There's not really that much difference between using Android with Chrome in the app sandbox or using ChromeOS with Android inside a container. The kernel is the same, verified boot and update system is comparable, and security between apps and Chrome is essentially the same too.
Conversation
Replying to
Yes, but I don't want any of that. Not their kernel, not verified boot, etc. Stock Linux kernel (or in the future, something better) and ability to run legacy apps safely.
1
Replying to
Anbox depends on having an Android kernel, i.e. having the Android modules like Binder. You are effectively running a whole Android OS since you've got an Android kernel and the whole userspace within namespaces. It's separated to some extent from the rest of the OS, but poorly.
1
1
Unlike ChromeOS, they aren't actually implementing a proper isolation boundary around it with the namespaces and bridging. It has moved towards that, but it's not at that point. Even the ChromeOS implementation is really just properly separated / contained, not so much sandboxed.
1
If you want to avoid turning your 'host' OS into Android, you pretty much need either a virtual machine or another approach to intercepting all the system calls. github.com/google/gvisor uses either a ptrace (quite slow) or KVM (without running another Linux kernel) backend.
2
I don't think gVisor is close to the point where it could run Android inside it though. It would need a fair bit more work to reach that point. ChromeOS and Anbox are taking the short cut of just turning the host OS into Android, with Anbox also not doing meaningful isolation.
2
Replying to
That's not what I said. I said that you need the host to have an Android kernel. They use modules to make it into one if it isn't built with Android support included:
github.com/anbox/anbox-mo
The Android container uses the host kernel directly including the Binder module.
1
BTW do apps use Binder syscalls inline anyway? Or just via the Android runtime libs? If the latter you can just patch it out of the libs rather than emulating...
1
2
Replying to
Most apps probably don't use it directly but they can do that. It's not the only issue though. One of the biggest issues is throwing away the usual sandboxing and security model, which I don't think is at all necessary. Namespaces should be extended as needed to properly do it.