Commit | Line | Data |
---|---|---|
d05bb22f S |
1 | # Copyright (C) 2012 The Android Open Source Project |
2 | # | |
3 | # IMPORTANT: Do not create world writable files or directories. | |
4 | # This is a common source of Android security bugs. | |
5 | # | |
6 | ||
7 | import /init.environ.rc | |
8 | import /init.usb.rc | |
9 | import /init.${ro.hardware}.rc | |
10 | import /init.${ro.zygote}.rc | |
11 | import /init.trace.rc | |
12 | ||
13 | on early-init | |
14 | # Set oom_score_adj for init (pid 1) and its forked children to -1000, the lowest value, so the OOM killer leaves them alone. | |
15 | write /proc/1/oom_score_adj -1000 | |
16 | ||
17 | # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls (0 = check the protection the kernel will actually apply, not only the one the caller requested). | |
18 | write /sys/fs/selinux/checkreqprot 0 | |
19 | ||
20 | # Set the security context for the init process. | |
21 | # This should occur before anything else (e.g. ueventd) is started. | |
22 | setcon u:r:init:s0 | |
23 | ||
24 | # Set the security context of /adb_keys if present. | |
25 | restorecon /adb_keys | |
26 | ||
27 | start ueventd | |
28 | ||
29 | # Create mount points. /mnt is 0775 root:system, i.e. writable by root and the system group but not by others. | |
30 | mkdir /mnt 0775 root system | |
31 | ||
32 | on init | |
33 | sysclktz 0 | |
34 | ||
35 | loglevel 6 #### | |
36 | write /proc/bootprof "INIT: on init start" #### | |
37 | ||
38 | # Backward compatibility | |
39 | symlink /system/etc /etc | |
40 | symlink /sys/kernel/debug /d | |
41 | ||
42 | # Right now vendor lives on the same filesystem as system, | |
43 | # but someday that may change. | |
44 | symlink /system/vendor /vendor | |
45 | ||
46 | # Create cgroup mount point for cpu accounting | |
47 | mkdir /acct | |
48 | mount cgroup none /acct cpuacct | |
49 | mkdir /acct/uid | |
50 | ||
51 | # Create cgroup mount point for memory. The tmpfs root is 0750 with uid 0 / gid 1000 (the system group), and the tasks files below are 0660 root:system, so only root and system can move tasks between these groups. | |
52 | mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000 | |
53 | mkdir /sys/fs/cgroup/memory 0750 root system | |
54 | mount cgroup none /sys/fs/cgroup/memory memory | |
55 | write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 | |
56 | chown root system /sys/fs/cgroup/memory/tasks | |
57 | chmod 0660 /sys/fs/cgroup/memory/tasks | |
58 | mkdir /sys/fs/cgroup/memory/sw 0750 root system | |
59 | write /sys/fs/cgroup/memory/sw/memory.swappiness 100 | |
60 | write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 | |
61 | chown root system /sys/fs/cgroup/memory/sw/tasks | |
62 | chmod 0660 /sys/fs/cgroup/memory/sw/tasks | |
63 | ||
64 | ## bsp config enable. NOTE(review): nothing in this file says what the tp_cfg node controls - confirm against the BSP driver before keeping this write. | |
65 | write /sys/class/misc/tp_cfg/cfg_load_enable 1 | |
66 | ||
67 | mkdir /system | |
68 | mkdir /data 0771 system system | |
69 | mkdir /cache 0770 system cache | |
70 | mkdir /config 0500 root root | |
71 | ||
72 | # See storage config details at http://source.android.com/tech/storage/ | |
73 | mkdir /mnt/shell 0700 shell shell | |
74 | mkdir /mnt/media_rw 0700 media_rw media_rw | |
75 | mkdir /storage 0751 root sdcard_r | |
76 | ||
77 | # Directory for putting things only root should see. | |
78 | mkdir /mnt/secure 0700 root root | |
79 | ||
80 | # Directory for staging bindmounts | |
81 | mkdir /mnt/secure/staging 0700 root root | |
82 | ||
83 | # Directory-target for where the secure container | |
84 | # imagefile directory will be bind-mounted | |
85 | mkdir /mnt/secure/asec 0700 root root | |
86 | ||
