Minijail: Running Untrusted Programs Safely – Jorge Lucangeli Obes, Google
The Linux kernel provides several sandboxing, containment and privilege-dropping features. Many of these features provide the same functionality, while others compose nicely to create de-privileged running environments for executing untrusted code.
In this talk we’ll describe Minijail, a sandboxing and containment tool initially developed for Chrome OS and now used across Google, including on client platforms (like Android) and in server environments (like Chrome’s fuzzing infrastructure, ClusterFuzz). Minijail is also used outside of Google to create sandboxed environments in coding competitions, build farms and everything in between.
Finally, we’ll describe how Minijail is used in Chrome OS to implement a containerized version of Android that allows Chrome OS devices to run Android applications natively.
About Jorge Lucangeli Obes
Jorge is the platform security lead for Brillo, Google’s Android-based operating system for Internet-connected devices. Before working on Brillo and Android, Jorge worked on Chrome OS security. He has presented on Chrome OS security at Ekoparty, IATP Secure By Default (organized by CESG), and internal security summits at Google.