Data caging

Data caging means that applications and users have access only to certain areas of the file system. In practice, an application can access its own private folder and the folders that are marked as open; it cannot, for example, access the private folder and data of another application. There are restricted file storage areas for system, private, and resource data.

The file system has the following structure:

  • The \sys folder is the restricted system area. You need the AllFiles capability to read its content, and the Trusted Computing Base (TCB) capability to modify it.

    The subfolder \sys\bin\ contains all binaries (exe, dll, etc.). Every binary must have a unique name. An application can only be launched from this subfolder.

  • The \private\ folder includes folders for all applications.

    The \private\<SID>\ subfolder contains private data that is accessed only by the application itself; the SID is the secure identifier of the process. Without any capabilities, an application can read and write only in its own directory. You need the AllFiles capability to access all private directories. Backup software can read and write to this directory.

    The \private\<SID>\import\ subfolder is for resource files, such as registration files, that are not directly related to the application. You can write into this subfolder only after it has been created and named correctly.

    Application registration resource files should be installed in the \private\10003a3f\import\apps subfolder.

  • The \resource folder is for sharing resource files. This data can be icons, bitmaps, and other material useful for all the applications. You do not need any capabilities to read these files. You need TCB capability to modify the content.

    ECom registration resource files should be installed in the \resource\plugins subfolder.
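
The access rules above as a runnable reference model, added here for this page; it is not Symbian platform code, and the SIDs in its example calls (other than 10003a3f, which appears above) are constructed placeholders:

```python
# Constructed reference model of the data-caging rules described on this page.
# It reasons about the policy only; it is not Symbian platform code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    sid: str                          # secure identifier, e.g. "10003a3f"
    caps: frozenset = frozenset()     # e.g. frozenset({"AllFiles", "TCB"})

def _parts(path):
    """Split a Symbian path like r'c:\sys\bin\app.exe' into lowercase parts (drive dropped)."""
    path = path.strip()
    if len(path) >= 2 and path[1] == ":":
        path = path[2:]
    return [p.lower() for p in path.strip("\\").split("\\") if p]

def required_capability(path, op, proc):
    """Capability `proc` needs to `op` ('read' or 'write') `path`; None if none is needed."""
    parts = _parts(path)
    top = parts[0] if parts else ""
    if top == "sys":                         # restricted system area
        return "TCB" if op == "write" else "AllFiles"
    if top == "resource":                    # shared resources: readable by all
        return "TCB" if op == "write" else None
    if top == "private":                     # per-application private folders
        owner = parts[1] if len(parts) > 1 else ""
        return None if owner == proc.sid.lower() else "AllFiles"
    return None                              # open area of the file system

def is_allowed(path, op, proc):
    need = required_capability(path, op, proc)
    return need is None or need in proc.caps

def is_launchable(path):
    """Applications are launched only from \sys\bin\."""
    parts = _parts(path)
    return len(parts) > 2 and parts[:2] == ["sys", "bin"]

def audit_targets(paths, proc):
    """Report install targets `proc` may not write, plus duplicate binary names in \sys\bin."""
    problems, seen = [], set()
    for p in paths:
        parts = _parts(p)
        if not is_allowed(p, "write", proc):
            problems.append((p, f"needs {required_capability(p, 'write', proc)}"))
        if parts[:2] == ["sys", "bin"]:
            name = parts[-1]
            if name in seen:
                problems.append((p, "duplicate binary name in \\sys\\bin"))
            seen.add(name)
    return problems
```

The model does not cover the rule that \private\<SID>\import\ must first be created and named correctly before it can be written.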

For more information, see File locations.