init.rc
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Mer/droid-hal variant of the AOSP init.rc: the USB import is commented out
# and several mounts further down are marked "Removed during droid-hal-device
# build", because the Mer userland owns those steps.

import /init.environ.rc
# Mer handles usb stuff
#import /init.usb.rc
# ${ro.hardware} is expanded by init, so this pulls in the device-specific
# init file (the one expected to carry the per-device fs-post-data action).
import /init.${ro.hardware}.rc
import /init.trace.rc
import /init.carrier.rc
on early-init
    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    # (Note that ueventd itself is not started by this file: its service
    # definition is commented out below as "Not used by Mer".)
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    # create mountpoints
    mkdir /mnt 0775 root system
on init
    sysclktz 0
    loglevel 64

    # Backward compatibility
    symlink /sys/kernel/debug /d

    # Right now vendor lives on the same filesystem as system,
    # but someday that may change.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    # Removed during droid-hal-device build : mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory
    # Removed during droid-hal-device build : mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    # NOTE(review): with the AOSP cgroup mounts stripped out, the mkdir/write/
    # chown/chmod lines below only take effect if the Mer side has already
    # mounted /sys/fs/cgroup at this point of boot. init logs a failed command
    # and carries on, so a missing mount would not stop boot but would leave
    # these knobs unset and the tasks files unowned — confirm the unit ordering.
    mkdir /sys/fs/cgroup/memory 0750 root system
    # Removed during droid-hal-device build : mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    # /system is owned by Mer
    #mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0771 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    mkdir /mnt/asec 0700 root system
    # Removed during droid-hal-device build : mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    # Removed during droid-hal-device build : mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # Fuse public mount points.
    mkdir /mnt/fuse 0700 root system
    # Removed during droid-hal-device build : mount tmpfs tmpfs /mnt/fuse mode=0775,gid=1000

    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # Kernel hardening knobs: full ASLR (randomize_va_space 2), hide kernel
    # pointers from every reader (kptr_restrict 2), restrict dmesg to
    # privileged readers (dmesg_restrict 1) and refuse low mmap addresses.
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    # Let every gid in the range open unprivileged ICMP (ping) sockets.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    #   net_bw_acct grants impersonation of socket owners.
    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log
    # Removed during droid-hal-device build : mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops
on post-fs
    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0771 /cache

    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery

    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    #change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg is read-only for root and the system group (0440); sysrq-trigger is
    # write-only for the same two (0220), since a write to it fires a sysrq.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger

    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root
on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data

    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/audit 02750 audit system
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # Private to the keystore daemon (whose service is declared further down
    # but marked disabled in Mer).
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    # give system access to wpa_supplicant.conf for backup and restore
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root
    mkdir /data/radio 0770 radio radio

    # create dalvik-cache and double-check the perms, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system
    chown system system /data/dalvik-cache
    chmod 0771 /data/dalvik-cache

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no fs-post-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    # (vold's own service definition is commented out in this file, so the
    # property is left to the device-specific rc here.)
    #setprop vold.post_fs_data_done 1
# Include extra init file (top-level import, not part of the post-fs-data
# action above it).
import /init.cm.rc
on boot
    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    # Wake-lock and suspend control nodes: owned by radio or system, writable
    # only by owner and the system group (0660 below).
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # cpufreq "interactive" governor tunables, handed to the system user.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # boostpulse gets a chown but no chmod here, unlike its neighbours.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
    chmod 0664 /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0664 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq
    chmod 0664 /sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq

    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Kernel command line readable by root and the radio group only
    # (the mode is not changed here, so the kernel default applies).
    chown root radio /proc/cmdline

    # Allow system group to trigger vibrator
    chmod 0664 /sys/class/timed_output/vibrator/enable

    # Define TCP buffer sizes for various networks
    #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,704512,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.hsupa   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.hsdpa   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.dchspap 4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.evdo_b  4096,87380,704512,4096,16384,262144

    # Assign TCP buffer thresholds to be ceiling value of technology maximums
    # Increased technology maximums should be reflected here.
    write /proc/sys/net/core/rmem_max 2097152
    write /proc/sys/net/core/wmem_max 2097152

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core
    class_start main
# Never gets called, since Mer does its own 'mount_all'
on nonencrypted
    class_start late_start

