Created
September 30, 2013 08:16
-
-
Save skyisle/6760764 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (C) 2012 The Android Open Source Project | |
| # | |
| # IMPORTANT: Do not create world writable files or directories. | |
| # This is a common source of Android security bugs. | |
| # | |
| import /init.${ro.hardware}.rc | |
| import /init.usb.rc | |
| import /init.trace.rc | |
| on early-init | |
| # Set init and its forked children's oom_adj. | |
| write /proc/1/oom_adj -16 | |
| start ueventd | |
| # create mountpoints | |
| mkdir /mnt 0775 root system | |
| on init | |
| sysclktz 0 | |
| loglevel 3 | |
| # setup the global environment | |
| export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin | |
| export LD_LIBRARY_PATH /vendor/lib:/system/lib | |
| export ANDROID_BOOTLOGO 1 | |
| export ANDROID_ROOT /system | |
| export ANDROID_ASSETS /system/app | |
| export ANDROID_DATA /data | |
| export ASEC_MOUNTPOINT /mnt/asec | |
| export LOOP_MOUNTPOINT /mnt/obb | |
| export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar | |
| # Backward compatibility | |
| symlink /system/etc /etc | |
| symlink /sys/kernel/debug /d | |
| # Right now vendor lives on the same filesystem as system, | |
| # but someday that may change. | |
| symlink /system/vendor /vendor | |
| # Create cgroup mount point for cpu accounting | |
| mkdir /acct | |
| mount cgroup none /acct cpuacct | |
| mkdir /acct/uid | |
| mkdir /system | |
| mkdir /data 0771 system system | |
| mkdir /cache 0770 system cache | |
| mkdir /config 0500 root root | |
| # Directory for putting things only root should see. | |
| mkdir /mnt/secure 0700 root root | |
| # Directory for staging bindmounts | |
| mkdir /mnt/secure/staging 0700 root root | |
| # Directory-target for where the secure container | |
| # imagefile directory will be bind-mounted | |
| mkdir /mnt/secure/asec 0700 root root | |
| # Secure container public mount points. | |
| mkdir /mnt/asec 0700 root system | |
| mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 | |
| # Filesystem image public mount points. | |
| mkdir /mnt/obb 0700 root system | |
| mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 | |
| write /proc/sys/kernel/panic_on_oops 1 | |
| write /proc/sys/kernel/hung_task_timeout_secs 0 | |
| write /proc/cpu/alignment 4 | |
| write /proc/sys/kernel/sched_latency_ns 10000000 | |
| write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 | |
| write /proc/sys/kernel/sched_compat_yield 1 | |
| write /proc/sys/kernel/sched_child_runs_first 0 | |
| write /proc/sys/kernel/randomize_va_space 2 | |
| write /proc/sys/kernel/kptr_restrict 2 | |
| write /proc/sys/kernel/dmesg_restrict 1 | |
| write /proc/sys/vm/mmap_min_addr 32768 | |
| write /proc/sys/kernel/sched_rt_runtime_us 950000 | |
| write /proc/sys/kernel/sched_rt_period_us 1000000 | |
| # Create cgroup mount points for process groups | |
| mkdir /dev/cpuctl | |
| mount cgroup none /dev/cpuctl cpu | |
| chown system system /dev/cpuctl | |
| chown system system /dev/cpuctl/tasks | |
| chmod 0660 /dev/cpuctl/tasks | |
| write /dev/cpuctl/cpu.shares 1024 | |
| write /dev/cpuctl/cpu.rt_runtime_us 950000 | |
| write /dev/cpuctl/cpu.rt_period_us 1000000 | |
| mkdir /dev/cpuctl/apps | |
| chown system system /dev/cpuctl/apps/tasks | |
| chmod 0666 /dev/cpuctl/apps/tasks | |
| write /dev/cpuctl/apps/cpu.shares 1024 | |
| write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 | |
| write /dev/cpuctl/apps/cpu.rt_period_us 1000000 | |
| mkdir /dev/cpuctl/apps/bg_non_interactive | |
| chown system system /dev/cpuctl/apps/bg_non_interactive/tasks | |
| chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks | |
| # 5.0 % | |
| write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 | |
| write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 | |
| write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 | |
| # Allow everybody to read the xt_qtaguid resource tracking misc dev. | |
| # This is needed by any process that uses socket tagging. | |
| chmod 0644 /dev/xt_qtaguid | |
| on fs | |
| # mount mtd partitions | |
| # Mount /system rw first to give the filesystem a chance to save a checkpoint | |
| mount yaffs2 mtd@system /system | |
| mount yaffs2 mtd@system /system ro remount | |
| mount yaffs2 mtd@userdata /data nosuid nodev | |
| mount yaffs2 mtd@cache /cache nosuid nodev | |
