Minijail: Running Untrusted Programs Safely by Jorge Lucangeli Obes, Google

Minijail: Running Untrusted Programs Safely - Jorge Lucangeli Obes, Google The Linux kernel provides several sandboxing, containment and privilege-dropping features. Many of these features provide the same functionality, while others compose nicely to create de-privileged running environments for executing untrusted code. In this talk we’ll describe Minijail, a sandboxing and containment tool initially developed for Chrome OS and now used across Google, including client platforms (like Android) and server environments (like Chrome’s fuzzing infrastructure ClusterFuzz). Minijail is also used outside of Google to create sandboxed environments in coding competitions, build farms and everything in between. Finally, we’ll describe how Minijail is used in Chrome OS to implement a containerized version of Android that allows Chrome OS devices to run Android applications natively. About Jorge Lucangeli Obes Jorge is the platform security lead for Brillo, Google’s Android-based operating system for Internet-conne