87 | # Secure container public mount points. The tmpfs mounted below brings its own root mode (0755, gid 1000), which is what applies once it covers the 0700 directory. | |
88 | mkdir /mnt/asec 0700 root system | |
89 | mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 | |
90 | ||
91 | # Filesystem image public mount points. Same pattern as /mnt/asec: 0700 directory covered by a 0755 tmpfs. | |
92 | mkdir /mnt/obb 0700 root system | |
93 | mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 | |
94 | ||
95 | # memory control cgroup | |
96 | mkdir /dev/memcg 0700 root system | |
97 | mount cgroup none /dev/memcg memory | |
98 | ||
99 | write /proc/sys/kernel/panic_on_oops 1 | |
100 | write /proc/sys/kernel/hung_task_timeout_secs 0 | |
101 | write /proc/cpu/alignment 4 | |
102 | write /proc/sys/kernel/sched_latency_ns 10000000 | |
103 | write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 | |
104 | write /proc/sys/kernel/sched_compat_yield 1 | |
105 | write /proc/sys/kernel/sched_child_runs_first 0 | |
106 | write /proc/sys/kernel/randomize_va_space 2 | |
107 | write /proc/sys/kernel/kptr_restrict 2 | |
108 | write /proc/sys/vm/mmap_min_addr 32768 | |
109 | write /proc/sys/net/ipv4/ping_group_range "0 2147483647" | |
110 | write /proc/sys/net/unix/max_dgram_qlen 300 | |
111 | write /proc/sys/kernel/sched_rt_runtime_us 950000 | |
112 | write /proc/sys/kernel/sched_rt_period_us 1000000 | |
113 | ||
114 | # reflect fwmark from incoming packets onto generated replies | |
115 | write /proc/sys/net/ipv4/fwmark_reflect 1 | |
116 | write /proc/sys/net/ipv6/fwmark_reflect 1 | |
117 | ||
118 | # set fwmark on accepted sockets | |
119 | write /proc/sys/net/ipv4/tcp_fwmark_accept 1 | |
120 | ||
121 | # Create cgroup mount points for process groups. NOTE(review): the top-level tasks file is 0660 system:system, but the apps and apps/bg_non_interactive tasks files below are chmod 0666 (world-writable), which the warning at the top of this file advises against - confirm every writer really needs that mode. | |
122 | mkdir /dev/cpuctl | |
123 | mount cgroup none /dev/cpuctl cpu | |
124 | chown system system /dev/cpuctl | |
125 | chown system system /dev/cpuctl/tasks | |
126 | chmod 0660 /dev/cpuctl/tasks | |
127 | write /dev/cpuctl/cpu.shares 1024 | |
128 | write /dev/cpuctl/cpu.rt_runtime_us 950000 | |
129 | write /dev/cpuctl/cpu.rt_period_us 1000000 | |
130 | ||
131 | mkdir /dev/cpuctl/apps | |
132 | chown system system /dev/cpuctl/apps/tasks | |
133 | chmod 0666 /dev/cpuctl/apps/tasks | |
134 | write /dev/cpuctl/apps/cpu.shares 1024 | |
135 | write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 | |
136 | write /dev/cpuctl/apps/cpu.rt_period_us 1000000 | |
137 | ||
138 | mkdir /dev/cpuctl/apps/bg_non_interactive | |
139 | chown system system /dev/cpuctl/apps/bg_non_interactive/tasks | |
140 | chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks | |
141 | # 5.0 % (52 shares against the 1024 given to the groups above) | |
142 | write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 | |
143 | write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 | |
144 | write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 | |
145 | ||
146 | # qtaguid will limit access to specific data based on group memberships. | |
147 | # net_bw_acct grants impersonation of socket owners. | |
148 | # net_bw_stats grants access to other apps' detailed tagged-socket stats. | |
149 | chown root net_bw_acct /proc/net/xt_qtaguid/ctrl | |
150 | chown root net_bw_stats /proc/net/xt_qtaguid/stats | |
151 | ||
152 | # Allow everybody to read the xt_qtaguid resource tracking misc dev. | |
153 | # This is needed by any process that uses socket tagging. | |
154 | chmod 0644 /dev/xt_qtaguid | |
155 | ||
