
| mkdir /data/app 0771 system system |
| mkdir /data/property 0700 root root |
| mkdir /data/ssh 0750 root shell |
| mkdir /data/ssh/empty 0700 root root |
| |
| # create dalvik-cache, so as to enforce our permissions |
| mkdir /data/dalvik-cache 0771 system system |
| |
| # create resource-cache and double-check the perms |
| mkdir /data/resource-cache 0771 system system |
| chown system system /data/resource-cache |
| chmod 0771 /data/resource-cache |
| |
| # create the lost+found directories, so as to enforce our permissions |
| mkdir /data/lost+found 0770 root root |
| |
| # create directory for DRM plug-ins - give drm the read/write access to |
| # the following directory. |
| mkdir /data/drm 0770 drm drm |
| |
| # create directory for MediaDrm plug-ins - give drm the read/write access to |
| # the following directory. |
| mkdir /data/mediadrm 0770 mediadrm mediadrm |
| |
| # symlink to bugreport storage location |
| symlink /data/data/com.android.shell/files/bugreports /data/bugreports |
| |
| # Separate location for storing security policy files on data |
| mkdir /data/security 0711 system system |
| |
| # Reload policy from /data/security if present. |
| setprop selinux.reload_policy 1 |
| |
| # Set SELinux security contexts on upgrade or policy update. |
| restorecon_recursive /data |
| |
| # If there is no fs-post-data action in the init.<device>.rc file, you |
| # must uncomment this line, otherwise encrypted filesystems |
| # won't work. |
| # Set indication (checked by vold) that we have finished this action |
| #setprop vold.post_fs_data_done 1 |
| |
| on boot |
| # basic network init |
| ifup lo |
| hostname localhost |
| domainname localdomain |
| |
| # set RLIMIT_NICE to allow priorities from 19 to -20 |
| setrlimit 13 40 40 |
| |
| # Memory management. Basic kernel parameters, and allow the high |
| # level system server to be able to adjust the kernel OOM driver |
| # parameters to match how it is managing things. |
| write /proc/sys/vm/overcommit_memory 1 |
| write /proc/sys/vm/min_free_order_shift 4 |
| chown root system /sys/module/lowmemorykiller/parameters/adj |
| chmod 0664 /sys/module/lowmemorykiller/parameters/adj |
| chown root system /sys/module/lowmemorykiller/parameters/minfree |
| chmod 0664 /sys/module/lowmemorykiller/parameters/minfree |
| |
| # Tweak background writeout |
| write /proc/sys/vm/dirty_expire_centisecs 200 |
| write /proc/sys/vm/dirty_background_ratio 5 |
| |
| # Permissions for System Server and daemons. |
| chown radio system /sys/android_power/state |
| chown radio system /sys/android_power/request_state |
| chown radio system /sys/android_power/acquire_full_wake_lock |
| chown radio system /sys/android_power/acquire_partial_wake_lock |
| chown radio system /sys/android_power/release_wake_lock |
| chown system system /sys/power/autosleep |
| chown system system /sys/power/state |
| chown system system /sys/power/wakeup_count |
| chown radio system /sys/power/wake_lock |
| chown radio system /sys/power/wake_unlock |
| chmod 0660 /sys/power/state |
| chmod 0660 /sys/power/wake_lock |
| chmod 0660 /sys/power/wake_unlock |
| |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/boost |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy |
| |
| # Assume SMP uses shared cpufreq policy for all CPUs |
| chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq |
| chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq |
| |
| chown system system /sys/class/timed_output/vibrator/enable |
| chown system system /sys/class/leds/keyboard-backlight/brightness |
| chown system system /sys/class/leds/lcd-backlight/brightness |
| chown system system /sys/class/leds/button-backlight/brightness |
| chown system system /sys/class/leds/jogball-backlight/brightness |
| chown system system /sys/class/leds/red/brightness |
| chown system system /sys/class/leds/green/brightness |
| chown system system /sys/class/leds/blue/brightness |
| chown system system /sys/class/leds/red/device/grpfreq |
| chown system system /sys/class/leds/red/device/grppwm |
| chown system system /sys/class/leds/red/device/blink |
| chown system system /sys/class/timed_output/vibrator/enable |
| chown system system /sys/module/sco/parameters/disable_esco |
| chown system system /sys/kernel/ipv4/tcp_wmem_min |
| chown system system /sys/kernel/ipv4/tcp_wmem_def |
| chown system system /sys/kernel/ipv4/tcp_wmem_max |
| chown system system /sys/kernel/ipv4/tcp_rmem_min |
| chown system system /sys/kernel/ipv4/tcp_rmem_def |
| chown system system /sys/kernel/ipv4/tcp_rmem_max |
| chown root radio /proc/cmdline |
| |
| # Define TCP buffer sizes for various networks |
| # ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, |
| setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 |
| setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 |
| setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152 |
| setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 |
