Data caging means that the applications and the users have access only to certain areas of the file system. In practice the applications can access their own private folders and folders that are marked as open. It means, for example, that one application cannot access the private folder and data of another application. There are restricted file storage areas for system, private, and resource data.
The file system has the following structure:
The \sys folder is the restricted system area. You need AllFiles capability to read the content, and Trusted Computing Base (TCB) capability to modify the content.
The subfolder \sys\bin\ contains all binaries (exe, dll, etc.). All binaries must have a different name. An application can only be launched from this subfolder.
The \private\ folder includes folders for all applications.
The \private\<SID>\ subfolder contains private data only to be accessed by the application itself. SID is determined by the Secure Identifier of the process. Without any capabilities you can read and write only in the application's own directory. You need AllFiles capability to access all private directories. Backup software can read and write to this directory.
The \private\<SID>\import\ subfolder is for resource files, such as registration files, that are not directly related to the application. You can write into this subfolder only after it is created and named correctly.
Application registration resource files should be installed in the \private\10003a3f\import\apps subfolder.
The \resource folder is for sharing resource files. This data can be icons, bitmaps, and other material useful for all the applications. You do not need any capabilities to read these files. You need TCB capability to modify the content.
ECom registration resource files should be installed in the \resource\plugins subfolder.
For more information, see File locations.