Legato Sandboxes

Also see

Security
Runtime Architecture

Legato uses sandboxes to provide a security layer against untrusted apps running in the same system. A Legato sandbox isolates an app from the rest of the system, so OEM and ISV components can coexist on the same device without one of them interfering with, or breaking, the rest of the stack.

Legato sandboxes are based on chroot jails. chroot changes the root directory of a process to a specified location; from then on the process only sees files and directories under that new root. A chroot on its own is not a security boundary: a process that still holds certain Linux capabilities (classically CAP_SYS_CHROOT, which lets it call chroot again and walk back out of the jail) can leave its chrooted root directory. Legato therefore ensures that sandboxed apps cannot hold or acquire those capabilities.

Legato sandboxes also impose resource limits, which cap the amount of system resources (memory, file descriptors, processes and the like) an app is allowed to consume. Without resource limits, an isolated app can still do damage by exhausting a shared resource and starving every other app on the device.

All sandboxes are created in non-persistent memory, so every sandbox is automatically removed when the system shuts down. Files from the root file system are imported into a sandbox with bind mounts rather than copies: the jail sees the very same file, so any update to the file in the root file system is immediately visible inside the sandbox, and memory requirements stay minimal.
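The three mechanisms above (a chroot jail, dropping the capabilities that could escape it, per-app resource limits, plus a bind-mounted import) in working Linux C, as an added illustration. This is not the Legato Supervisor's code: the function names (enter_sandbox, apply_limits, import_file, sandbox_self_test), the sandbox_limits structure, the particular limit values and the convention that each app runs under its own uid are this example's own assumptions. The privileged steps (chroot, bounding-set drop, bind mount) need root; the rest runs unprivileged.

```c
/* Hypothetical sandbox launcher, illustrating chroot + capability drop +
 * resource limits + bind-mounted imports. Not Legato's own code; names and
 * limit values are assumptions made for this example. Linux only. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/wait.h>
#ifdef __has_include
# if __has_include(<linux/capability.h>)
#  include <linux/capability.h>
# endif
#endif
#ifndef CAP_SYS_CHROOT
#define CAP_SYS_CHROOT 18   /* fixed numbering from <linux/capability.h> */
#define CAP_SYS_ADMIN  21
#endif

struct sandbox_limits {
    rlim_t open_files;   /* RLIMIT_NOFILE: descriptors */
    rlim_t processes;    /* RLIMIT_NPROC:  processes/threads for the app's uid */
    rlim_t file_bytes;   /* RLIMIT_FSIZE:  largest file it may write */
    rlim_t core_bytes;   /* RLIMIT_CORE:   core dump size */
};

/* Lower one limit. An unprivileged process may only lower limits, so clamp
 * the request to the current hard limit instead of failing with EPERM. */
static int lower_rlimit(int resource, rlim_t want)
{
    struct rlimit cur;
    if (getrlimit(resource, &cur) != 0)
        return -1;
    if (cur.rlim_max != RLIM_INFINITY && want > cur.rlim_max)
        want = cur.rlim_max;
    struct rlimit lim = { want, want };
    return setrlimit(resource, &lim);
}

int apply_limits(const struct sandbox_limits *l)
{
    if (lower_rlimit(RLIMIT_NOFILE, l->open_files) != 0) return -1;
    if (lower_rlimit(RLIMIT_NPROC,  l->processes)  != 0) return -1;
    if (lower_rlimit(RLIMIT_FSIZE,  l->file_bytes) != 0) return -1;
    return lower_rlimit(RLIMIT_CORE, l->core_bytes);
}

/* Import one host file into the jail as a read-only bind mount (root with
 * CAP_SYS_ADMIN only; root_dir/host_path must already exist as an empty file).
 * Nothing is copied: the jail sees every update made to the host file. */
int import_file(const char *root_dir, const char *host_path)
{
    char target[4096];
    snprintf(target, sizeof target, "%s%s", root_dir, host_path);
    if (mount(host_path, target, NULL, MS_BIND, NULL) != 0)
        return -1;
    /* A bind mount ignores MS_RDONLY on creation; a remount applies it. */
    return mount(NULL, target, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL);
}

/* Confine the calling process (a freshly forked child, just before it execs
 * the app). Pass root_dir == NULL when not root: chroot needs CAP_SYS_CHROOT.
 * Order matters: drop the bounding set while CAP_SETPCAP is still held, then
 * give up root, then lock in no_new_privs, then the limits. */
int enter_sandbox(const char *root_dir, uid_t app_uid, const struct sandbox_limits *l)
{
    int root = geteuid() == 0;
    if (root_dir && root && (chroot(root_dir) != 0 || chdir("/") != 0))
        return -1;   /* chdir: leave no working directory outside the jail */
    if (root) {
        /* Escape capabilities leave the bounding set: nothing exec'd inside
         * the jail, setuid binaries included, can ever regain them. */
        if (prctl(PR_CAPBSET_DROP, CAP_SYS_CHROOT, 0, 0, 0) != 0 ||
            prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0) != 0)
            return -1;
        if (setresgid(app_uid, app_uid, app_uid) != 0 ||   /* the app's own uid */
            setresuid(app_uid, app_uid, app_uid) != 0)
            return -1;
    }
    /* From now on execve() can never add privileges (setuid, file caps). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return apply_limits(l);
}

/* Fork a child, confine it, and have it verify from the inside that the
 * confinement took. Returns 0 on success, else the number of the failed check. */
int sandbox_self_test(void)
{
    struct sandbox_limits lim = { 64, 16, 1 << 20, 0 };   /* assumed values */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit r;
        if (enter_sandbox(NULL, getuid(), &lim) != 0)
            _exit(1);
        if (getrlimit(RLIMIT_NOFILE, &r) != 0 || r.rlim_cur > 64)
            _exit(2);
        if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
            _exit(3);
        if (geteuid() == 0 && prctl(PR_CAPBSET_READ, CAP_SYS_CHROOT, 0, 0, 0) != 0)
            _exit(4);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

A launcher built on this would, as root, create the jail directory in non-persistent storage, create the empty target files and call import_file() for each imported host file, then fork, call enter_sandbox(jail, app_uid, &limits) in the child and execv() the app. The self-test deliberately skips the chroot so that it also runs unprivileged; when run as root it additionally confirms that CAP_SYS_CHROOT is gone from the child's bounding set.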

A sandboxed Legato app can access services outside its sandbox, although not directly. All available services are advertised by the Service Directory, and an app connects to a service by asking the Service Directory for it. The Service Directory grants the connection only if the requesting app is on that service's access control list (ACL); an app that is not on the list cannot reach the service at all.
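An access-controlled lookup of this kind, as an added example of the design rather than Legato's actual Service Directory implementation. The security-relevant detail it shows is where the requester's identity comes from: the directory takes it from the kernel's SO_PEERCRED on the Unix-domain connection, never from anything the app writes in its request, so a sandboxed app cannot claim to be another app. The service table, the uids, the assumption that every app runs under its own uid, and the names sd_lookup, sd_handle_request, sd_request and sd_demo are all constructed for this example.

```c
/* Illustrative ACL-gated service directory over AF_UNIX sockets. Not Legato's
 * code; the table, uids, endpoints and per-app-uid identity model are assumed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#define MAX_ACL 4

struct service {
    const char *name;
    const char *endpoint;        /* where the real server listens */
    uid_t allowed[MAX_ACL];      /* ACL: uids of apps that may connect */
    int n_allowed;
};

/* Constructed directory. Assumed: uid 5001 = gnssApp, 5002 = navApp;
 * 5003 (untrustedApp) appears on no ACL at all. */
static const struct service example_dir[] = {
    { "le_gnss",  "/tmp/sd/le_gnss.sock",  { 5001, 5002 }, 2 },
    { "le_audio", "/tmp/sd/le_audio.sock", { 5002 },       1 },
};
#define EXAMPLE_DIR_LEN (sizeof example_dir / sizeof example_dir[0])

/* ACL decision: the endpoint if `uid` is listed for `name`, otherwise NULL. */
const char *sd_lookup(const struct service *dir, size_t n, uid_t uid, const char *name)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(dir[i].name, name) != 0)
            continue;
        for (int j = 0; j < dir[i].n_allowed; j++)
            if (dir[i].allowed[j] == uid)
                return dir[i].endpoint;
        return NULL;             /* service exists, but this app is not on its ACL */
    }
    return NULL;                 /* no such service */
}

/* Directory side of one request on a connected AF_UNIX socket. The request is
 * "<claimed uid> <service>"; the claimed uid is deliberately ignored and the
 * kernel's SO_PEERCRED answer is used instead. */
int sd_handle_request(const struct service *dir, size_t n, int fd)
{
    char req[128], reply[256];
    struct ucred cred;
    socklen_t len = sizeof cred;
    ssize_t got = read(fd, req, sizeof req - 1);
    if (got <= 0)
        return -1;
    req[got] = '\0';
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    const char *service = strchr(req, ' ');
    service = service ? service + 1 : req;
    const char *ep = sd_lookup(dir, n, cred.uid, service);
    if (ep)
        snprintf(reply, sizeof reply, "OK %s", ep);
    else
        snprintf(reply, sizeof reply, "DENIED uid %u is not on the ACL for %s",
                 (unsigned)cred.uid, service);
    return write(fd, reply, strlen(reply)) < 0 ? -1 : 0;
}

/* App side, run in-process over socketpair(): the pair is a connected AF_UNIX
 * socket whose peer credentials are the creating process, so the request is
 * attributed to our real uid whatever `claimed_uid` says. */
int sd_request(const struct service *dir, size_t n, const char *claimed_uid,
               const char *service, char *reply, size_t replysz)
{
    int sv[2];
    char req[128];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    snprintf(req, sizeof req, "%s %s", claimed_uid, service);
    int rc = write(sv[1], req, strlen(req)) < 0 ? -1 : 0;      /* app -> directory */
    if (rc == 0)
        rc = sd_handle_request(dir, n, sv[0]);                 /* directory decides */
    ssize_t got = rc == 0 ? read(sv[1], reply, replysz - 1) : -1; /* directory -> app */
    close(sv[0]);
    close(sv[1]);
    if (got <= 0)
        return -1;
    reply[got] = '\0';
    return 0;
}

/* Live demo with a table whose ACL names our own uid for one service only.
 * Both requests claim to be uid 0; the spoof must be refused for le_audio
 * and ignored for le_gnss, where our real uid is on the ACL. Returns 1 if so. */
int sd_demo(void)
{
    uid_t me = getuid();
    struct service live[] = {
        { "le_gnss",  "/tmp/sd/le_gnss.sock",  { me },     1 },
        { "le_audio", "/tmp/sd/le_audio.sock", { me + 1 }, 1 },
    };
    char r1[256], r2[256];
    if (sd_request(live, 2, "0", "le_audio", r1, sizeof r1) != 0)
        return 0;
    if (sd_request(live, 2, "0", "le_gnss", r2, sizeof r2) != 0)
        return 0;
    return strncmp(r1, "DENIED", 6) == 0 && strncmp(r2, "OK ", 3) == 0;
}
```

In a real deployment the directory would listen on a well-known socket path that every sandbox can reach, and the endpoint it hands back is the only way for the app to find the server; since the ACL check keys on a kernel-asserted uid, a sandboxed app that is not listed has no path to the service even if it knows the service's name.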


Copyright (C) Sierra Wireless, Inc. 2014. All rights reserved. Use of this work is subject to license.
