Back in April of this year, signs were unsurprisingly pointed to the eventual arrival of Android Q on Chrome OS, but we’ve not heard much on this front in the ensuing weeks since that initial nugget of info was uncovered. Meanwhile, the Android team has been full steam ahead getting the final pieces in place for the initial roll out of Android 10 (no more desert names) on Pixel phones. With all the hype around Android 10, the slight marketing changes around the Android logo, and the excitement around some of the new features arriving in the platform, it is easy to forget that Chromebooks also stand to benefit from this latest upgrade as well.
We’re not sure exactly what parts of Android 10 that developers will be able to fully leverage on a Chromebook, but it is clear that work is underway to get it on board sooner than later. On September 4th, a new commit was added to the Chromium Repositories that quite clearly shows the migration to Android Q is fully underway.
sepolicy: add Q too.
For a tad bit of reference, SEPolicy is in reference to SELinux, which is part of what Google uses to securely bring the Android Framework to Chromebooks so that you can enjoy the entire Play Store experience on Chrome OS. SE stands for security-enhanced and the SEPolicy helps to define what parts can and cannot be accessed by the OS, down to the file level if need be. Check out this summary from Embedded & Distributed:
It is much fine-grained. It has lots of permissions defined for different type of resources. It is based on the principle of default denial. We need to write rules explicitly state what a process, or a type of process (called domain in SELinux), are allowed to do. That means even root processes are contained. A malicious process belongs to no domain actually end up can do nothing at all. This is a great enhancement to the DAC based security module, and hence the name Security-Enhanced Linux, aka SELinux.
It is really a very fine-grained type system. Take a look at those different types of proc_xxx. Because of this fine-grained labeling, we can write accurate rules that will only allow a process to access a very narrow subset of resources, or even a single file, when that type labels only a single file.
I’ll be honest, there’s a lot about SELinux that I don’t have a firm grasp on, but I do understand enough about what is going on here to confidently say that if they are adding the SEPolicy for Andoid 10, we should be seeing signs of it in Chrome OS in the next update or two. As for what we hope to see from this latest update, my mind immediately goes to dark mode (we have reason to believe it is coming soon to Chrome OS, too), live captions, and the insanely-fast Google Assistant we saw back at I/O. Whether any of these new Android features actually come to Chrome OS via an Android update is still yet to be seen. After all, for Chromebooks, we really just leverage the Android Framework, so Chrome OS isn’t really that dependent on system-level changes to Android. As we learn more, we’ll keep you updated.