Skip to content
Commit 4482ab53 authored by Ricky Wai's avatar Ricky Wai
Browse files

App data directory isolation

- During Zygote fork (before setuid), Zygote will create a tmpfs overlay
(mount namespace) on its DE and CE directories, so app process cannot
access the actual DE CE directory anymore.

- In the overlay tmpfs directory, zygote will create its app and
whitelisted app data directories.

- Bind mount (namespace) the mirror data directory to the directories in
tmpfs overlay.

- When CE storage is ready, ask installd to prepare CE storage's data mirror.

Bug: 143937733
Test: Test app shows it cannot access other apps data directory anymore
Test: Test app shows it can access whitelisted app / same uid app data
directory.
Change-Id: I64e06c1ffd962a7134a176aad33c06b5f661f7cd
parent 5a8fe7a0
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment