[defrost]

What prevents running a data stream in, transcoded data out sandbox with no access to unlimited resources, system files, system stacks, etc.

It's okay for a sandbox to fall over due to bad inputs and poor memory security if it can just be restarted and move onto other streams.

[ReactiveJelly]

I think Chromium already does sandbox ffmpeg in the renderer process because of their "Rule of Two": https://chromium.googlesource.com/chromium/src/+/HEAD/docs/s...

Thus:

1. Code which processes untrusted input

2. Code written in unsafe languages like C or C++

3. Code that runs without a sandbox

So ffmpeg should be sandboxed, same as the network code and GPU process are sandboxed.

[defrost]

I completely agree, with regard for the GP's point about Android TV's with onboard ffmpeg libraries and Addon Apps that call on said libraries (or pull in their own) ..

Cheap arse low resource TVs should either include some form of sandboxing OR the entire device should be treated as a "can fall over" sandbox .. well isolated from any household LAN of consequence, etc.

It seems unlikely that BoxStore Brand Android TVs will be well designed with an eye to security so <shrug> they're an exercise for home net admin masochists and/or an opportunity to market sensible easy to use IoT age routers that come preconfigured to handle bad-device(s).

[cubefox]

Am I getting this right, you expect TVs which are running Google TV (Android TV is the old name) to be less secure than TVs which are running a different operating system? I think the opposite is the case, because Google TV is developed by Google, which has a lot of experience with software security, while other TV operating systems are developed by companies which clearly don't have that experience.

[defrost]

There are a lot of "Android like" TVs out there.

[cubefox]

Those are running mainly on Google TV. Tizen or webOS are also common but are not based on Android.

[mr_toad]

Most of them require hardware acceleration from the CPU or GPU and that can potentially be exploited to escape the sandbox. GPUs in particular are difficult to sandbox.