Android uses the Unix permission model heavily - sandboxing is achieved by creating a new user per app, and filesystem, network, etc permissions are managed via user and group IDs just like with Unix.
So how is it "very different" (in implementation, not surface appearance)?
Surface appearance was my point -- it's possible to create a model that's very different from the user's perspective without changing the underlying model of the kernel.
So how is it "very different" (in implementation, not surface appearance)?