156 | # Create location for fs_mgr to store abbreviated output from filesystem | |
157 | # checker programs. | |
158 | mkdir /dev/fscklogs 0770 root system | |
159 | ||
160 | # pstore/ramoops previous console log: readable by system and the log group only (0440). | |
161 | mount pstore pstore /sys/fs/pstore | |
162 | chown system log /sys/fs/pstore/console-ramoops | |
163 | chmod 0440 /sys/fs/pstore/console-ramoops | |
164 | ||
165 | # ion device. NOTE(review): 0666 makes /dev/ion readable and writable by every process, contrary to the warning at the top of this file - confirm which users need it and whether a narrower owner/group/mode would do. | |
166 | chmod 0666 /dev/ion | |
167 | ||
168 | # Healthd can trigger a full boot from charger mode by signaling this | |
169 | # property when the power button is held. | |
170 | on property:sys.boot_from_charger_mode=1 | |
171 | class_stop charger | |
172 | trigger late-init | |
173 | ||
174 | # Load properties from /system/ + /factory after fs mount. | |
175 | on load_all_props_action | |
176 | load_all_props | |
177 | ||
178 | # Indicate to fw loaders that the relevant mounts are up. | |
179 | on firmware_mounts_complete | |
180 | rm /dev/.booting | |
181 | ||
182 | # Mount filesystems and start core system services. | |
183 | on late-init | |
184 | trigger early-fs | |
185 | trigger fs | |
186 | trigger post-fs | |
187 | trigger post-fs-data | |
188 | ||
189 | # Load properties from /system/ + /factory after fs mount. Place | |
190 | # this in another action so that the load will be scheduled after the prior | |
191 | # issued fs triggers have completed. | |
192 | trigger load_all_props_action | |
193 | ||
194 | # Remove a file to wake up anything waiting for firmware. | |
195 | trigger firmware_mounts_complete | |
196 | ||
197 | trigger early-boot | |
198 | trigger boot | |
199 | ||
200 | ||
201 | on post-fs | |
202 | # once everything is setup, no need to modify / | |
203 | mount rootfs rootfs / ro remount | |
204 | # mount shared so changes propagate into child namespaces | |
205 | mount rootfs rootfs / shared rec | |
206 | ||
207 | # We chown/chmod /cache again because mount is run as root + defaults | |
208 | chown system cache /cache | |
209 | chmod 0770 /cache | |
210 | # We restorecon /cache in case the cache partition has been reset. | |
211 | restorecon_recursive /cache | |
212 | ||
213 | # This may have been created by the recovery system with odd permissions | |
214 | chown system cache /cache/recovery | |
215 | chmod 0770 /cache/recovery | |
216 | ||
217 | # Change permissions on vmallocinfo (and slabinfo below) so we can grab them from bugreports: read-only for root and the log group (0440), no access for others. | |
218 | chown root log /proc/vmallocinfo | |
219 | chmod 0440 /proc/vmallocinfo | |
220 | ||
221 | chown root log /proc/slabinfo | |
222 | chmod 0440 /proc/slabinfo | |
223 | ||
224 | # Change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks: kmsg is read-only (0440) and sysrq-trigger write-only (0220) for root and the system group; last_kmsg is read-only for system and the log group. | |
225 | chown root system /proc/kmsg | |
226 | chmod 0440 /proc/kmsg | |
227 | chown root system /proc/sysrq-trigger | |
228 | chmod 0220 /proc/sysrq-trigger | |
229 | chown system log /proc/last_kmsg | |
230 | chmod 0440 /proc/last_kmsg | |
231 | ||
232 | # make the selinux kernel policy world-readable | |
233 | chmod 0444 /sys/fs/selinux/policy | |
234 | ||
235 | # create the lost+found directories, so as to enforce our permissions | |
236 | mkdir /cache/lost+found 0770 root root | |
237 | ||
238 | on post-fs-data | |
239 | # We chown/chmod /data again because mount is run as root + defaults | |
240 | chown system system /data | |
241 | chmod 0771 /data | |
