12-05-2011 04:50 PM
How do you define 'sandbox' in the 'application executed on PlayBook' context? What exactly does it mean? The documentation gives a list of folders that should be accessible by the app, but I can easily read root / from my app.
Is there a list of all restrictions that 'sandbox' implies?
12-05-2011 07:45 PM
What I know about sandboxing of non-root applications on BBX:
- One application cannot access the screen context of another application.
- The "app" and "data" folders of one application can only be accessed by that application.
12-05-2011 08:52 PM
I'm not sure of a documented list, but here's what should be a fairly complete summary.
1. the term "sandbox" may not be rigorously defined, but generally would refer to the whole set of folders under the current directory when the app is launched, especially the data/ folder where they can write private data which no other app can access.
2. apps should generally not access anything outside their sandbox, except through the symlinks provided inside (there are certainly exceptions, such as native apps loading shared libraries)
3. apps *can* read lots of stuff outside the sandbox, and in theory everything out there should be adequately protected so you can't see stuff you're not supposed to (modulo root exploits) or write to anything except what's already available through your sandbox symlinks
4. you should access your app's static/read-only data through the app/ folder, not through its entry under /apps/
5. you should access your data through data/, not through your entry under /accounts/1000/appdata/
6. your stderr/stdout are redirected to logs/log and possibly other files depending on the runtime in question (e.g. AIR may have air-log and air-trace)
7. you may create folders/files under tmp/ but don't count on them persisting between runs of your app
8. you should access the shared folders through shared/ which is a symlink, rather than through /accounts/1000/shared, and your app must request the access_files permission to be able to do so (in either location)
I think that mostly answers your question. The term "sandbox" doesn't refer to restrictions that are in place to prevent your app from accessing anything outside its runtime current directory, though best practices dictate that the app not do so except in the few exceptional cases where it must.
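The answer above describes the launch directory a PlayBook app sees (app/, data/, tmp/, logs/ and a shared/ symlink that points out of the sandbox) and recommends that the app only touch files through those entries. The C program below is an added example, not code from the poster or from BlackBerry, showing the app-side guard a native app can put in front of its own file writes: resolve the target with realpath() and confirm it still lies under data/ before opening it, so a relative name like "../x" or a symlink that leads out of the sandbox is refused. The function names (path_within, write_private, make_fixture) are mine, and the directory layout is a constructed fixture under /tmp on a POSIX host, not a real PlayBook filesystem. This check is a best-practice guard inside the app; the actual protection of other apps' data and of shared/ (including the access_files permission) is enforced by the OS, not by this code.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <sys/stat.h>

/* Join base and rel into out; returns 0, or -1 if the result would be truncated. */
static int join_path(const char *base, const char *rel, char *out, size_t n) {
    int len = snprintf(out, n, "%s/%s", base, rel);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* 1 if candidate resolves (symlinks followed) to root or something beneath it,
 * 0 if it resolves elsewhere, -1 if either path cannot be resolved. */
int path_within(const char *root, const char *candidate) {
    char r[PATH_MAX], c[PATH_MAX];
    if (!realpath(root, r) || !realpath(candidate, c)) return -1;
    if (strcmp(r, "/") == 0) return 1;               /* everything is under "/" */
    size_t rl = strlen(r);
    if (strncmp(r, c, rl) != 0) return 0;
    return (c[rl] == '\0' || c[rl] == '/') ? 1 : 0;  /* "/a/data" must not match "/a/database" */
}

/* Write content to <root>/data/<name>, but only if the parent directory of the
 * target really resolves inside data/. Returns 0 on success, -2 if the path
 * escapes data/ (e.g. "../x" or through a symlink), -1 on any other failure. */
int write_private(const char *root, const char *name, const char *content) {
    char data_dir[PATH_MAX], path[PATH_MAX], parent[PATH_MAX];
    if (join_path(root, "data", data_dir, sizeof data_dir) < 0) return -1;
    if (join_path(data_dir, name, path, sizeof path) < 0) return -1;
    strcpy(parent, path);
    *strrchr(parent, '/') = '\0';                    /* join_path guarantees a '/' is present */
    if (path_within(data_dir, parent) != 1) return -2;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(content, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Constructed fixture (not a real PlayBook filesystem): a temporary directory
 * laid out like the launch directory described in the post, with a shared/
 * symlink pointing outside the sandbox root, plus a file outside everything. */
static int mk(const char *base, const char *rel, char *out, size_t n) {
    return join_path(base, rel, out, n) < 0 ? -1 : mkdir(out, 0700);
}
static int touch(const char *dir, const char *name, const char *text) {
    char p[PATH_MAX];
    if (join_path(dir, name, p, sizeof p) < 0) return -1;
    FILE *f = fopen(p, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}
int make_fixture(char *root, size_t n, char *shared_target, size_t m) {
    char top[] = "/tmp/pb-sandbox-XXXXXX", p[PATH_MAX];
    if (!mkdtemp(top)) return -1;
    if (mk(top, "sandbox", root, n) < 0) return -1;
    if (mk(top, "shared-target", shared_target, m) < 0) return -1;
    const char *dirs[] = { "app", "data", "tmp", "logs" };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        if (mk(root, dirs[i], p, sizeof p) < 0) return -1;
    if (touch(shared_target, "doc.txt", "shared\n") != 0) return -1;
    if (touch(top, "outside.txt", "outside\n") != 0) return -1;
    if (join_path(root, "shared", p, sizeof p) < 0) return -1;
    return symlink(shared_target, p);                /* shared/ -> outside the sandbox */
}

int main(void) {
    char root[PATH_MAX], shared[PATH_MAX], p[PATH_MAX];
    if (make_fixture(root, sizeof root, shared, sizeof shared) != 0) return 1;
    printf("data/settings.txt:  %d\n", write_private(root, "settings.txt", "x=1\n"));  /* 0 */
    printf("data/../escape.txt: %d\n", write_private(root, "../escape.txt", "x"));     /* -2 */
    snprintf(p, sizeof p, "%s/shared/doc.txt", root);
    printf("shared/doc.txt inside sandbox root: %d, inside shared target: %d\n",
           path_within(root, p), path_within(shared, p));                              /* 0, 1 */
    snprintf(p, sizeof p, "%s/data/../../outside.txt", root);
    printf("data/../../outside.txt inside sandbox root: %d\n", path_within(root, p));  /* 0 */
    return 0;
}
```

Note that shared/doc.txt is reported as outside the sandbox root and inside the shared target: following the shared/ symlink is the intended exception the answer mentions, so an app that wants to allow it checks the resolved path against the shared target as well as against data/, rather than against the launch directory alone.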
12-06-2011 09:23 AM
A general overview of sandboxing can be found at: http://docs.blackberry.com/en/admin/deliverables/2
There is also an overview of the application directories for AIR applications at: http://docs.blackberry.com/en/developers/deliverab
For the most part this also applies to native applications, other than the references to the AIR APIs to access each of the directories.