
Comment by fc417fc802

6 days ago

> hand out a different, temporary IPv6 address to every app and segment off any other interface that might be expose

Yes, but (AFAIK) not out of the box (unless one of the security focused ROMs already supports this). The kernel supports network namespaces and there's plenty of documentation available explaining how to make use of those. However I don't know if typical Android ROMs ship with the necessary tooling.

Approximately, you'd just need to patch the logic where zygote changes the PID to also configure and switch to a network namespace.

I've looked into network namespaces a bit but from what I can tell you need to do a lot of manual routing and other weird stuff to actually make IPv6 addresses reachable through them.

In theory all you need to do is have zygote constrain the app further with a network namespace, and run a CLAT daemon for legacy networks, but in practice I'm not sure if that approach works well with 200 apps that each need their IPs rotated regularly.

Plus, you'd need to reconfigure the sandbox when switching between WiFi/5G/ethernet. Not impossible to overcome, but not the weekend project I'd hoped it would be.

  • I don't follow? Your system is either routing packets or not. IPv6 vs IPv4 should not be a notable difference here.

    I've never tested network namespace scalability on a mobile device but I doubt a few hundred of them should break anything (famous last words).

    In the primary namespace you will need to configure some very basic routing. You will also need a solution for assigning IP addresses. That solution needs to be able to rotate IP assignments when the external IP block changes. That's pretty standard DHCP stuff. On a desktop distro doing the equivalent with systemd-networkd is possible out of the box with only a handful of lines in a config file.

    Honestly a lot of Docker network setups are much more complicated than this. The difficult part here is not the networking but rather patching the zygote logic and authoring a custom build of Android that incorporates the changes.
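As an added illustration of the "very basic routing" the reply above describes (this is example code written for this page, not something either commenter posted), the script below emits the iproute2 commands that give one sandboxed app its own IPv6-only network namespace: a veth pair, one address on each end, a default route inside the namespace, and forwarding on the host. It also shows a rotation step for when the externally assigned prefix changes. All names (`app0`, `veth-app0`, `app0-in`), the uplink name in `UPLINK`, and the `2001:db8::/32` documentation prefixes are constructed placeholders; it assumes the /64 handed to each app is routed to this host (for example via DHCPv6 prefix delegation). Without `--apply` it only prints the plan.

```shell
#!/bin/sh
# Example for this thread, not code from any commenter. Builds the per-app
# network namespace plan; the app only ever sees its own veth end, so other
# host interfaces are invisible to it. IPv6 only: a CLAT would be needed
# inside the namespace for IPv4-only destinations.
set -eu

UPLINK="${UPLINK:-wlan0}"   # assumption: host's upstream interface name

# random_suffix: 64-bit interface identifier as four hex groups, e.g.
# "1a2b:3c4d:5e6f:7081", used to give each app (and each rotation) a
# fresh address within its /64.
random_suffix() {
    od -An -N8 -tx2 /dev/urandom | awk '{printf "%s:%s:%s:%s", $1, $2, $3, $4}'
}

# netns_plan APP PREFIX SUFFIX
#   APP    label used for the namespace and interface names
#   PREFIX first four groups of the app's /64, e.g. 2001:db8:1:7
#   SUFFIX interface identifier for the app side, e.g. from random_suffix
# Prints one command per line; nothing is executed here.
netns_plan() {
    app="$1"; prefix="$2"; suffix="$3"
    ns="app-$app"; host_if="veth-$app"; app_if="$app-in"
    cat <<EOF
ip netns add $ns
ip link add $host_if type veth peer name $app_if
ip link set $app_if netns $ns
ip link set $host_if up
ip -n $ns link set lo up
ip -n $ns link set $app_if up
ip addr add ${prefix}::1/64 dev $host_if
ip -n $ns addr add ${prefix}:${suffix}/64 dev $app_if
ip -n $ns route add default via ${prefix}::1 dev $app_if
sysctl -w net.ipv6.conf.all.forwarding=1
EOF
}

# netns_rotate APP OLD_PREFIX OLD_SUFFIX NEW_PREFIX NEW_SUFFIX
# Moves an existing app namespace to a new /64 (new external block) and a
# new interface identifier, adding the new addressing before removing the
# old so in-flight connections are not dropped mid-change.
netns_rotate() {
    app="$1"; oldp="$2"; olds="$3"; newp="$4"; news="$5"
    ns="app-$app"; host_if="veth-$app"; app_if="$app-in"
    cat <<EOF
ip addr add ${newp}::1/64 dev $host_if
ip -n $ns addr add ${newp}:${news}/64 dev $app_if
ip -n $ns route replace default via ${newp}::1 dev $app_if
ip -n $ns addr del ${oldp}:${olds}/64 dev $app_if
ip addr del ${oldp}::1/64 dev $host_if
EOF
}

# apply: run each planned command line (needs CAP_NET_ADMIN / root).
apply() {
    while IFS= read -r cmd; do
        [ -n "$cmd" ] && $cmd
    done
}

# Demo with constructed values: print the plan, or execute it with --apply.
demo_suffix="$(random_suffix)"
if [ "${1:-}" = "--apply" ]; then
    netns_plan app0 2001:db8:1:7 "$demo_suffix" | apply
else
    echo "# plan for app0 on uplink $UPLINK (dry run, pass --apply to execute)"
    netns_plan app0 2001:db8:1:7 "$demo_suffix"
    echo "# rotation to a new prefix"
    netns_rotate app0 2001:db8:1:7 "$demo_suffix" 2001:db8:2:9 "$(random_suffix)"
fi
```

The plan assumes each app gets its own routed /64, which is what makes the host side nothing more than a connected route plus forwarding. On a mobile uplink that provides a single, non-delegated /64, the app addresses would instead have to be taken from that one prefix and made reachable with NDP proxying on the uplink; that is the manual part the earlier comment calls "weird stuff", and it is the reason the reply points at prefix delegation style address assignment rather than hand-built routing.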