authorAndrey Artemiev <artemiev@google.com>2022-06-02 23:43:21 +0000
committerAleksandr Nogikh <wp32pw@gmail.com>2022-06-03 18:36:09 +0200
commitc885789257c76ea4479ea36282f5e0a2c7861e26 (patch)
tree25a5e2e05c4a3d7a5ee3acd6cc33248c81141204
parent438e961a3d21d171d2a07c566f0c512b1481e18c (diff)
executor: fixed sandbox 'android'
-rw-r--r--executor/common_linux.h3
-rw-r--r--pkg/csource/generated.go3
2 files changed, 4 insertions, 2 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h
index b30366a87..48236ce3b 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -4163,6 +4163,8 @@ static int do_sandbox_android(void)
if (setresgid(UNTRUSTED_APP_GID, UNTRUSTED_APP_GID, UNTRUSTED_APP_GID) != 0)
fail("do_sandbox_android: setresgid failed");
+ setup_binderfs();
+
#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64
// Will fail() if anything fails.
// Must be called when the new process still has CAP_SYS_ADMIN, in this case,
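Review bot: The new position of `setup_binderfs()` (after `setresgid`, before the `#if GOARCH_...` seccomp block) encodes an ordering requirement that nothing in the code states. The call used to sit after `setcon(SELINUX_CONTEXT_UNTRUSTED_APP)`, so it presumably could not do its work once the process had entered the restricted context, and a later refactor could easily move it back. I would add a comment above the call, for example `// Must run before the seccomp filter and the SELinux transition below; binderfs setup is presumably not permitted afterwards.` It is also worth confirming that the setup still succeeds with the GID already dropped to UNTRUSTED_APP_GID and that `setup_binderfs()` reports failure rather than ignoring it; its body is not shown here, and a silent failure would explain how the earlier placement went unnoticed. `do_sandbox_android` starts and ends outside this hunk, and the same change appears in the generated copy in pkg/csource/generated.go.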
@@ -4179,7 +4181,6 @@ static int do_sandbox_android(void)
setfilecon(".", SELINUX_LABEL_APP_DATA_FILE);
setcon(SELINUX_CONTEXT_UNTRUSTED_APP);
- setup_binderfs();
loop();
doexit(1);
}
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 4f53bc197..65c326dde 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -9300,6 +9300,8 @@ static int do_sandbox_android(void)
if (setresgid(UNTRUSTED_APP_GID, UNTRUSTED_APP_GID, UNTRUSTED_APP_GID) != 0)
fail("do_sandbox_android: setresgid failed");
+ setup_binderfs();
+
#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64
set_app_seccomp_filter();
#endif
@@ -9311,7 +9313,6 @@ static int do_sandbox_android(void)
setfilecon(".", SELINUX_LABEL_APP_DATA_FILE);
setcon(SELINUX_CONTEXT_UNTRUSTED_APP);
- setup_binderfs();
loop();
doexit(1);
}