242 | # We restorecon /data in case the userdata partition has been reset. | |
243 | restorecon /data | |
244 | ||
245 | # Avoid predictable entropy pool. Carry over entropy from previous boot. | |
246 | copy /data/system/entropy.dat /dev/urandom | |
247 | ||
248 | # Create dump dir and collect dumps. | |
249 | # Do this before we mount cache so eventually we can use cache for | |
250 | # storing dumps on platforms which do not have a dedicated dump partition. | |
251 | mkdir /data/dontpanic 0750 root log | |
252 | ||
253 | # Collect apanic data, free resources and re-arm trigger. The copies are kept readable by root and the log group only (0640). | |
254 | copy /proc/apanic_console /data/dontpanic/apanic_console | |
255 | chown root log /data/dontpanic/apanic_console | |
256 | chmod 0640 /data/dontpanic/apanic_console | |
257 | ||
258 | copy /proc/apanic_threads /data/dontpanic/apanic_threads | |
259 | chown root log /data/dontpanic/apanic_threads | |
260 | chmod 0640 /data/dontpanic/apanic_threads | |
261 | ||
262 | write /proc/apanic_console 1 | |
263 | ||
264 | # Create basic filesystem structure. Each directory gets an explicit mode and owner; none of them is world-writable. | |
265 | mkdir /data/misc 01771 system misc | |
266 | mkdir /data/misc/adb 02750 system shell | |
267 | mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack | |
268 | mkdir /data/misc/bluetooth 0770 system system | |
269 | mkdir /data/misc/keystore 0700 keystore keystore | |
270 | mkdir /data/misc/keychain 0771 system system | |
271 | mkdir /data/misc/net 0750 root shell | |
272 | mkdir /data/misc/radio 0770 system radio | |
273 | mkdir /data/misc/sms 0770 system radio | |
274 | mkdir /data/misc/zoneinfo 0775 system system | |
275 | mkdir /data/misc/vpn 0770 system vpn | |
276 | mkdir /data/misc/shared_relro 0771 shared_relro shared_relro | |
277 | mkdir /data/misc/systemkeys 0700 system system | |
278 | mkdir /data/misc/wifi 0770 wifi wifi | |
279 | mkdir /data/misc/wifi/sockets 0770 wifi wifi | |
280 | mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi | |
281 | mkdir /data/misc/ethernet 0770 system system | |
282 | mkdir /data/misc/dhcp 0770 dhcp dhcp | |
283 | mkdir /data/misc/user 0771 root root | |
284 | # give system access to wpa_supplicant.conf for backup and restore | |
285 | chmod 0660 /data/misc/wifi/wpa_supplicant.conf | |
286 | mkdir /data/local 0751 root root | |
287 | mkdir /data/misc/media 0700 media media | |
288 | ||
289 | # For security reasons, /data/local/tmp should always be empty. | |
290 | # Do not place files or directories in /data/local/tmp | |
291 | mkdir /data/local/tmp 0771 shell shell | |
292 | mkdir /data/data 0771 system system | |
293 | mkdir /data/app-private 0771 system system | |
294 | mkdir /data/app-asec 0700 root root | |
295 | mkdir /data/app-lib 0771 system system | |
296 | mkdir /data/app 0771 system system | |
297 | mkdir /data/property 0700 root root | |
298 | ||
299 | # create dalvik-cache, so as to enforce our permissions | |
300 | mkdir /data/dalvik-cache 0771 root root | |
301 | mkdir /data/dalvik-cache/profiles 0711 system system | |
302 | ||
303 | # create resource-cache and double-check the perms | |
304 | mkdir /data/resource-cache 0771 system system | |
305 | chown system system /data/resource-cache | |
306 | chmod 0771 /data/resource-cache | |
307 | ||
308 | # create the lost+found directories, so as to enforce our permissions | |
309 | mkdir /data/lost+found 0770 root root | |
310 | ||
311 | # create directory for DRM plug-ins - give drm the read/write access to | |
312 | # the following directory. | |
313 | mkdir /data/drm 0770 drm drm #### | |
314 | # mkdir /data/drm 0774 drm system #### | |
315 | ||
316 | # create directory for MediaDrm plug-ins - the directory below is owned by | |
