the policy MUST compile with all neverallow rules present, for both AOSP SELinux
domains as well as device/vendor specific domains.
[C-1-5] MUST run third-party applications targeting API level 28 or higher in per-
application SELinux sandboxes with per-app SELinux restrictions on each application's
private data directory.
SHOULD retain the default SELinux policy provided in the system/sepolicy folder of the
upstream Android Open Source Project and only further add to this policy for their own
device-specific configuration.
If device implementations use a kernel other than Linux, they:
[C-2-1] MUST use a mandatory access control system that is equivalent to SELinux.
Android contains multiple defense-in-depth features that are integral to device security.
Device implementations:
[C-SR] Are STRONGLY RECOMMENDED not to disable Control-Flow Integrity (CFI) or
Integer Overflow Sanitization (IntSan) on components that have it enabled.
[C-SR] Are STRONGLY RECOMMENDED to enable both CFI and IntSan for any additional
security-sensitive userspace components as explained in CFI and IntSan.
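As an added illustration of the bug class IntSan exists to stop (this is example code written for this edit, not text or code from the CDD or AOSP), the C below computes an allocation size first without a check, where the multiplication silently wraps, and then with an explicit overflow check. The function names and the use of malloc are choices made for the example; the compiler flags named in the comments are clang's IntSan and CFI options, which are what AOSP's build enables through the Soong `sanitize` property (`integer_overflow: true`, `cfi: true`).

```c
// Added example, not from the CDD or AOSP: the size-computation pattern
// IntSan traps on, shown unchecked and with an explicit overflow check.
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked: count * elem_size wraps modulo SIZE_MAX + 1 on overflow, so a
 * huge count yields a tiny buffer. Built with AOSP's IntSan flags
 * (-fsanitize=signed-integer-overflow,unsigned-integer-overflow
 *  -fsanitize-trap=all) the wrap becomes a trap instead of a short
 * allocation. Without the sanitizer it returns the wrapped value. */
size_t unchecked_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Checked: __builtin_mul_overflow reports the wrap so the caller can refuse.
 * This is correct with or without the sanitizer; IntSan is the safety net for
 * the arithmetic a reviewer missed. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out) {
    size_t total;
    if (__builtin_mul_overflow(count, elem_size, &total)) {
        return false;
    }
    *out = total;
    return true;
}

/* Allocate room for count elements of elem_size bytes; NULL on overflow or
 * allocation failure. Caller frees. (CFI, enabled with -fsanitize=cfi -flto,
 * would separately catch an indirect call through a corrupted pointer to a
 * function of a different type; it is not exercised here.) */
void *alloc_array(size_t count, size_t elem_size) {
    size_t total;
    if (!checked_alloc_size(count, elem_size, &total)) {
        return NULL;
    }
    return malloc(total);
}

int main(void) {
    size_t out = 0;
    printf("unchecked SIZE_MAX*2 = %zu (wrapped)\n",
           unchecked_alloc_size(SIZE_MAX, 2));
    printf("checked 1000*8 ok=%d total=%zu\n",
           checked_alloc_size(1000, 8, &out), out);
    printf("checked SIZE_MAX*2 ok=%d\n", checked_alloc_size(SIZE_MAX, 2, &out));
    void *p = alloc_array(16, sizeof(uint32_t));
    printf("alloc_array(16, 4) %s\n", p ? "succeeded" : "failed");
    free(p);
    return 0;
}
```

Compile the block once normally and once with the IntSan flags from the comment: the plain build prints the wrapped value, while the sanitized build traps inside unchecked_alloc_size, which is exactly the behaviour the recommendation above asks device implementers not to switch off.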
9.8. Privacy
9.8.1. Usage History
Android stores the history of the user's choices and manages such history by
UsageStatsManager.
Device implementations:
[C-0-1] MUST keep a reasonable retention period of such user history.
[SR] Are STRONGLY RECOMMENDED to keep the 14 days retention period as configured
by default in the AOSP implementation.
Android stores the system events using the StatsLog identifiers, and manages such
history via the StatsManager and the IncidentManager System API.
Device implementations:
[C-0-2] MUST only include the fields marked with DEST_AUTOMATIC in the incident report
created by the System API class IncidentManager.
[C-0-3] MUST not use the system event identifiers to log any other event than what is
described in the StatsLog SDK documents. If additional system events are logged, they
MAY use a different atom identifier in the range between 100,000 and 200,000.
9.8.2. Recording
Device implementations:
[C-0-1] MUST NOT preload or distribute software components out-of-box that send the
user's private information (e.g. keystrokes, text displayed on the screen) off the device
without the user's consent or clear ongoing notifications.
If device implementations include functionality in the system that captures the contents displayed on
the screen and/or records the audio stream played on the device, they: