Re: [chromium-dev] Sandboxing on Android


Primiano Tucci

unread,
Sep 10, 2015, 11:11:38 AM
to bali...@gmail.com, securi...@chromium.org
+security-dev, chromium-dev to BCC

The main deal about isolatedProcess is not just the process isolation itself. It is the fact that it triggers a more restrictive set of SELinux policies (where supported, which should be KitKat and higher).
security-dev might give you more useful info probably.



On Thu, Sep 10, 2015 at 2:45 PM, Edit Bálint-Ördög <bali...@gmail.com> wrote:

Hi All,


I am playing around with sandboxing on Android, and wondering if it would be safe to set isolatedProcess=false for the SandboxedProcessService in the Manifest file, or whether this would cause any security issues? In other words, I am interested in what kind of sandboxing method can be used on Android besides process isolation?


Thank you,


Edit

--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

Robert Sesek

unread,
Sep 10, 2015, 11:24:08 AM
to Primiano Tucci, bali...@gmail.com, Security-dev
I would strongly recommend against disabling isolatedProcess as it would have serious, deleterious effects on security. As Primiano mentions, the isolatedProcess flag opts the process into much more restrictive SELinux policies. The isolated_app policy restricts access to Chrome's user data, access to other Binder services (which expose significant, privileged attack surface), and in some cases access to raw device nodes. The isolatedProcess flag also puts the process into a different user ID, so that it runs under a different security principal, isolating it from the main browser process (this happens pre-KitKat as well). Removing the isolatedProcess flag effectively means that the service process is not sandboxed. There is not really another option for creating a semantics layer sandbox to restrict resource access of a process on Android. It's possible to stack other sandboxing technologies on top of the isolated_app SELinux sandbox, such as seccomp-bpf, to reduce attack surface; but the layer one sandbox should be this restrictive SELinux policy.

rsesek / @chromium.org
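A way to verify from the outside that the two properties described in this thread actually hold for a running sandboxed service: the process sits in the isolated_app SELinux domain and runs under an isolated UID (shown by Android's ps as u<user>_i<n>) rather than the app's own UID. This is an added example, not code from the thread or from Chromium; it assumes the column layout of `adb shell ps -A -Z` (LABEL USER PID ... NAME) and uses a constructed sample instead of a live capture, with a hypothetical `com.example.browser` package.

```shell
#!/bin/sh
# Constructed sample in the shape of `adb shell ps -A -Z` output (not a real capture).
# sandboxed_process0 is correctly isolated; sandboxed_process1 models a service
# declared without android:isolatedProcess and so shares the app's UID and domain.
SAMPLE='LABEL                          USER      PID   PPID  VSZ RSS WCHAN ADDR S NAME
u:r:untrusted_app:s0:c512,c768 u0_a123   4201  912   0   0   0     0    S com.example.browser
u:r:isolated_app:s0:c512,c768  u0_i5     4320  912   0   0   0     0    S com.example.browser:sandboxed_process0
u:r:untrusted_app:s0:c512,c768 u0_a123   4333  912   0   0   0     0    S com.example.browser:sandboxed_process1'

# is_isolated NAME PS_OUTPUT
# Exit 0 when the named process has both an isolated_app SELinux label and an
# isolated UID (u<user>_i<n>), 1 when it is present but not isolated, 2 when absent.
is_isolated() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $NF == name {
            found = 1
            label_ok = ($1 ~ /^u:r:isolated_app:/)   # SELinux domain (KitKat and later)
            uid_ok   = ($2 ~ /^u[0-9]+_i[0-9]+$/)    # separate isolated UID
            rc = (label_ok && uid_ok) ? 0 : 1
        }
        END { exit (found ? rc : 2) }'
}

# report_sandboxed PS_OUTPUT
# One verdict line per *:sandboxed_processN entry, for a quick manual audit.
report_sandboxed() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $NF ~ /:sandboxed_process[0-9]+$/ {
            ok = ($1 ~ /^u:r:isolated_app:/ && $2 ~ /^u[0-9]+_i[0-9]+$/)
            printf "%-45s %s\n", $NF, (ok ? "OK (isolated_app, isolated uid)" : "NOT ISOLATED")
        }'
}

report_sandboxed "$SAMPLE"
```

On a device, replace `$SAMPLE` with `"$(adb shell ps -A -Z)"`; a sandboxed process reported as NOT ISOLATED means the manifest flag is missing and the renderer is running with the browser's own privileges.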