# Copyright (C) 2012 The Android Open Source Project
# Copyright (C)
# Copyright (C)
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Annotated copy of an Android init.rc (a Sony-customized one, going by the
# comments below). init only recognizes '#' comments, so the annotator's '//'
# notes have been moved onto '#' lines above the command they describe; the
# commands themselves are unchanged.

# import <filename>: pull in another *.rc file, similar to an include.
# ${ro.hardware} is expanded from the system property of that name, so the
# hardware-specific file is selected at boot.
import /init.${ro.hardware}.rc
import /init.usb.rc
import /init.trace.rc

# early-init: the first trigger init fires; the actions in this section run
# before anything else in the file.
on early-init
    # Set init and its forked children's oom_adj.
    # write <path> <value>: written straight into procfs.
    write /proc/1/oom_adj -16

    # start <service>: ueventd must be declared as a service; see the
    # "service ueventd" block near the end of this file.
    start ueventd

# create mountpoints
    # mkdir <path> [mode] [owner] [group]: same usage as the shell mkdir.
    mkdir /mnt 0775 root system

# init: runs after early-init (and after init's built-in property
# initialisation, per the original annotation).
on init

# Set the system clock timezone offset; 0 means the hardware clock is in GMT.
sysclktz 0

# Kernel log output level, range [0,7].
loglevel 3

# setup the global environment
    # export <name> <value>: like the shell command, sets a global
    # environment variable.
    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
    export LD_LIBRARY_PATH /vendor/lib:/system/lib
    export ANDROID_BOOTLOGO 1
    export ANDROID_ROOT /system
    export ANDROID_ASSETS /system/app
    export ANDROID_DATA /data
    export ASEC_MOUNTPOINT /mnt/asec
    export LOOP_MOUNTPOINT /mnt/obb
    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/framework_ext.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar

# Backward compatibility
    # symlink <target> <link>: /etc becomes a symlink to /system/etc, so
    # /etc is really /system/etc.
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
    mkdir /acct
    # mount <type> <device> <dir> [mountoption]: mounts <device> (here
    # "none") of filesystem type cgroup at /acct with the cpuacct option.
    # <device> may also be given as mtd@name to select an MTD partition by
    # name, and <mountoption> may be e.g. mode=0755,gid=1000.
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # gid=1000 is AID_SYSTEM; the tmpfs is root-owned, group system.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # Kernel-side hardening applied by this file:
    #   randomize_va_space 2 - full ASLR (stack, mmap base and brk)
    #   kptr_restrict 2      - %pK kernel pointers read back as zero for
    #                          every reader
    #   dmesg_restrict 1     - kernel log readable only by privileged
    #                          (CAP_SYSLOG) callers
    #   mmap_min_addr 32768  - no user mappings below 32 KiB, which blunts
    #                          NULL-pointer-dereference abuse
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    # chown <user> <group> <path>: hand the /dev/cpuctl directory to
    # user/group system.
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    # chmod <mode> <path>: /dev/cpuctl/tasks becomes 0660.
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this cgroup "tasks" file world-writable,
    # exactly what the header of this file warns against. It matches
    # upstream AOSP of this era, where the trade-off was accepted so that
    # any process can write its own thread ids here; confirm that is still
    # the intent before reusing it elsewhere.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): same world-writable trade-off as /dev/cpuctl/apps/tasks.
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

# fs: fired after init; this is where the flash partitions are mounted.
# (The annotator left this section unexplained.)
on fs
# mount mtd partitions
    # Mount /system rw first to give the filesystem a chance to save a checkpoint
    mount yaffs2 mtd@system /system
    # /system is immediately remounted read-only. The writable partitions
    # get nosuid (set-uid bits ignored) and nodev (device nodes not
    # honoured) so that a file planted on /data or /cache cannot be used
    # to gain privilege.
    mount yaffs2 mtd@system /system ro remount
    mount yaffs2 mtd@userdata /data nosuid nodev
    mount yaffs2 mtd@cache /cache nosuid nodev

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount

    # We chown/chmod /cache again so because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache

    # This may have been created by the recovery system with odd permissions
    mkdir /cache/recovery
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery

    #change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    # sysrq-trigger is write-only (0220) for root and group system: a write
    # fires a kernel sysrq action (the "c" used by the onrestart lines below
    # forces a crash), so nothing less privileged should reach it.
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger

    # create the lost+found directories, so as to enforce our permissions
    # Moved to init.target.rc in the Sony product git
    # mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again so because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # 01771: the leading 1 is the sticky bit, so a user may only remove
    # entries in /data/misc that it owns even though the directory is
    # world-writable.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth
    mkdir /data/misc/bluetooth 0770 system system
    # Key material is reachable only by the keystore uid (0700).
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    # give system access to wpa_supplicant.conf for backup and restore
    mkdir /data/misc/wifi 0770 wifi wifi
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    # 2770: setgid directory, so new files inherit the directory's group.
    # /data/radio is not created in this file; presumably the device rc
    # does it — confirm.
    chmod 2770 /data/radio

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    # Moved to init.target.rc in the Sony product git
    # mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # If there is no fs-post-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