# Mer needs to set this property when fs units are mounted
on property:droid.late_start=trigger_late_start
    class_start late_start

on charger
    class_start charger

# vold.decrypt triggers: retained from AOSP even though vold's service
# definition is commented out further down in this file.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Any value set on sys.powerctl is passed straight to powerctl; who may set
# the property is governed by init's property permission table, not here.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
# The property value is written verbatim; as above, the only guard is the
# property permission table that decides who may set sys.sysctl.*.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

# "tcp_default_init_rwnd" Is too long!
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
## Daemon processes to be run by init.
##
# Not used by Mer
#service ueventd /sbin/ueventd
#    class core
#    critical
#    seclabel u:r:ueventd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

service healthd-charger /sbin/healthd -n
    class charger
    critical
    seclabel u:r:healthd:s0

# Console shell, running as the shell user in the shell domain.  It is
# `disabled` and is only started by the ro.debuggable=1 trigger below, so it
# does not come up on a non-debuggable build.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log
    seclabel u:r:shell:s0

# Disabled in Mer - together with CONFIG_AUDIT=n in mer-kernel-check
service auditd /system/bin/auditd -k
    class main
    disabled

on property:ro.debuggable=1
    start console
# adbd is controlled via property triggers in init.<platform>.usb.rc
# (note that /init.usb.rc is not imported by this file; the Mer side is
# expected to drive adbd instead).  The control socket is 660 system:system.
service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd
# Custom servicemanager allows user nemo to register services
# NOTE(review): the stock servicemanager keeps an allow-list of uids that may
# register named binder services; a build that also admits the nemo user
# widens that trust boundary to the regular session user.  Confirm the
# allow-list in the droid-hybris build matches what is intended.
service servicemanager /usr/libexec/droid-hybris/system/bin/servicemanager
    class core
    user system
    group system
#    critical
#    onrestart restart minimedia
#    onrestart restart minisf
#    onrestart restart healthd
#    onrestart restart zygote
#    onrestart restart media
#    onrestart restart surfaceflinger
#    onrestart restart drm
#

# Mer replacements for mediaserver and surfaceflinger (the AOSP services
# with those names are declared below but marked disabled).
service minimedia /usr/libexec/droid-hybris/system/bin/minimediaservice
    class main
    user media
    group audio camera
    ioprio rt 4

service minisf /usr/libexec/droid-hybris/system/bin/minisfservice
    class main
    user system
    group graphics
#service vold /system/bin/vold
#    class core
#    socket vold stream 0660 root mount
#    ioprio be 2
#
#service netd /system/bin/netd
#    class main
#    socket netd stream 0660 root system
#    socket dnsproxyd stream 0660 root inet
#    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main

# Runs as root (explicit `user root`) with a wide group list; the control
# sockets are 660 and limited to root/radio and radio/system respectively.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio sdcard_rw qcom_oncrpc qcom_diag log
# Disabled in Mer - used only during porting atm
service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote
    disabled

# Disabled in Mer
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
#    onrestart restart media
#    onrestart restart netd
    disabled

# Disabled coz it rebooted device
#service drm /system/bin/drmserver
#    class main
#    user drm
#    group drm system inet drmrpc

# Disabled in Mer (minimedia above takes its place)
service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc qcom_diag mediadrm
    ioprio rt 4
    disabled

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot
# No `user` line, so installd runs with init's default identity; its socket
# is 600 system:system.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

service flash_recovery /system/etc/install-cm-recovery.sh
    class main
    disabled
    oneshot

# update recovery if enabled
on property:persist.sys.recovery_update=true
    start flash_recovery

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

# Disabled in Mer
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc system
    disabled

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot
# Use Mer sshd
#service sshd /system/bin/start-ssh
#    class main
#    disabled

# This trigger is run by our modified init after boot has finished
on ready
    class_start mer

# Notify Mer's systemd that we're done
# This is started at the end of boot after both core and main classes
# NOTE(review): no `user`, `group` or `seclabel` line, so the script runs
# with init's default identity (root, unless the modified init changes the
# default) and whatever domain the policy transitions /bin/sh into — confirm
# that is intended for a script in /usr/bin/droid.
service droid_init_done /bin/sh /usr/bin/droid/droid-init-done.sh
    class mer
    oneshot