Minijail: Running Untrusted Programs Safely

Explore the intricacies of Minijail, a powerful sandboxing and containment tool, in this informative 38-minute conference talk by Jorge Lucangeli Obes from Google. Delve into the various Linux kernel features for sandboxing, containment, and privilege-dropping, and learn how Minijail leverages these capabilities to create secure environments for executing untrusted code. Discover Minijail's widespread use across Google platforms, including Chrome OS, Android, and server environments like ClusterFuzz. Gain insights into its applications outside of Google, such as in coding competitions and build farms. Explore the implementation of a containerized version of Android in Chrome OS, allowing native execution of Android applications. Benefit from Jorge's expertise as the platform security lead for Brillo and his experience with Chrome OS security as he covers topics including capabilities, policies, file system and process capabilities, namespaces, and Android integration.

Introduction
Why Minijail
The Problem
Capabilities
Policies
File System Capabilities
Process Capabilities
namespaces
Pin namespace
User names
Android
Acknowledgements
Questions