Running Android in a Container How the play store runs on Chrome OS - - PowerPoint PPT Presentation

running android in a container
SMART_READER_LITE
LIVE PREVIEW

Running Android in a Container How the play store runs on Chrome OS - - PowerPoint PPT Presentation

Nov 05, 2023 193 likes •297 views

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome OS Chrome Graphics Buffer (Prime FD) Android IPC IPC Chrome IPC Binder System Bridge Bridge (*/init*) Input Events network config, GL,

slide-1
SLIDE 1

Running Android in a Container

How the play store runs on Chrome OS

slide-2
SLIDE 2

How Android Runs On Chrome OS

Chrome IPC Bridge IPC Bridge Android System (*/init*) CROS systems service (CRAS, powerd, Shill) Chrome OS Linux Kernel Chrome IPC Graphics Buffer (Prime FD) Binder Input Events

network config, screen-on locks audio buffers GL, Network traffic, File I/O, Binder, etc

slide-3
SLIDE 3

Android Containerization

  • Namespaces
  • Device Access
  • File System
  • Input
  • Audio/Video/Graphics
  • Network
slide-4
SLIDE 4

PID Namespace

  • Allows Android’s init to be PID 1

Chrome OS

cros# pstree -ap init,1 | ... <snip> ... |-minijail0,4514 -u cras -g cras -G -- /usr/bin/cras | `-cras,4865,cras | ... <snip> ... |-session_manager,1744 | |-chrome,1811,chronos | | |-chrome,2372 | | … <snip> ... | `-init,6057,android-root --second-stage | |-adbd,6143,657360 --root_seclabel=u:r:su:s0 | | `-{adbd},6144 | |-keystore,6140,656377 /data/misc/keystore | |-mediaserver,6138,656373 | | |-{mediaserver},6167 | | ... <snip> ... | |-servicemanager,6117,656360 | |-surfaceflinger,6118,656360 | | |-{surfaceflinger},6125 | ... <snip> ... andoid# ps USER PID PPID NAME root 1 0 /init shell 40 1 /sbin/adbd keystore 37 1 /system/bin/keystore media 35 1 /system/bin/mediaserver system 17 1 /system/bin/servicemanager system 18 1 /system/bin/surfaceflinger ... <snip> ...

Android Container

slide-5
SLIDE 5

User Namespace

  • Allows Android to believe it is running as

root

  • Android actually runs as UID=655360
  • Clone flag CLONE_NEWUSER
  • Allows mounting of certain file systems
slide-6
SLIDE 6

Mount Namespace

  • Gives Android its own view of system

mounts

  • Pivot root to new location that Android

sees as root

  • Really a squash FS filesystem image
  • Android can modify this mount namespace
slide-7
SLIDE 7

Net Namespace

  • Isolates Android network interfaces
  • Give Android one bridged interface “arc0”
  • Network configuration is handled outside the container by shill

arc0

192.168.254.2

veth_android

(no IP)

br0

192.168.254.1

NAT

iptables –j MASQUERADE

wlan0

LAN wifi

eth1

LAN wired

tun0

VPN Android container Chrome OS host (init.ns)

slide-8
SLIDE 8

cgroup Namespace

cros# tree /sys/fs/cgroup/cpu/ |-- <control files, e.g. cpu.shares> |-- session_manager_containers | |-- android | | |-- bg_non_interactive | | | |-- <control files, e.g. cpu.shares> | | | `-- tasks | | |-- <control files, e.g. cpu.shares> | | `-- tasks | |-- <control files, e.g. cpu.shares> | `-- tasks |-- tasks android# tree /dev/cpuctl |-- bg_non_interactive | |-- <control files, e.g. cpu.shares> | `-- tasks |-- <control files, e.g. cpu.shares> `-- tasks

}

Android owned

slide-9
SLIDE 9

Speed

Boot Time Android Startup Chrome Performance App Performance

slide-10
SLIDE 10

Security

  • Maintain Chrome OS security story
  • Verity, root of trust
  • Updates
  • Cgroups
  • Android Device Node Access
  • Alt-syscall
  • SELinux