| setprop net.tcp.buffersize.umts 58254,349525,1048576,58254,349525,1048576 |
| setprop net.tcp.buffersize.hspa 40778,244668,734003,16777,100663,301990 |
| setprop net.tcp.buffersize.hsupa 40778,244668,734003,16777,100663,301990 |
| setprop net.tcp.buffersize.hsdpa 61167,367002,1101005,8738,52429,262114 |
| setprop net.tcp.buffersize.hspap 122334,734003,2202010,32040,192239,576717 |
| setprop net.tcp.buffersize.edge 4093,26280,70800,4096,16384,70800 |
| setprop net.tcp.buffersize.gprs 4092,8760,48000,4096,8760,48000 |
| setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 |
| |
| class_start core |
| class_start main |
| |
| on nonencrypted |
| class_start late_start |
| |
| on charger |
| class_start charger |
| |
| on property:vold.decrypt=trigger_reset_main |
| class_reset main |
| |
| on property:vold.decrypt=trigger_load_persist_props |
| load_persist_props |
| |
| on property:vold.decrypt=trigger_post_fs_data |
| trigger post-fs-data |
| |
| on property:vold.decrypt=trigger_restart_min_framework |
| class_start main |
| |
| on property:vold.decrypt=trigger_restart_framework |
| class_start main |
| class_start late_start |
| |
| on property:vold.decrypt=trigger_shutdown_framework |
| class_reset late_start |
| class_reset main |
| |
| on property:sys.powerctl=* |
| powerctl ${sys.powerctl} |
| |
| # system server cannot write to /proc/sys files, so proxy it through init |
| on property:sys.sysctl.extra_free_kbytes=* |
| write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} |
| |
| ## Daemon processes to be run by init. |
| ## |
| service ueventd /sbin/ueventd |
| class core |
| critical |
| seclabel u:r:ueventd:s0 |
| |
| service logd /system/bin/logd |
| class core |
| socket logd stream 0666 logd logd |
| socket logdr seqpacket 0666 logd logd |
| socket logdw dgram 0222 logd logd |
| seclabel u:r:logd:s0 |
| |
| service healthd /sbin/healthd |
| class core |
| critical |
| seclabel u:r:healthd:s0 |
| |
| service healthd-charger /sbin/healthd -n |
| class charger |
| critical |
| seclabel u:r:healthd:s0 |
| |
| service console /system/bin/sh |
| class core |
| console |
| disabled |
| user shell |
| group log |
| seclabel u:r:shell:s0 |
| |
| on property:ro.debuggable=1 |
| start console |
| |
| # adbd is controlled via property triggers in init.<platform>.usb.rc |
| service adbd /sbin/adbd --root_seclabel=u:r:su:s0 |
| class core |
| socket adbd stream 660 system system |
| disabled |
| seclabel u:r:adbd:s0 |
| |
| # adbd on at boot in emulator |
| on property:ro.kernel.qemu=1 |
| start adbd |
| |
| service servicemanager /system/bin/servicemanager |
| class core |
| user system |
| group system |
| critical |
| onrestart restart healthd |
| onrestart restart zygote |
| onrestart restart media |
| onrestart restart surfaceflinger |
| onrestart restart drm |
| |
| service vold /system/bin/vold |
| class core |
| socket vold stream 0660 root mount |
| ioprio be 2 |
| |
| service netd /system/bin/netd |
| class main |
| socket netd stream 0660 root system |
| socket dnsproxyd stream 0660 root inet |
| socket mdns stream 0660 root system |
| |
| service debuggerd /system/bin/debuggerd |
| class main |
| |
| service debuggerd64 /system/bin/debuggerd64 |
| class main |
| |
| service ril-daemon /system/bin/rild |
| class main |
| socket rild stream 660 root radio |
| socket rild-debug stream 660 radio system |
| user root |
| group radio cache inet misc audio log |
| |
| service surfaceflinger /system/bin/surfaceflinger |
| class main |
| user system |
| group graphics drmrpc |
| onrestart restart zygote |
| |
| service drm /system/bin/drmserver |
| class main |
| user drm |
| group drm system inet drmrpc |
| |
| service media /system/bin/mediaserver |
| class main |
| user media |
| group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm |
| ioprio rt 4 |
| |
| service bootanim /system/bin/bootanimation |
| class main |
| user graphics |
| group graphics |
| disabled |
| oneshot |
| |
| service installd /system/bin/installd |
| class main |
| socket installd stream 600 system system |
| |
| service flash_recovery /system/etc/install-recovery.sh |
| class main |
| oneshot |
| |
| service racoon /system/bin/racoon |
| class main |
| socket racoon stream 600 system system |
| # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. |
| group vpn net_admin inet |
| disabled |
| oneshot |
| |
| service mtpd /system/bin/mtpd |
| class main |
| socket mtpd stream 600 system system |
| user vpn |
| group vpn net_admin inet net_raw |
| disabled |
| oneshot |
| |
| service keystore /system/bin/keystore /data/misc/keystore |
| class main |
| user keystore |
| group keystore drmrpc |
| |
| service dumpstate /system/bin/dumpstate -s |
| class main |
| socket dumpstate stream 0660 shell log |
| disabled |
| oneshot |
| |
| service sshd /system/bin/start-ssh |
| class main |
| disabled |
| |
| service mdnsd /system/bin/mdnsd |
| class main |
| user mdnsr |
| group inet net_raw |
| socket mdnsd stream 0660 mdnsr inet |
| disabled |
| oneshot |