317 | # mediadrm:mediadrm with mode 0770, so it is mediadrm that gets read/write access. | |
318 | mkdir /data/mediadrm 0770 mediadrm mediadrm | |
319 | ||
320 | # symlink to bugreport storage location | |
321 | symlink /data/data/com.android.shell/files/bugreports /data/bugreports | |
322 | ||
323 | # Separate location for storing security policy files on data | |
324 | mkdir /data/security 0711 system system | |
325 | ||
326 | # add for mediaserver data. NOTE(review): 0775 leaves this directory readable and searchable by every uid, looser than the 0770/0700 used for /data/drm and /data/misc/media above - confirm nothing sensitive is stored here. | |
327 | mkdir /data/mediaserver 0775 media media | |
328 | restorecon /data/mediaserver | |
329 | ||
330 | # Reload policy from /data/security if present. | |
331 | setprop selinux.reload_policy 1 | |
332 | ||
333 | # Set SELinux security contexts on upgrade or policy update. | |
334 | restorecon_recursive /data | |
335 | ||
336 | # If there is no fs-post-data action in the init.<device>.rc file, you | |
337 | # must uncomment this line, otherwise encrypted filesystems | |
338 | # won't work. | |
339 | # Set indication (checked by vold) that we have finished this action | |
340 | #setprop vold.post_fs_data_done 1 | |
341 | ||
342 | on boot | |
343 | # basic network init | |
344 | ifup lo | |
345 | hostname localhost | |
346 | domainname localdomain | |
347 | ||
348 | # set RLIMIT_NICE (resource 13, soft and hard limit 40) to allow priorities from 19 to -20 | |
349 | setrlimit 13 40 40 | |
350 | ||
351 | # Memory management. Basic kernel parameters, and allow the high | |
352 | # level system server to be able to adjust the kernel OOM driver | |
353 | # parameters to match how it is managing things. The lowmemorykiller adj and minfree nodes become write-only (0220) for root and the system group. | |
354 | write /proc/sys/vm/overcommit_memory 1 | |
355 | write /proc/sys/vm/min_free_order_shift 4 | |
356 | chown root system /sys/module/lowmemorykiller/parameters/adj | |
357 | chmod 0220 /sys/module/lowmemorykiller/parameters/adj | |
358 | chown root system /sys/module/lowmemorykiller/parameters/minfree | |
359 | chmod 0220 /sys/module/lowmemorykiller/parameters/minfree | |
360 | ||
361 | # Tweak background writeout | |
362 | write /proc/sys/vm/dirty_expire_centisecs 200 | |
363 | write /proc/sys/vm/dirty_background_ratio 5 | |
364 | ||
365 | # Permissions for System Server and daemons. The chowns below hand selected sysfs/proc nodes to system (or radio:system); where a chmod follows it is 0660, so none of these nodes is opened up to other users here. | |
366 | chown radio system /sys/android_power/state | |
367 | chown radio system /sys/android_power/request_state | |
368 | chown radio system /sys/android_power/acquire_full_wake_lock | |
369 | chown radio system /sys/android_power/acquire_partial_wake_lock | |
370 | chown radio system /sys/android_power/release_wake_lock | |
371 | chown system system /sys/power/autosleep | |
372 | chown system system /sys/power/state | |
373 | chown system system /sys/power/wakeup_count | |
374 | chown radio system /sys/power/wake_lock | |
375 | chown radio system /sys/power/wake_unlock | |
376 | chmod 0660 /sys/power/state | |
377 | chmod 0660 /sys/power/wake_lock | |
378 | chmod 0660 /sys/power/wake_unlock | |
379 | ||
380 | chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate | |
381 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate | |
382 | chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack | |
383 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack | |
384 | chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time | |
385 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time | |
