From 9408c74699c46bedd31715eeb157405d79e07b4f Mon Sep 17 00:00:00 2001 From: Ricky Wai Date: Tue, 19 Jan 2021 15:21:40 +0000 Subject: [PATCH] Always run ensureInAppMountNamespace() to make sure app process runs in its mount namespace ensureInAppMountNamespace() should always run even if mount_data_dirs is false, as it may still runs BindMountStorageDirs(). Bug: 177821492 Test: Boot without selinux warnings Change-Id: I08c78be8b32c3c4ba215fb8ac58104795bd8c06c --- core/jni/com_android_internal_os_Zygote.cpp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/core/jni/com_android_internal_os_Zygote.cpp b/core/jni/com_android_internal_os_Zygote.cpp index 22dd765f25261..73665479edd8d 100644 --- a/core/jni/com_android_internal_os_Zygote.cpp +++ b/core/jni/com_android_internal_os_Zygote.cpp @@ -1559,7 +1559,6 @@ static void isolateAppData(JNIEnv* env, jobjectArray pkg_data_info_list, jobjectArray whitelisted_data_info_list, uid_t uid, const char* process_name, jstring managed_nice_name, fail_fn_t fail_fn) { - ensureInAppMountNamespace(fail_fn); std::vector merged_data_info_list; insertPackagesToMergedList(env, merged_data_info_list, pkg_data_info_list, process_name, managed_nice_name, fail_fn); 
@@ -1706,10 +1705,11 @@ static void SpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArray gids, MountEmulatedStorage(uid, mount_external, need_pre_initialize_native_bridge, fail_fn); - // System services, isolated process, webview/app zygote, old target sdk app, should - // give a null in same_uid_pkgs and private_volumes so they don't need app data isolation. - // Isolated process / webview / app zygote should be gated by SELinux and file permission - // so they can't even traverse CE / DE directories. + // Make sure app is running in its own mount namespace before isolating its data directories. + ensureInAppMountNamespace(fail_fn); + + // Sandbox data and jit profile directories by overlaying a tmpfs on those dirs and bind + // mount all related packages separately. if (mount_data_dirs) { isolateAppData(env, pkg_data_info_list, whitelisted_data_info_list, uid, process_name, managed_nice_name, fail_fn);
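Review bot: The comment added above `ensureInAppMountNamespace(fail_fn);` ties the call to "isolating its data directories", but the call is now unconditional and, per the commit message, is also needed for the `BindMountStorageDirs()` path when `mount_data_dirs` is false; something like `// Always enter the app's own mount namespace first; mounts made later (data-dir isolation, BindMountStorageDirs()) rely on it.` would state the actual invariant. The removed comment was the only place that explained why processes that skip data isolation are still confined (SELinux and file permissions keep them from traversing CE / DE directories), and the new text does not replace it, so consider keeping one line of that rationale above `if (mount_data_dirs)`. Because the first hunk drops the call from `isolateAppData`, that function now depends on its caller having already entered the namespace, which deserves a precondition comment on the function so a future caller does not mount outside the app's namespace. The body of SpecializeCommon starts and ends outside this hunk, so other mount calls that depend on this ordering are not visible here.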