On 04/29/2015 10:53 AM, Stephen Smalley wrote:
> On 04/29/2015 10:10 AM, Clifford Liem wrote:
>> Background:
>>
>> We are using eCryptfs as a way to encrypt directories as well as PID
>> namespaces as a way to isolate processes.
>
> I believe Samsung has been using ecryptfs as well, not sure how they are
> addressing it, but perhaps they can do all of the mounting from vold or
> zygote.
>
> Wondering how use of PID namespaces might affect binder services that
> rely on the sender PID information provided by the kernel binder driver
> and those that rely on getpidcon(), e.g. servicemanager and keystore.

BTW, what do you see as the security benefit of PID namespaces? They are primarily advertised as a way to support process suspend/resume/migration, not a security feature. If you just want to prevent accessing another process' /proc/pid files, you can already do that via SELinux (if you run them in different security contexts, either using different domains or levelFrom=), or by using hidepid.
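Added example, not part of the original message or of any project's code: a shell check that reads mount entries in /proc/mounts format and reports the hidepid setting of each procfs mount, the option mentioned above for restricting access to other processes' /proc/pid files. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Input format (as in /proc/mounts): device mountpoint fstype options dump pass

# hidepid_level OPTIONS -> prints the normalized hidepid level (0, 1, 2 or 4).
# Newer kernels also accept the names off/noaccess/invisible/ptraceable.
hidepid_level() {
    level=0                      # kernel default when the option is absent
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            hidepid=0|hidepid=off)        level=0 ;;
            hidepid=1|hidepid=noaccess)   level=1 ;;
            hidepid=2|hidepid=invisible)  level=2 ;;
            hidepid=4|hidepid=ptraceable) level=4 ;;
        esac
    done
    IFS=$old_ifs
    echo "$level"
}

# check_proc_mounts FILE -> one report line per procfs mount.
# Returns 1 if any procfs mount is left at the default (hidepid=0).
check_proc_mounts() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        [ "$fstype" = proc ] || continue
        lvl=$(hidepid_level "$opts")
        case $lvl in
            0) desc="all /proc/<pid> directories visible (default)"; rc=1 ;;
            1) desc="other users' /proc/<pid> listed but not accessible" ;;
            2) desc="other users' /proc/<pid> hidden" ;;
            4) desc="only ptrace-able processes visible" ;;
        esac
        echo "$mnt hidepid=$lvl: $desc"
    done < "$1"
    return $rc
}

# Constructed sample mount table (not taken from a real device).
sample=$(mktemp)
cat > "$sample" <<'EOF'
proc /proc proc rw,relatime 0 0
proc /data/jail/proc proc rw,nosuid,nodev,noexec,relatime,gid=3009,hidepid=2 0 0
tmpfs /dev tmpfs rw,nosuid,mode=755 0 0
EOF
check_proc_mounts "$sample" || echo "at least one procfs mount uses hidepid=0"
```

On a live system, pass /proc/mounts instead of the sample file.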
