Conversation

Replying to

What I'm interested in needs no internal security model because it's single privilege domain (one app). Only isolation from host.

Replying to

The internal security model protects the kernel from apps, and hides a lot of information leaked from the kernel to apps. By disabling SELinux, it's substantially breaking down the separation between the kernel and the app, making it less isolated than it would be even normally.

Replying to

What information? Don't mount proc or sys.

Replying to

You can't avoid mounting the stuff that the system and apps depend on to run. You are running a whole Android userspace instance including init, vold and all the privileged base system components inside the container. Security model protects the kernel and base system from apps.

Replying to

Sure you can. You get to dummy all that out.

Replying to

and

No privileged base system components at all.

Replying to

It's designed around doing that though, which is why they are using namespaces the way that they are. If you just want an Android runtime and apps, you don't need to approach it this way. Can be done like Fuchsia or the original ChromeOS approach which used NaCl not containers.

Replying to

The ChromeOS stuff only runs on ChromeOS not normal Linux...

Replying to

The original ARC approach worked fine elsewhere. There was an ARChon fork designed to be used outside ChromeOS. Their new container approach is fundamentally less secure but a lot easier to implement. It at least preserves the security model and sandboxing model though.

Replying to

and

Anbox is essentially the same thing as the new ChromeOS implementation. I don't like the new ChromeOS implementation since it gave up on securing it more than simply running Android natively. It was nice that it ran apps in a solid sandbox instead of just Android in a container.

Replying to

and

And by essentially the same, I mean the concept behind the design. Unlike the ChromeOS implementation, it has quite severe security problems both internally and in terms of protecting the 'host' from the container, except there is not *really* actually a host vs. guest here.

3:53 AM · Apr 16, 2019Twitter Web Client

Replying to

and

In ChromeOS, they do have the container properly separated, but it trusts user namespaces. The security model inside Android is preserved though, so the kernel is protected to the same extent as native Android, and internal security model is still fully intact. It's not as bad.