path: root/libs/androidfw/ConfigDescription.cpp
author Sanjana Sunil <sanjanasunil@google.com> 2022-04-06 15:35:26 +0000
committer Sanjana Sunil <sanjanasunil@google.com> 2022-09-15 11:10:11 +0000
commit 4b0e57f6295607c4f7873403d2b452d25d1c1a16
tree bd4e72ad812d09e17ade6de5acb0659f41aff4ad /libs/androidfw/ConfigDescription.cpp
parent fd32695aa6367c64e876727f52cf5e35a50289f5
Isolate sdk sandbox data
Similar to app data isolation, sdk sandbox data isolation is done to prevent the sandbox from checking the existence of other apps via paths containing the app package name like:
 * Sandbox data paths such as /data/misc_ce/0/sdksandbox/<app-package-name>
 * Regular app data paths
 * JIT profile data paths
and checking if EACCESS or ENOENT error comes up.

This is done by mounting tmpfs on each of these data paths in a separate mount namespace and then bind mounting the required data for that process from the data mirror.

For example, in the case of an sdk sandbox process, tmpfs is mounted on misc_ce, misc_de storage, app data paths and JIT profile paths. Then, a sandbox data path is created and data for that process is bind mounted from the mirror.

In the case of app processes, access to sdk sandbox storage is restricted through selinux.

Bug: 214241165
Test: atest GtsSdkSandboxInprocessTests
Change-Id: I79fd5967b157c711cc75e340da7411f2b2f3bf00
Merged-In: I79fd5967b157c711cc75e340da7411f2b2f3bf00
Diffstat (limited to 'libs/androidfw/ConfigDescription.cpp')
0 files changed, 0 insertions, 0 deletions