386 | chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq | |
387 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq | |
388 | chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads | |
389 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads | |
390 | chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load | |
391 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load | |
392 | chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay | |
393 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay | |
394 | chown system system /sys/devices/system/cpu/cpufreq/interactive/boost | |
395 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost | |
396 | chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse | |
397 | chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost | |
398 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost | |
399 | chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration | |
400 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration | |
401 | chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy | |
402 | chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy | |
403 | ||
404 | # Assume SMP uses shared cpufreq policy for all CPUs | |
405 | chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq | |
406 | chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq | |
407 | ||
408 | chown system system /sys/class/timed_output/vibrator/enable | |
409 | chown system system /sys/class/leds/keyboard-backlight/brightness | |
410 | chown system system /sys/class/leds/lcd-backlight/brightness | |
411 | chown system system /sys/class/leds/button-backlight/brightness | |
412 | chown system system /sys/class/leds/jogball-backlight/brightness | |
413 | chown system system /sys/class/leds/red/brightness | |
414 | chown system system /sys/class/leds/green/brightness | |
415 | chown system system /sys/class/leds/blue/brightness | |
416 | chown system system /sys/class/leds/red/device/grpfreq | |
417 | chown system system /sys/class/leds/red/device/grppwm | |
418 | chown system system /sys/class/leds/red/device/blink | |
419 | chown system system /sys/class/timed_output/vibrator/enable | |
420 | chown system system /sys/module/sco/parameters/disable_esco | |
421 | chown system system /sys/kernel/ipv4/tcp_wmem_min | |
422 | chown system system /sys/kernel/ipv4/tcp_wmem_def | |
423 | chown system system /sys/kernel/ipv4/tcp_wmem_max | |
424 | chown system system /sys/kernel/ipv4/tcp_rmem_min | |
425 | chown system system /sys/kernel/ipv4/tcp_rmem_def | |
426 | chown system system /sys/kernel/ipv4/tcp_rmem_max | |
427 | chown root radio /proc/cmdline | |
428 | ||
429 | # Define default initial receive window size in segments. | |
430 | setprop net.tcp.default_init_rwnd 60 | |
431 | ||
432 | class_start core | |
433 | ||
434 | on nonencrypted | |
435 | class_start main | |
436 | class_start late_start | |
437 | ||
438 | on property:vold.decrypt=trigger_default_encryption | |
439 | start defaultcrypto | |
440 | ||
441 | on property:vold.decrypt=trigger_encryption | |
442 | start surfaceflinger | |
443 | start encrypt | |
444 | ||
445 | on property:sys.init_log_level=* | |
446 | loglevel ${sys.init_log_level} | |
447 | ||
448 | on charger | |
449 | class_start charger | |
450 | ||
451 | on property:vold.decrypt=trigger_reset_main | |
452 | class_reset main | |
453 | ||
454 | on property:vold.decrypt=trigger_load_persist_props | |
455 | load_persist_props | |
456 | ||
457 | on property:vold.decrypt=trigger_post_fs_data | |
458 | trigger post-fs-data | |
459 | ||
460 | on property:vold.decrypt=trigger_restart_min_framework | |
461 | class_start main | |
462 | ||
463 | on property:vold.decrypt=trigger_restart_framework | |