| on post-fs | |
| # once everything is setup, no need to modify / | |
| mount rootfs rootfs / ro remount | |
| # We chown/chmod /cache again so because mount is run as root + defaults | |
| chown system cache /cache | |
| chmod 0770 /cache | |
| # This may have been created by the recovery system with odd permissions | |
| chown system cache /cache/recovery | |
| chmod 0770 /cache/recovery | |
| #change permissions on vmallocinfo so we can grab it from bugreports | |
| chown root log /proc/vmallocinfo | |
| chmod 0440 /proc/vmallocinfo | |
| #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks | |
| chown root system /proc/kmsg | |
| chmod 0440 /proc/kmsg | |
| chown root system /proc/sysrq-trigger | |
| chmod 0220 /proc/sysrq-trigger | |
| # create the lost+found directories, so as to enforce our permissions | |
| mkdir /cache/lost+found 0770 root root | |
| on post-fs-data | |
| # We chown/chmod /data again so because mount is run as root + defaults | |
| chown system system /data | |
| chmod 0771 /data | |
| # Create dump dir and collect dumps. | |
| # Do this before we mount cache so eventually we can use cache for | |
| # storing dumps on platforms which do not have a dedicated dump partition. | |
| mkdir /data/dontpanic 0750 root log | |
| # Collect apanic data, free resources and re-arm trigger | |
| copy /proc/apanic_console /data/dontpanic/apanic_console | |
| chown root log /data/dontpanic/apanic_console | |
| chmod 0640 /data/dontpanic/apanic_console | |
| copy /proc/apanic_threads /data/dontpanic/apanic_threads | |
| chown root log /data/dontpanic/apanic_threads | |
| chmod 0640 /data/dontpanic/apanic_threads | |
| write /proc/apanic_console 1 | |
| # create basic filesystem structure | |
| mkdir /data/misc 01771 system misc | |
| mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth | |
| mkdir /data/misc/bluetooth 0770 system system | |
| mkdir /data/misc/keystore 0700 keystore keystore | |
| mkdir /data/misc/keychain 0771 system system | |
| mkdir /data/misc/vpn 0770 system vpn | |
| mkdir /data/misc/systemkeys 0700 system system | |
| # give system access to wpa_supplicant.conf for backup and restore | |
| mkdir /data/misc/wifi 0770 wifi wifi | |
| chmod 0660 /data/misc/wifi/wpa_supplicant.conf | |
| mkdir /data/local 0751 root root | |
| # For security reasons, /data/local/tmp should always be empty. | |
| # Do not place files or directories in /data/local/tmp | |
| mkdir /data/local/tmp 0771 shell shell | |
| mkdir /data/data 0771 system system | |
| mkdir /data/app-private 0771 system system | |
| mkdir /data/app-asec 0700 root root | |
| mkdir /data/app 0771 system system | |
| mkdir /data/property 0700 root root | |
| mkdir /data/ssh 0750 root shell | |
| mkdir /data/ssh/empty 0700 root root | |
| # create dalvik-cache, so as to enforce our permissions | |
| mkdir /data/dalvik-cache 0771 system system | |
| # create resource-cache and double-check the perms | |
| mkdir /data/resource-cache 0771 system system | |
| chown system system /data/resource-cache | |
| chmod 0771 /data/resource-cache | |
| # create the lost+found directories, so as to enforce our permissions | |
| mkdir /data/lost+found 0770 root root | |
| # create directory for DRM plug-ins - give drm the read/write access to | |
| # the following directory. | |
| mkdir /data/drm 0770 drm drm | |
| # If there is no fs-post-data action in the init.<device>.rc file, you | |
| # must uncomment this line, otherwise encrypted filesystems | |
| # won't work. | |
| # Set indication (checked by vold) that we have finished this action | |
| #setprop vold.post_fs_data_done 1 | |
| on boot | |
| # basic network init | |
| ifup lo | |
| hostname localhost | |
| domainname localdomain | |
| # set RLIMIT_NICE to allow priorities from 19 to -20 | |
| setrlimit 13 40 40 | |
| # Memory management. Basic kernel parameters, and allow the high | |
| # level system server to be able to adjust the kernel OOM driver | |
| # parameters to match how it is managing things. | |
| write /proc/sys/vm/overcommit_memory 1 | |
| write /proc/sys/vm/min_free_order_shift 4 | |
| chown root system /sys/module/lowmemorykiller/parameters/adj | |
| chmod 0664 /sys/module/lowmemorykiller/parameters/adj | |
| chown root system /sys/module/lowmemorykiller/parameters/minfree | |
| chmod 0664 /sys/module/lowmemorykiller/parameters/minfree | |
| # Tweak background writeout | |
