Isolate sdk sandbox data
Similar to app data isolation, sdk sandbox data isolation is done to prevent the sandbox from checking the existence of other apps via paths containing the app package name like:
* Sandbox data paths such as /data/misc_ce/0/sdksandbox/<app-package-name>
* Regular app data paths
* JIT profile data paths
and checking whether an EACCES or ENOENT error comes up.

This is done by mounting tmpfs on each of these data paths in a separate mount namespace and then bind mounting the required data for that process from the data mirror. For example, in the case of an sdk sandbox process, tmpfs is mounted on misc_ce, misc_de storage, app data paths and JIT profile paths. Then, a sandbox data path is created and data for that process is bind mounted from the mirror.

In the case of app processes, access to sdk sandbox storage is restricted through selinux.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: I79fd5967b157c711cc75e340da7411f2b2f3bf00