
Commit 9408c746 authored by Ricky Wai, committed by rickywai

Always run ensureInAppMountNamespace() to make sure app process runs in its mount namespace

ensureInAppMountNamespace() should always run even if mount_data_dirs is false,
as it may still run BindMountStorageDirs().

Bug: 177821492
Test: Boot without selinux warnings
Change-Id: I08c78be8b32c3c4ba215fb8ac58104795bd8c06c
parent e81ebc69
+5 −5
@@ -1559,7 +1559,6 @@ static void isolateAppData(JNIEnv* env, jobjectArray pkg_data_info_list,
    jobjectArray whitelisted_data_info_list, uid_t uid, const char* process_name,
    jstring managed_nice_name, fail_fn_t fail_fn) {

  ensureInAppMountNamespace(fail_fn);
  std::vector<std::string> merged_data_info_list;
  insertPackagesToMergedList(env, merged_data_info_list, pkg_data_info_list,
          process_name, managed_nice_name, fail_fn);
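Review bot: isolateAppData() now depends on its caller having already entered the app's mount namespace, and nothing at the top of the function body says so. The header shrinks from 7 lines to 6 and the commit message describes the ensureInAppMountNamespace(fail_fn) call as running unconditionally elsewhere, so the tmpfs overlay and bind mounts done here would land in whatever namespace the caller is in if a future call site skips that step. Please add a one-line precondition comment above the merged_data_info_list declaration stating that the caller must have run ensureInAppMountNamespace() first, or keep a cheap check here if the helper is safe to call twice.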
@@ -1706,10 +1705,11 @@ static void SpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArray gids,

  MountEmulatedStorage(uid, mount_external, need_pre_initialize_native_bridge, fail_fn);

  // System services, isolated process, webview/app zygote, old target sdk app, should
  // give a null in same_uid_pkgs and private_volumes so they don't need app data isolation.
  // Isolated process / webview / app zygote should be gated by SELinux and file permission
  // so they can't even traverse CE / DE directories.
  // Make sure app is running in its own mount namespace before isolating its data directories.
  ensureInAppMountNamespace(fail_fn);

  // Sandbox data and jit profile directories by overlaying a tmpfs on those dirs and bind
  // mount all related packages separately.
  if (mount_data_dirs) {
    isolateAppData(env, pkg_data_info_list, whitelisted_data_info_list,
            uid, process_name, managed_nice_name, fail_fn);
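Review bot: the comment above the hoisted ensureInAppMountNamespace(fail_fn) call only mentions "isolating its data directories", which is the work guarded by if (mount_data_dirs), so it does not explain why the call sits outside that branch. The commit message gives the real reason: BindMountStorageDirs() may still run when mount_data_dirs is false. Please put that in the comment so a later cleanup does not move the call back under the condition. The hunk header counts (10 lines before, 11 after) also suggest the four-line comment about system services, isolated processes and webview/app zygote passing null lists and being gated by SELinux is dropped here; that rationale for which processes skip data isolation is security-relevant and should be kept, for example next to the if (mount_data_dirs) check.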