464 | class_start main | |
465 | class_start late_start | |
466 | ||
467 | on property:vold.decrypt=trigger_shutdown_framework | |
468 | class_reset late_start | |
469 | class_reset main | |
470 | ||
471 | on property:sys.powerctl=* | |
472 | powerctl ${sys.powerctl} | |
473 | ||
474 | # system server cannot write to /proc/sys files, | |
475 | # and chown/chmod does not work for /proc/sys/ entries. | |
476 | # So proxy writes through init: init writes whatever value the property holds, so the right to set sys.sysctl.* properties is effectively the right to write these /proc/sys entries. | |
477 | on property:sys.sysctl.extra_free_kbytes=* | |
478 | write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} | |
479 | ||
480 | # The property is abbreviated to tcp_def_init_rwnd because "tcp_default_init_rwnd" is too long for a property name; init copies its value into the sysctl of the full name. | |
481 | on property:sys.sysctl.tcp_def_init_rwnd=* | |
482 | write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd} | |
483 | ||
484 | ||
485 | ## Daemon processes to be run by init. | |
486 | ## | |
487 | service ueventd /sbin/ueventd | |
488 | class core | |
489 | critical | |
490 | seclabel u:r:ueventd:s0 | |
491 | ||
492 | service logd /system/bin/logd | |
493 | class core | |
494 | socket logd stream 0666 logd logd | |
495 | socket logdr seqpacket 0666 logd logd | |
496 | socket logdw dgram 0222 logd logd | |
497 | seclabel u:r:logd:s0 | |
498 | ||
499 | service healthd /sbin/healthd | |
500 | class core | |
501 | critical | |
502 | seclabel u:r:healthd:s0 | |
503 | ||
504 | service console /system/bin/sh | |
505 | class core | |
506 | console | |
507 | disabled | |
508 | user shell | |
509 | seclabel u:r:shell:s0 | |
510 | ||
511 | on property:ro.debuggable=1 | |
512 | start console | |
513 | ||
514 | # adbd is controlled via property triggers in init.<platform>.usb.rc ('disabled' below keeps it from starting with class core). It starts in the u:r:adbd:s0 domain; --root_seclabel passes u:r:su:s0 to adbd - NOTE(review): presumably the domain used when adbd keeps root on debuggable builds; confirm against the adbd source. | |
515 | service adbd /sbin/adbd --root_seclabel=u:r:su:s0 | |
516 | class core | |
517 | socket adbd stream 660 system system | |
518 | disabled | |
519 | seclabel u:r:adbd:s0 | |
520 | ||
521 | # adbd on at boot in emulator | |
522 | on property:ro.kernel.qemu=1 | |
523 | start adbd | |
524 | ||
525 | service lmkd /system/bin/lmkd | |
526 | class core | |
527 | critical | |
528 | socket lmkd seqpacket 0660 system system | |
529 | ||
530 | service servicemanager /system/bin/servicemanager | |
531 | class core | |
532 | user system | |
533 | group system | |
534 | critical | |
535 | onrestart restart healthd | |
536 | onrestart restart zygote | |
537 | onrestart restart media | |
538 | onrestart restart surfaceflinger | |
539 | onrestart restart drm | |
540 | ||
541 | service vold /system/bin/vold | |
542 | class core | |
543 | socket vold stream 0660 root mount | |
544 | ioprio be 2 | |
545 | ||
546 | service netd /system/bin/netd | |
547 | class main | |
548 | socket netd stream 0660 root system | |
549 | socket dnsproxyd stream 0660 root inet | |
550 | socket mdns stream 0660 root system | |
551 | socket fwmarkd stream 0660 root inet | |
552 | ||
553 | service debuggerd /system/bin/debuggerd | |
554 | class main | |
555 | ||
556 | service debuggerd64 /system/bin/debuggerd64 | |
557 | class main | |
558 | ||
559 | # for using TK init.modem.rc rild-daemon setting | |
560 | #service ril-daemon /system/bin/rild | |
561 | # class main | |
562 | # socket rild stream 660 root radio | |
563 | # socket rild-debug stream 660 radio system | |
564 | # user root | |
