The National Security Agency (NSA) releases the first version of Android Security Enhanced. The system is designed to minimize the impact of security holes on Android . SE Android project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the SE Android project is not limited to SELinux.
Distinctive features SE Android:
- Per-file security labeling support for yaffs2,
- Filesystem images (yaffs2 and ext4) labeled at build time,
- Kernel permission checks controlling Binder IPC,
- Labeling of service sockets and socket files created by init,
- Labeling of device nodes created by ueventd,
- Flexible, configurable labeling of apps and app data directories,
- Userspace permission checks controlling use of the Zygote socket commands,
- Minimal port of SELinux userspace,
- SELinux support for the Android toolbox,
- Small TE policy written from scratch for Android,
- Confined domains for system services and apps,
- Use of MLS categories to isolate apps.
- The Goal of Security Enhanced (SE) Android is to improve our understanding of Android security, Integrate SELinux into Android in acomprehensive and coherent manner,Demonstrate useful security functionality inAndroid using SELinux, Improve the suitability of SELinux for Android and Identify other security gaps in Android that needto be addressed.
How can SELinux help Android?
- Confine privileged daemons.
- Protect them from misuse.
- Limit the damage that can be done via them.
- Sandbox and isolate apps.
- Strongly separate apps from each other and from the system.
- Prevent privilege escalation by apps.
- Provide centralized, analyzable policy.