Another *nasty* problem facing Flatpak is that it has to support systems with SELinux not in use. It can’t rely on SELinux because not every distro supports SELinux. And Flatpak apps are usually native apps, unlike Android where everything uses abstracted APIs.
Conversation
SELinux is an implementation detail on Android from app perspective and could be something else. There's a lot of value in declarative, static security policies.
Linux kernel has decided LSMs and eBPF obsolete doing things other ways so that's another major reason for it.
2
Android used to have gid-based socket restrictions similar to the grsecurity patches and a network usage monitoring kernel module, etc. All that stuff has been removed since it supports mainline kernels. Instead netd (but nothing else) can use a bpfloader program to use eBPF.
1
Just the direction things are headed for Linux. They had to replace a 40 line of code kernel patch and a 500 line of code kernel module with thousands of lines of userspace management code and thousands of lines of eBPF management and compilation stuff. I don't find it cleaner.
1
They only "had to" do that at all because it was the bad security model they inherited. Better would be not to have either.
1
The network usage monitoring isn't really part of the security model but rather properly monitoring and controlling application data usage. It's a mix of netfilter with eBPF code. They previously had a netfilter module handling everything and had to replace it to use mainline.
2
OK, but you could just give each app its own virtual interface in its own network namespace, and watch the stats on the interface, and cut it off from the real network interface when you don't want it to have access.
1
The way it's wired up to netfilter gives a kind of push design since netfilter updates the per app stats as things happen without needing to poll for them.
It has to fit into the overall per-network metering, etc.
Network ns would be nice for per-profile localhost though.
2
1
Our plan for that is supporting any number of lightweight nested profiles with it trivial to run each app in a separate one since we need to restrict all forms of app communication (which profiles do) rather than just one form of it.
1
1
Android 12 adds support for nested profiles without requiring work profiles anymore so we have something to build on now and can get that done in a limited form in a couple months instead of feeling like it'd be too invasive to even attempt it previously.