| write /proc/sys/vm/dirty_expire_centisecs 200 | |
| write /proc/sys/vm/dirty_background_ratio 5 | |
| # Permissions for System Server and daemons. | |
| chown radio system /sys/android_power/state | |
| chown radio system /sys/android_power/request_state | |
| chown radio system /sys/android_power/acquire_full_wake_lock | |
| chown radio system /sys/android_power/acquire_partial_wake_lock | |
| chown radio system /sys/android_power/release_wake_lock | |
| chown system system /sys/power/state | |
| chown system system /sys/power/wakeup_count | |
| chown radio system /sys/power/wake_lock | |
| chown radio system /sys/power/wake_unlock | |
| chmod 0660 /sys/power/state | |
| chmod 0660 /sys/power/wake_lock | |
| chmod 0660 /sys/power/wake_unlock | |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate | |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate | |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time | |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time | |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq | |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq | |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load | |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load | |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay | |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay | |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/boost | |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost | |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse | |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost | |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost | |
| # Assume SMP uses shared cpufreq policy for all CPUs | |
| chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq | |
| chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq | |
| chown system system /sys/class/timed_output/vibrator/enable | |
| chown system system /sys/class/leds/keyboard-backlight/brightness | |
| chown system system /sys/class/leds/lcd-backlight/brightness | |
| chown system system /sys/class/leds/button-backlight/brightness | |
| chown system system /sys/class/leds/jogball-backlight/brightness | |
| chown system system /sys/class/leds/red/brightness | |
| chown system system /sys/class/leds/green/brightness | |
| chown system system /sys/class/leds/blue/brightness | |
| chown system system /sys/class/leds/red/device/grpfreq | |
| chown system system /sys/class/leds/red/device/grppwm | |
| chown system system /sys/class/leds/red/device/blink | |
| chown system system /sys/class/leds/red/brightness | |
| chown system system /sys/class/leds/green/brightness | |
| chown system system /sys/class/leds/blue/brightness | |
| chown system system /sys/class/leds/red/device/grpfreq | |
| chown system system /sys/class/leds/red/device/grppwm | |
| chown system system /sys/class/leds/red/device/blink | |
| chown system system /sys/class/timed_output/vibrator/enable | |
| chown system system /sys/module/sco/parameters/disable_esco | |
| chown system system /sys/kernel/ipv4/tcp_wmem_min | |
| chown system system /sys/kernel/ipv4/tcp_wmem_def | |
| chown system system /sys/kernel/ipv4/tcp_wmem_max | |
| chown system system /sys/kernel/ipv4/tcp_rmem_min | |
| chown system system /sys/kernel/ipv4/tcp_rmem_def | |
| chown system system /sys/kernel/ipv4/tcp_rmem_max | |
| chown root radio /proc/cmdline | |
| # Define TCP buffer sizes for various networks | |
| # ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, | |
| setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 | |
| setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 | |
| setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 | |
| setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 | |
| setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 | |
| setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 | |
| setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 | |
| # Set this property so surfaceflinger is not started by system_init | |
| setprop system_init.startsurfaceflinger 0 | |
| class_start core | |
| class_start main | |
| on nonencrypted | |
| class_start late_start | |
| on charger | |
| class_start charger | |
| on property:vold.decrypt=trigger_reset_main | |
| class_reset main | |
| on property:vold.decrypt=trigger_load_persist_props | |
