Anyone have experience with Anbox? Does it properly sandbox apps? Does it senselessly depend on a glibc host or particular container runtimes? Can you easily do one app per sandbox, or only whole Android? anbox.io
Conversation
Replying to
It doesn't provide meaningful sandboxing and doesn't approach it the way that you want. Their comparison to the Android integration in ChromeOS is also wrong / misleading. You're better off using the Android emulator for a KVM / QEMU based VM without everything hacked together.
2
Using the standard VM approach isn't substantially more heavyweight. It performs well and is much more robust and compatible. ChromeOS isn't currently using virtualization for performance reasons but they really should be doing it that way. As is, it turns ChromeOS into Android.
There's not really that much difference between using Android with Chrome in the app sandbox or using ChromeOS with Android inside a container. The kernel is the same, verified boot and update system is comparable, and security between apps and Chrome is essentially the same too.
2
If they were using a virtual machine, they could have preserved a lot more of the distinction between ChromeOS and Android including a better verified boot implementation and not running third party native code with direct access to the kernel. Namespaces aren't a tight sandbox.
1
Show replies
Replying to
It's *a lot* heavier, especially if you do one VM per app which is the way you have to do it to be secure (apps are threats to each other). It's also harder to provide any decent integrated UX.