[pxeger1]

Wouldn't Android's kernel have most of the hardening steps / disabled features described in GP's comment?

[quotemstr]

No. Things like eBPF, strace, and packet filtering are enabled. Android uses SELinux and other facilities to limit the amount of code the kernel will allow to access these features. Big difference from their being compiled out of the kernel entirely as the OP suggests is necessary.

[galangalalgol]

Container isolation can fail at shared libraries in shared layers too can't it? My evil service is based on the same cooltechframework base layer as your safety critical hardware control service and if there is a mistake in the framework...

[immibis]

then it affects each one separately since they are separate processes. The fact they run the same code is irrelevant if the data is separate.

[galangalalgol]

Separate processes running the same shared instructions. If you compromise and modify those shared instructions, the othe container runs instructions of your choosing.

[kbolino]

Layers are COW so one container modifying a layer has no effect on other containers started from the same image. Of course, preexisting vulnerabilities will remain but they'd have to be separately exploited in each container.

[galangalalgol]

I learned something new today! Thank you.

Edit: to be clear, I knew the disk was COW but I thought it saved memory by loading one instance of shared objects into memory.

[egberts1]

Worse, cannot disable eBPF due to too many packages demanding it.

Namely, nft tables and its filtering.