Conversation

This Tweet was deleted by the Tweet author. Learn more
Justin Schuh
@justinschuh
Replying to
@lcamtuf
and
@ryanaraine
This is the correct explanation—I know firsthand—and I would add to the list of reasons the very different architectures of the systems themselves. So yeah, there's no big strategic change. It's just a case of two different orgs doing their own thing, as is typical at Google.
1
7
Justin Schuh
@justinschuh
Replying to
@andyburns
@lcamtuf
and
@ryanaraine
Android and Chrome are two very different systems, and what works for one doesn't necessarily work for the other (at least not without ground up redesign). So, I think it's healthy for each to pursue an approach that plays to their own unique strengths and constraints.
1
4
Justin Schuh
@justinschuh
Replying to
@justinschuh
@andyburns
and 2 others
Case in point, Android's zygote design makes processes significantly more expensive than on other systems. Since processes are a core sandboxing primitive, Jeff is right to note that expense and favor alternative security mechanisms. But it's a different story on other systems.
2
2
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
@justinschuh
and 3 others
Android does have lightweight processes without the high-level language runtime for Java/Kotlin. Many processes are managed app processes, but there are also many lightweight processes. Apps can use lighter processes. OS doesn't mandate that you only use Java/Kotlin processes.
1
1
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
@justinschuh
and 3 others
Chromium uses an isolatedProcess service for each renderer sandbox and those are managed app processes. A different approach could have been used. It's entirely possible to spawn lightweight processes sandboxed with a strict seccomp-bpf policy rather than primarily via SELinux.
1
1
Show replies