Conversation

Replying to

The internal security model protects the kernel from apps, and hides a lot of information leaked from the kernel to apps. By disabling SELinux, it's substantially breaking down the separation between the kernel and the app, making it less isolated than it would be even normally.

2

Replying to

What information? Don't mount proc or sys.

1

Replying to

You can't avoid mounting the stuff that the system and apps depend on to run. You are running a whole Android userspace instance including init, vold and all the privileged base system components inside the container. Security model protects the kernel and base system from apps.

2

Replying to

Sure you can. You get to dummy all that out.

1

Replying to

and

No privileged base system components at all.

1

Replying to

It's designed around doing that though, which is why they are using namespaces the way that they are. If you just want an Android runtime and apps, you don't need to approach it this way. Can be done like Fuchsia or the original ChromeOS approach which used NaCl not containers.

2

Replying to

and

The original ChromeOS approach didn't give Android apps direct kernel access. It compiled them to NaCl apps (would be WebAssembly instead now doesn't make much difference) which have low-level containment for native code and are also run inside the tight browser renderer sandbox.

1

1

Replying to

Eew.

1

Replying to

They were still native code, executing on hardware directly (NaCl is was different than WebAssembly, and also shipped code as native unlike PNaCl which used LLVM IR). It used Chrome infrastructure for the sandboxing but they certainly weren't tied to web content in any way.

2

Replying to

Shipping native code and asking us to trust it rather than sandboxing it is just no.

1

Replying to

It is sandboxed. It runs inside the Chrome renderer sandbox, with even more distrust than the the usual ones since it doesn't count as part of the browser. NaCl / PNaCl / WebAssembly are another layer of security inside the renderer sandbox, rather than full native code exec.

3:59 AM · Apr 16, 2019Twitter Web Client

Replying to

and

The whole point of NaCl was that they came up with a scheme for running native code without arbitrary uncontained code execution. It was still run with the OS sandbox, but the point was not just giving the untrusted code full native code execution inside of that OS sandbox.

1

Replying to

and

PNaCl changed it by making it portable, and WebAssembly is effectively the same thing but from scratch with complete portability / avoidance of undefined behavior as a core part of it rather than based on a frozen LLVM IR subset like PNaCl with an attempt to purge those things.

1

Show replies