ylyn|2 years ago
Shared mounts might be useful here. Not sure. I'd need to take a closer look at what is going on here.
But I would say this result is probably a byproduct of whatever namespacing/containerisation Google is doing, rather than an intentional effort to prevent users from changing the root CAs even as root.
pimterry|2 years ago
Yes, I think in practice that's true. The end result is still a big problem though!
> Isn't this just how mounts work? If you have something mounted to /apex/whatever and each app has a separate mount namespace, then mounting over /apex/whatever in your namespace wouldn't change anything in any other mount namespace.
The latter 'separate mount namespace' here is the surprising bit. Previously, you could open a shell, mount things into the filesystem (or just modify it directly) and apps would happily read files from those mounts.
Now, for these cacert files, that's not the case, and additionally with the new approach direct modification is impossible.
Before this change, I wasn't even aware that Android apps were using their own mount namespaces! There's very little documentation on exactly how that works and I'm not sure if there's been a case where it's been clearly visible until now.
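To illustrate the per-namespace behaviour discussed in this exchange, here is an added example (not part of the original thread) that parses `/proc/<pid>/mountinfo` text for two processes and reports which mount a path resolves to in each. The mount IDs, devices and the tmpfs overlay are constructed sample data, and `/apex/whatever` is the placeholder path from the quote above.

```python
import os

def mnt_ns_id(pid):
    """Mount-namespace identity of a process, e.g. 'mnt:[4026531840]' (Linux)."""
    return os.readlink(f"/proc/{pid}/ns/mnt")

def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo lines into dicts (field layout per proc(5))."""
    mounts = []
    for line in text.strip().splitlines():
        left, right = line.split(" - ", 1)        # " - " ends the optional fields
        f = left.split()
        fstype, source = right.split()[:2]
        mounts.append({
            "mount_point": f[4],
            # Optional fields carry propagation tags: shared:N, master:N, ...
            "propagation": f[6:] or ["private"],
            "fstype": fstype,
            "source": source,
        })
    return mounts

def covering_mount(mounts, path):
    """Mount that a lookup of `path` lands on in this namespace.
    Simplification: longest mount-point prefix wins; on a tie the later line wins."""
    best = None
    for m in mounts:
        mp = m["mount_point"].rstrip("/") or "/"
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best["mount_point"]):
                best = m
    return best

def same_view(ns_a, ns_b, path):
    """True if both namespaces resolve `path` to the same filesystem and source."""
    a, b = covering_mount(ns_a, path), covering_mount(ns_b, path)
    return (a["fstype"], a["source"]) == (b["fstype"], b["source"])

# Constructed samples: a shell that mounted a tmpfs over the path, and an app
# whose separate namespace still shows only the original mount.
SHELL_NS = """
21 1 253:0 / / ro,relatime shared:1 - ext4 /dev/block/dm-0 ro
40 21 7:8 / /apex/whatever ro,nodev,relatime - ext4 /dev/block/loop8 ro
95 40 0:60 / /apex/whatever rw,relatime - tmpfs tmpfs rw
"""
APP_NS = """
221 1 253:0 / / ro,relatime master:1 - ext4 /dev/block/dm-0 ro
240 221 7:8 / /apex/whatever ro,nodev,relatime - ext4 /dev/block/loop8 ro
"""
```

On a live system, differing `mnt_ns_id()` values for the shell and the app process confirm they are in separate mount namespaces, and a mount point with no `shared:`/`master:` tag does not receive mounts propagated from elsewhere.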
auveair|2 years ago
Technology is very convenient when it's complex enough to find an excuse to fit your business objective (see manifest v3).
pseg134|2 years ago
[deleted]