565 | # group radio cache inet misc audio log | |
566 | ||
567 | service surfaceflinger /system/bin/surfaceflinger | |
568 | class core | |
569 | user system | |
570 | group graphics drmrpc | |
571 | onrestart restart zygote | |
572 | ||
573 | # Make sure drm server has rights to read and write sdcard. NOTE(review): the only group added to the original list below is sdcard_r - confirm whether write access is really intended or the comment is stale. #### | |
574 | service drm /system/bin/drmserver | |
575 | class main | |
576 | user drm | |
577 | # group drm system inet drmrpc #### | |
578 | group drm system inet drmrpc sdcard_r #### | |
579 | ||
580 | service media /system/bin/mediaserver | |
581 | class main | |
582 | user root #### | |
583 | # google default is 'user media' (next line, commented out). NOTE(review): with the active 'user root' line above, a compromise of mediaserver yields root rather than the unprivileged media uid - confirm why root is needed and restore 'user media' if it is not. #### | |
584 | # user media #### | |
585 | group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm media sdcard_r system net_bt_stack #### | |
586 | # google default group list (next line, commented out); the active line above additionally grants media, sdcard_r, system and net_bt_stack. #### | |
587 | # group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm #### | |
588 | ||
589 | ioprio rt 4 | |
590 | ||
591 | # One shot invocation to deal with encrypted volume. | |
592 | service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted | |
593 | disabled | |
594 | oneshot | |
595 | # vold will set vold.decrypt to trigger_restart_framework (default | |
596 | # encryption) or trigger_restart_min_framework (other encryption) | |
597 | ||
598 | # One shot invocation to encrypt unencrypted volumes | |
599 | service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default | |
600 | disabled | |
601 | oneshot | |
602 | # vold will set vold.decrypt to trigger_restart_framework (default | |
603 | # encryption) | |
604 | ||
605 | service bootanim /system/bin/bootanimation | |
606 | class core | |
607 | user graphics | |
608 | # group graphics audio #### | |
609 | group graphics media audio #### | |
610 | disabled | |
611 | oneshot | |
612 | ||
613 | service installd /system/bin/installd | |
614 | class main | |
615 | socket installd stream 600 system system | |
616 | ||
617 | service flash_recovery /system/bin/install-recovery.sh | |
618 | class main | |
619 | seclabel u:r:install_recovery:s0 | |
620 | oneshot | |
621 | ||
622 | service racoon /system/bin/racoon | |
623 | class main | |
624 | socket racoon stream 600 system system | |
625 | # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. No 'user' line is given here, so init starts it as root; dropping to vpn is left to racoon itself. | |
626 | group vpn net_admin inet | |
627 | disabled | |
628 | oneshot | |
629 | ||
630 | service mtpd /system/bin/mtpd | |
631 | class main | |
632 | socket mtpd stream 600 system system | |
633 | user vpn | |
634 | group vpn net_admin inet net_raw | |
635 | disabled | |
636 | oneshot | |
637 | ||
638 | service keystore /system/bin/keystore /data/misc/keystore | |
639 | class main | |
640 | user keystore | |
641 | group keystore drmrpc | |
642 | ||
643 | service dumpstate /system/bin/dumpstate -s | |
644 | class main | |
645 | socket dumpstate stream 0660 shell log | |
646 | disabled | |
647 | oneshot | |
648 | ||
649 | service mdnsd /system/bin/mdnsd | |
650 | class main | |
651 | user mdnsr | |
652 | group inet net_raw | |
653 | socket mdnsd stream 0660 mdnsr inet | |
654 | disabled | |
655 | oneshot | |
656 | ||
657 | service pre-recovery /system/bin/uncrypt | |
658 | class main | |
659 | disabled | |
660 | oneshot |