SELinux in Android Lollipop and M

More documents

Recommendations

Info

Android 5.0 Lollipop• Officially announced mid-October 2014.• Released to AOSP on November 4, 2014.• First shipped on the Nexus 6, 9, and Player.• Currently running on ~18% of active Android devices.• First official Android release to ship with SELinuxenforcing for all processes.– From the root daemons to the apps.– Mandated by Android 5.0 CDD, tested by CTS.4
SELinux in Android 5.0 Lollipop• All system services and apps are confined.– Including root daemons.• Only two domains are “unconfined”.– kernel and init• Even these two domains are not completelyunrestricted by SELinux.– TCB protection goals are applied universally.– No domain/process is all-powerful.5
Page 1 and 2: SELinux in Android Lollipop and MSt
Page 3: CLASSIFICATION HEADERToday's Talk
Page 7 and 8: Service-specific Protection via SEL
Page 9 and 10: Lollipop Updates●●●5.0.1 thro
Page 11 and 12: SELinux in Android M●●●●●
Page 13 and 14: SELinux and Android Multi-User●
Page 15 and 16: The Chrome for Android sandbox●
Page 17 and 18: Locking down the Binder• Binder i
Page 19 and 20: Policy Hardening• Forced init to
Page 21 and 22: Android & Upstream SELinux• Andro
Page 23 and 24: Ongoing and Future Work• Enable a

SELinux in Android Lollipop and M

Create successful ePaper yourself

Delete template?

Save as template?