Linux Security Summit 2015/Abstracts/Smalley
SELinux in Android Lollipop and Android M
Stephen Smalley, NSA
At last year's LSS, we looked at how SELinux had been applied to protect the Android Trusted Computing Base (TCB), starting with selective root daemon confinement in the Android 4.4 KitKat release and then working toward full confinement and enforcing a core set of TCB protection goals in what was then referred to as Android L, subsequently released as Android 5.0 Lollipop in early November of last year. Android 5.0 Lollipop is the first mainline Android release to ship with SELinux enforcing for all processes, although a number of Samsung devices were shipping with SELinux enforcing for all processes as early as Android 4.3.
In this talk, we will first briefly review the final state of SELinux in the Android 5.0 Lollipop release, including any changes made in subsequent Lollipop updates (e.g. Android 5.1). We will then look at how the Android SELinux support has advanced in the Android Open Source Project (AOSP) master branch since Lollipop was forked and what we expect to be present in the upcoming Android M release later this year (a preview of the M release was just made available and announced at Google I/O). The talk will include discussion of how SELinux has been applied to reinforce user isolation for Android's multi-user model and how SELinux has been applied to strengthen the Chrome sandbox, among other hardening improvements. We will also examine enhancements to the Android Compatibility Test Suite (CTS) to validate the Android SELinux policy for all Android devices and how these tests reduce the risk that OEMs will undermine the system security goals.