# boot: runs after early-init, property initialisation and init (per the
# original annotation); the fs/post-fs/post-fs-data sections above have
# also completed by then.
on boot
# basic network init
    # Bring up the loopback interface. (The annotator asked what "lo" is:
    # it is the local 127.0.0.1 interface.)
    ifup lo
    # Set the device's host name to localhost.
    hostname localhost
    # Set the domain name to localdomain.
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
    # setrlimit <resource> <cur> <max>; 13 is RLIMIT_NICE.
    setrlimit 13 40 40

# Memory management. Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/state
    chown system system /sys/power/autosleep
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    # Several of the sysfs paths below are listed twice (vibrator, the
    # led brightness and red/device nodes); the duplicates are harmless
    # repeats of the same chown.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    # setprop <name> <value>: sets a system property.
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa 4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.hsupa 4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.hsdpa 4094,87380,1220608,4096,16384,110208
    setprop net.tcp.buffersize.hspap 4094,87380,2097152,4096,16384,1220608
    setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo_b 4094,87380,262144,4096,16384,262144

# Assign TCP buffer thresholds to be ceiling value of technology maximums
# Increased technology maximums should be reflected here.
    write /proc/sys/net/core/rmem_max 2097152
    write /proc/sys/net/core/wmem_max 1220608

# Set this property so surfaceflinger is not started by system_init
    setprop system_init.startsurfaceflinger 0

    # class_start <class>: start every service of that class that is not
    # already running.
    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

# on property:<name>=<value>: the section runs whenever the property is
# set to that value. The vold.decrypt triggers below drive the
# encrypted-userdata boot flow from vold.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    # trigger <event>: fires the post-fs-data event, whose actions are the
    # "on post-fs-data" section above.
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

## Daemon processes to be run by init.
##
# service <name> <executable> [args]: declares a service called ueventd
# whose binary is /sbin/ueventd.
service ueventd /sbin/ueventd
    # class <name>: the service belongs to class core; a service with no
    # class line is in class "default".
    class core
    # critical: a device-critical service. Per the original annotation, if
    # it exits more than 4 times within 4 minutes the device reboots into
    # recovery mode.
    critical

# A shell on the console, running as the shell user (not root), group log.
# It is "disabled", so it only starts via the ro.debuggable trigger below.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log

# If the property ro.debuggable becomes 1, start the console service.
# NOTE(review): ro.* properties can only be set once, at boot; on a release
# build ro.debuggable is presumably 0, so this console never starts there.
on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
service adbd /sbin/adbd
    class core
    # disabled: not started by a class start (e.g. class_start core); it
    # can only be started by name, with "start adbd".
    disabled

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service servicemanager /system/bin/servicemanager
    class core
    # user <name>: switch to this user before starting the service; the
    # default is root.
    user system
    # group <name>: switch to this group before starting the service.
    group system
    # critical: see the note on ueventd above.
    critical
    # onrestart <command>: run the command when this service restarts.
    # exec creates and runs a program (/system/bin/sync) and init blocks
    # until it finishes, so a hung program here can hang init.
    onrestart exec /system/bin/sync
    # Writing "c" to sysrq-trigger forces a kernel crash; the
    # sysrq-trigger node was made root/system write-only in post-fs.
    onrestart write /proc/sysrq-trigger c

service vold /system/bin/vold
    class core
    # socket <name> <type> <perm> <user> <group>: create a Unix socket
    # named vold, of type stream, mode 0660, owned by root with group mount.
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main

service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    # NOTE(review): rild is explicitly run as root here and nothing in this
    # block drops privilege; the long group list shows which resources it
    # is expected to touch.
    user root
    group radio cache inet misc audio sdcard_r sdcard_rw qcom_oncrpc diag qcom_diag log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics
    onrestart exec /system/bin/sync
    onrestart write /proc/sysrq-trigger c

service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart exec /system/bin/sync
    onrestart write /proc/sysrq-trigger c

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc sdcard_r

service media /system/bin/mediaserver
    class main
    user media
    group system audio camera inet net_bt net_bt_admin net_bw_acct drmrpc input qcom_diag
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    # oneshot: the service runs once and is not restarted after it exits.
    oneshot

service dbus /system/bin/dbus-daemon --system --nofork
    class main
    socket dbus stream 660 bluetooth bluetooth
    user bluetooth
    group bluetooth net_bt_admin

service bluetoothd /system/bin/logwrapper /system/bin/bluetoothd -n
    class main
    socket bluetooth stream 660 bluetooth bluetooth
    socket dbus_bluetooth stream 660 bluetooth bluetooth
    # init.rc does not yet support applying capabilities, so run as root and
    # let bluetoothd drop uid to bluetooth with the right linux capabilities
    group bluetooth net_bt_admin misc
    disabled

service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# NOTE(review): a shell script run as root on every boot (no user line).
# Its integrity rests on /system being mounted read-only (see "on fs").
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc
    # NOTE(review): mode 666 makes the keystore socket reachable by every
    # process, so access control has to be enforced by keystore itself
    # (per-caller uid checks on the connection) — confirm against the
    # keystore source for this release.
    socket keystore stream 666

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# Disabled by default; must be started explicitly by name.
service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot