GrapheneOS is immune to the Copy Fail vulnerability due to the deep integration of SELinux in the Android Open Source Project (AOSP). AOSP only permits using specific types of sockets throughout the OS. It only permits the dumpstate process used to create bug report zips to access AF_ALG sockets.

SELinux is based on explicitly listing out everything that’s permitted and anything not listed isn’t allowed. AOSP uses strict, fine-grained SELinux policies for the whole OS. Instead of simply permitting everything that’s used in a fine-grained way, the rest of the OS is developed with it in mind.

Android makes extensive use of neverallow rules to define and enforce the security goals for SELinux. Since SELinux uses an allowlist approach, neverallow rules don’t directly disallow anything at runtime but rather prevent creating rules violating the constraints. It does this for socket types.

Here’s where Android defines a neverallow for many types of sockets including AF_ALG for regular sandboxed apps:

https://android.googlesource.com/platform/system/sepolicy/+/refs/tags/android-16.0.0_r4/private/app_neverallows.te#130

Android has a versioned app sandbox which gets stricter for new API levels. The versioned domains inherit from that untrusted_app_all domain.

Android’s usage of SELinux is drastically different from mainstream desktop and server Linux distributions where it’s only lightly used in a very targeted way. This is a nice example showing how it massively reduces Linux kernel attack surface on AOSP-based operating systems including GrapheneOS.

Android splits SELinux into system and vendor policies. Both of these must conform to the extensive neverallow rules. The vendor policies are defined as part of implementing hardware support for a device and permit what’s required by the drivers. Most of the driver code is sandboxed userspace code.

Android extended SELinux with support for ioctl command allowlists to reduce kernel attack surface. These ioctl command allowlists are used for sockets and many other core kernel devices to limit attack surface. It’s also used with drivers in the vendor policies such as GPU ioctl command allowlists.

The site for Copy Fail says it impacts every mainstream Linux distribution but that’s not really the case. Mainstream mobile Linux is based on AOSP and doesn’t have nearly as much kernel attack surface as desktop and server distributions combined with having much more hardening enabled.

https://copy.fail/

We’ll be moving this kind of content to our forum soon where we can write more about it and use proper formatting including headers and relevant inline images. We haven’t moved to the new approach yet but we’ve published this thread on our forum too:

https://discuss.grapheneos.org/d/35110-grapheneos-is-protected-against-copy-fail-and-similar-vulnerabilities-by-selinux
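The post’s key point is that neverallow rules are build-time constraints, not runtime denials: the policy compiler refuses to build a policy in which any allow rule intersects a neverallow. The following is an added example, not code from GrapheneOS or AOSP, that models that check on a tiny single-line subset of the .te syntax. The attribute memberships (all_untrusted_apps, domain), the domains, and the policy fragment are constructed for illustration and are not the real app_neverallows.te; only the shape of the rule (untrusted apps barred from alg_socket and other socket classes, dumpstate allowed) follows the post.

```python
"""Toy model of SELinux neverallow checking as build-time constraint validation.

Added example, not GrapheneOS or AOSP code. Single-line allow/neverallow
statements only; attributes, domains and rules are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed attribute membership. Real policy declares these in the .te files.
ATTRIBUTES = {
    "all_untrusted_apps": {"untrusted_app", "untrusted_app_32"},
    "domain": {"untrusted_app", "untrusted_app_32", "dumpstate", "init"},
}


@dataclass(frozen=True)
class Rule:
    kind: str            # "allow" or "neverallow"
    sources: frozenset   # source domains or attributes
    targets: frozenset   # target types/attributes, or "self"
    tclass: str          # one object class, e.g. "alg_socket"
    perms: frozenset     # permissions; {"*"} means every permission


_TOKEN = r"(\{[^}]*\}|[^\s{}:;]+)"
_RULE_RE = re.compile(
    rf"^(allow|neverallow)\s+{_TOKEN}\s+{_TOKEN}:{_TOKEN}\s+{_TOKEN}\s*;$"
)


def _as_set(token: str) -> frozenset:
    """'{ a b }' -> {a, b}; 'a' -> {a}."""
    token = token.strip()
    if token.startswith("{"):
        return frozenset(token[1:-1].split())
    return frozenset([token])


def parse_policy(text: str) -> list:
    """Parse statements; a class set such as {a b} yields one Rule per class."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported statement: {line!r}")
        kind, src, tgt, cls, perms = m.groups()
        for tclass in _as_set(cls):
            rules.append(Rule(kind, _as_set(src), _as_set(tgt), tclass, _as_set(perms)))
    return rules


def _expand(names: frozenset) -> set:
    """Replace attributes by their member domains; plain types pass through."""
    out = set()
    for name in names:
        out |= ATTRIBUTES.get(name, {name})
    return out


def _targets_of(rule: Rule) -> set:
    # 'self' means "the same type as the source domain".
    expanded = _expand(rule.targets - {"self"})
    if "self" in rule.targets:
        expanded |= _expand(rule.sources)
    return expanded


def violations(rules: list) -> list:
    """Return (allow, neverallow) pairs whose (source, target, class, perms) intersect.

    A neverallow blocks nothing at runtime; it makes the policy fail to build.
    """
    found = []
    for nv in (r for r in rules if r.kind == "neverallow"):
        for al in (r for r in rules if r.kind == "allow"):
            if al.tclass != nv.tclass:
                continue
            if not (_expand(al.sources) & _expand(nv.sources)):
                continue
            if not (_targets_of(al) & _targets_of(nv)):
                continue
            if "*" not in nv.perms and not (al.perms & nv.perms):
                continue
            found.append((al, nv))
    return found


# Constructed fragment in the spirit of app_neverallows.te (not the real file).
SAMPLE_POLICY = """
neverallow all_untrusted_apps domain:{ alg_socket rawip_socket packet_socket } *;
allow dumpstate self:alg_socket { create bind read write };   # bug-report tool, not an app
allow untrusted_app self:tcp_socket { create connect };        # class not constrained
"""

# A rule that would hand AF_ALG to sandboxed apps: the build rejects it.
BAD_RULE = "allow untrusted_app self:alg_socket { create bind };\n"


if __name__ == "__main__":
    print("base policy violations:", violations(parse_policy(SAMPLE_POLICY)))
    for al, nv in violations(parse_policy(SAMPLE_POLICY + BAD_RULE)):
        print(f"rejected: allow {set(al.sources)} {set(al.targets)}:{al.tclass} "
              f"conflicts with neverallow {set(nv.sources)} {set(nv.targets)}:{nv.tclass}")
```

The base fragment builds cleanly because dumpstate is outside all_untrusted_apps and tcp_socket is not a constrained class; appending the single allow for untrusted_app on alg_socket produces exactly one conflict, which is the build failure the post describes. The toy does not model the ioctl allowlists (allowxperm) the post also mentions; those are a separate rule form layered on top of the same allow/neverallow logic.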

  • Truancy@lemmy.org · 3 points · 4 days ago (edited)

    Random question: I personally have become pretty dependent on my Z Fold 7, do you guys think there will ever be a way to get GrapheneOS or any alternative? Or will there be an alternative phone in the future with the same features as the Z Fold? I do value my privacy and I’ve done all I can on my phone rn.

    • FoundFootFootage78@lemmy.ml · 11 points · 3 days ago (edited)

      GrapheneOS only works on Google Pixel devices, and in the future it will work on some Motorola devices. No other devices are supported nor will be supported for the foreseeable future.

      • racoon@lemmy.ml · 2 points · 3 days ago

        Apparently, you can’t even blame them for having chosen devices that meet certain criteria.