| load_persist_props | |
| on property:vold.decrypt=trigger_post_fs_data | |
| trigger post-fs-data | |
| on property:vold.decrypt=trigger_restart_min_framework | |
| class_start main | |
| on property:vold.decrypt=trigger_restart_framework | |
| class_start main | |
| class_start late_start | |
| on property:vold.decrypt=trigger_shutdown_framework | |
| class_reset late_start | |
| class_reset main | |
| ## Daemon processes to be run by init. | |
| ## | |
| service ueventd /sbin/ueventd | |
| class core | |
| critical | |
| service console /system/bin/sh | |
| class core | |
| console | |
| disabled | |
| user shell | |
| group log | |
| on property:ro.debuggable=1 | |
| start console | |
| # adbd is controlled via property triggers in init.<platform>.usb.rc | |
| service adbd /sbin/adbd | |
| class core | |
| disabled | |
| # adbd on at boot in emulator | |
| on property:ro.kernel.qemu=1 | |
| start adbd | |
| service servicemanager /system/bin/servicemanager | |
| class core | |
| user system | |
| group system | |
| critical | |
| onrestart restart zygote | |
| onrestart restart media | |
| onrestart restart surfaceflinger | |
| onrestart restart drm | |
| service vold /system/bin/vold | |
| class core | |
| socket vold stream 0660 root mount | |
| ioprio be 2 | |
| service netd /system/bin/netd | |
| class main | |
| socket netd stream 0660 root system | |
| socket dnsproxyd stream 0660 root inet | |
| socket mdns stream 0660 root system | |
| service debuggerd /system/bin/debuggerd | |
| class main | |
| service ril-daemon /system/bin/rild | |
| class main | |
| socket rild stream 660 root radio | |
| socket rild-debug stream 660 radio system | |
| user root | |
| group radio cache inet misc audio sdcard_r sdcard_rw log | |
| service surfaceflinger /system/bin/surfaceflinger | |
| class main | |
| user system | |
| group graphics | |
| onrestart restart zygote | |
| service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server | |
| class main | |
| socket zygote stream 660 root system | |
| onrestart write /sys/android_power/request_state wake | |
| onrestart write /sys/power/state on | |
| onrestart restart media | |
| onrestart restart netd | |
| service drm /system/bin/drmserver | |
| class main | |
| user drm | |
| group drm system inet drmrpc sdcard_r | |
| service media /system/bin/mediaserver | |
| class main | |
| user media | |
| group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc | |
| ioprio rt 4 | |
| service bootanim /system/bin/bootanimation | |
| class main | |
| user graphics | |
| group graphics | |
| disabled | |
| oneshot | |
| service dbus /system/bin/dbus-daemon --system --nofork | |
| class main | |
| socket dbus stream 660 bluetooth bluetooth | |
| user bluetooth | |
| group bluetooth net_bt_admin | |
| service bluetoothd /system/bin/bluetoothd -n | |
| class main | |
| socket bluetooth stream 660 bluetooth bluetooth | |
| socket dbus_bluetooth stream 660 bluetooth bluetooth | |
| # init.rc does not yet support applying capabilities, so run as root and | |
| # let bluetoothd drop uid to bluetooth with the right linux capabilities | |
| group bluetooth net_bt_admin misc | |
| disabled | |
| service installd /system/bin/installd | |
| class main | |
| socket installd stream 600 system system | |
| service flash_recovery /system/etc/install-recovery.sh | |
| class main | |
| oneshot | |
| service racoon /system/bin/racoon | |
| class main | |
| socket racoon stream 600 system system | |
| # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. | |
| group vpn net_admin inet | |
| disabled | |
| oneshot | |
| service mtpd /system/bin/mtpd | |
| class main | |
| socket mtpd stream 600 system system | |
| user vpn | |
| group vpn net_admin inet net_raw | |
| disabled | |
| oneshot | |
| service keystore /system/bin/keystore /data/misc/keystore | |
| class main | |
| user keystore | |
| group keystore drmrpc | |
| socket keystore stream 666 | |
| service dumpstate /system/bin/dumpstate -s | |
| class main | |
| socket dumpstate stream 0660 shell log | |
| disabled | |
| oneshot | |
| service sshd /system/bin/start-ssh | |
| class main | |
| disabled | |
| service mdnsd /system/bin/mdnsd | |
| class main | |
| user mdnsr | |
| group inet net_raw | |
| socket mdnsd stream 0660 mdnsr inet | |
| disabled | |
| oneshot |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment