I have modified zygote in the Dalvik VM to place android applications into
separate pid namespaces. This is done in a multi-user scenario, where there
is a pid namespace created for each user, and then all the android apps
started by the user are placed into that namespace. Currently, I am only
creating pid namespaces as a first step. I have noted that Zygote already
creates mount namespaces for android apps so that a private emulated
storage directory can be bind mounted.
I do this by creating a namespace init process for each user. This init
process is forked from the dalvik vm, in the forkAndSpecializeCommon()
function of dalvik_system_Zygote.cpp, so it shares the same process
context of normal android apps. Then, at the point where zygote normally
forks to create an android app, the code is modified to signal the
namespace init process to fork the app instead.
I am having a problem where the android app is running an SELinux getcon()
in selinux_android_setcontext() to set the SEAndroid context for the app.
The getcon() is returning -1 for Operation not permitted. I am running in
permissive mode. It is likely that there is a bug in my code, but, I wanted
to ask if there was a fundamental problem with what I am trying to do. For
instance, is there any reason why SELinux calls like getcon() will not work
in kernel pid namespaces?
Cheers,
Chris Stone.
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to
[email protected].
