by stefankomatsu
3288 days ago
Thanks. How about virtualization? Using an example from the doc, if your child process accesses "/dev/class/framebuffer", can you intercept its communications? Can a process create a custom sandbox and run, say, AppMgr with limited permission to limit the permissions of all apps it manages?

Yes. When creating the namespace for the child, the parent can map names to whatever communication channels it chooses. If the parent wants to interpose on the child's access to "/dev/class/framebuffer", the parent could map that name to a channel that leads back to the parent.
> Can a process create a custom sandbox and run, say, AppMgr with limited permission to limit the permissions of all apps it manages?
Yes. That's useful for testing as well as for sandboxing.
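
The interposition and nested sandbox discussed in this exchange, as an added example that is not part of the thread and is not the system's real API: a toy Python model in which `Channel`, `Process`, `interpose` and the `/svc/net` name are all hypothetical stand-ins.

```python
"""Toy model of parent-built namespaces (hypothetical names, not a real OS API)."""

class Channel:
    """Stands in for a communication channel: whoever holds it can send to it."""
    def __init__(self, handler):
        self._handler = handler

    def call(self, msg):
        return self._handler(msg)

class Process:
    """A process can reach only the names its parent mapped into its namespace."""
    def __init__(self, name, namespace):
        self.name = name
        self.namespace = dict(namespace)  # child-visible name -> Channel

    def open(self, path):
        if path not in self.namespace:
            raise PermissionError(f"{self.name}: {path} is not in the namespace")
        return self.namespace[path]

    def spawn(self, name, mapping):
        # The parent chooses every entry; nothing is inherited implicitly.
        return Process(name, mapping)

def interpose(target, log):
    """Channel that leads back to the parent: record the message, then forward it."""
    def handler(msg):
        log.append(msg)
        return target.call(msg)
    return Channel(handler)

def demo():
    fb_name = "/dev/class/framebuffer"
    real_fb = Channel(lambda msg: f"fb-ack:{msg}")   # constructed sample service
    net = Channel(lambda msg: f"net-ack:{msg}")      # constructed sample service
    root = Process("root", {fb_name: real_fb, "/svc/net": net})
    seen = []
    # Sandbox: AppMgr gets an interposed framebuffer and no network entry.
    appmgr = root.spawn("appmgr", {fb_name: interpose(root.open(fb_name), seen)})
    # AppMgr can pass on only what it can open itself, so its apps are limited too.
    app = appmgr.spawn("app", {fb_name: appmgr.open(fb_name)})
    reply = app.open(fb_name).call("draw")
    try:
        app.open("/svc/net")
        net_denied = False
    except PermissionError:
        net_denied = True
    return reply, seen, net_denied
```
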