How can it have a system partition which is read only and still make the user create and use its files? How does it differ from Linux in terms of permissions and user management? How are the users kind of “confined” in android?
It looks really complicated, very different from Linux! I cannot understand properly all the sandboxing thing… But I guess it’s years of development and policies enforcement… Now I can see why Android it’s much more closed compared to a normal Linux distro, I guess this provides a lot of security but less customization. I also have to understand the role of the device manager in all of this. Is there any Linux distro that behaves similarly?
Why so much effort into securing it? Isn’t the Linux behaviour with users etc enough?
FWIW SELinux is a standard Linux feature - mostly used by RedHat distros.
The difference is the approach to how much a system should be locked down. Desktop systems are traditionally more flexible, probably more for historic reasons, partly due to being used by more technically sophisticated users (or at least assuming users would be more sophisticated). Smart phones, however, were marketed towards the lowest-common denominator users running on a device with many limitations as well. I’m not disparaging these users mind - just stating a fact. So things need to be locked down more. And since these platforms had no legacy expectations on them they could do it however they like (e.g. they can dictate which directories are used for what purposes).
The desktop is sorta moving in this direction as well. Flatpaks and snaps run applications in containers which can be restricted and isolated from each other as well as from the rest of the system. It takes time for applications to catch up to being sandboxed though so it is happening slowly.
Android is Linux using SELinux for user confinement plus users do not have root access and it uses verified boot to enforce all that.
Keep in mind the system meaning root can do anything it wants. User apps cannot though they can ask the system to do certain things for example by SUID executables for example or other methods. Not sure how android actually does it.
What is different about Android is owner, user, work profiles, and the new private space structure. Not sure low level how that is done but presumably combination of different users, SELinix, and different encryption keys.
Only a part is immutable, but you can alter other files, which are mounted with write permissions. Kind of like NixOS works. Here, this is part of the output if I enter “mount” in termux
/dev/block/dm-7 on /system/lib64/netd_event_listener_interface-V1-cpp.so type ext4 (ro,relatime,seclabel,discard) /dev/block/dm-7 on /system/lib64/oemnetd_aidl_interface-cpp.so type ext4 (ro,relatime,seclabel,discard) /dev/block/dm-7 on /system/lib64/packagemanager_aidl-cpp.so type ext4 (ro,relatime,seclabel,discard) /dev/block/dm-7 on /system/lib64/server_configurable_flags.so type ext4 (ro,relatime,seclabel,discard) /dev/block/dm-7 on /system/lib64/service.incremental.so type ext4 (ro,relatime,seclabel,discard) /dev/block/dm-7 on /system/lib64/shared-file-region-aidl-cpp.so type ext4 (ro,relatime,seclabel,discard) /dev/block/dm-7 on /system/lib64/spatializer-aidl-cpp.so type ext4 (ro,relatime,seclabel,discard) /dev/block/dm-7 on /system/lib64/vendor.qti.hardware.display.config-V5-ndk.so type ext4 (ro,relatime,seclabel,discard) tmpfs on /storage type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,mode=755,gid=1000) /dev/fuse on /storage/emulated type fuse (rw,nosuid,nodev,noexec,noatime,lazytime,user_id=0,group_id=0,allow_other) /data/media on /storage/emulated/0/Android/data type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal,unshared_obb) /data/media on /storage/emulated/0/Android/obb type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal,unshared_obb)Look how the paths are mounted. /data/media has read/write permission, while other mount points not. I could probably mount /bin and /sbin read only and it wouldnt harm my system at all. It would probably only than changed, if I perform some update (Lets say rm has suddenly some critical bug). You can also read about A/B partituons on the Internet. This works a bit complexer under the hood, meaning creating a way to perform updates and so on.
