Published on December 8, 2016 by TheLinuxFoundation

Minijail: Running Untrusted Programs Safely – Jorge Lucangeli Obes, Google

The Linux kernel provides several sandboxing, containment and privilege-dropping features. Many of these features provide the same functionality, while others compose nicely to create de-privileged running environments for executing untrusted code.

In this talk we’ll describe Minijail, a sandboxing and containment tool initially developed for Chrome OS and now used across Google, including client platforms (like Android) and server environments (like Chrome’s fuzzing infrastructure ClusterFuzz). Minijail is also used outside of Google to create sandboxed environments in coding competitions, build farms and everything in between.

Finally, we’ll describe how Minijail is used in Chrome OS to implement a containerized version of Android that allows Chrome OS devices to run Android applications natively.

About Jorge Lucangeli Obes

Jorge is the platform security lead for Brillo, Google’s Android-based operating system for Internet-connected devices. Before working on Brillo and Android, Jorge worked on Chrome OS security. He has presented on Chrome OS security at Ekoparty, IATP Secure By Default (organized by CESG), and internal security summits at Google.

Leave a Reply

Be the First to Comment!

Notify of