security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

split out sandboxed Google Play section

Browse Source
This commit is contained in:
Daniel Micay 2022-05-09 14:59:01 -04:00
parent c8a712bd65
commit 0a673cfa25
2 changed files with 43 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
static/features.html
View File

@ -88,6 +88,7 @@
<li> <li>
<a href="#grapheneos">GrapheneOS</a> <a href="#grapheneos">GrapheneOS</a>
<ul> <ul>
<li><a href="#sandboxed-google-play">Sandboxed Google Play</a></li>
<li><a href="#more-complete-patching">More complete patching</a></li> <li><a href="#more-complete-patching">More complete patching</a></li>
<li><a href="#disabling-secondary-user-app-installation">Disabling secondary <li><a href="#disabling-secondary-user-app-installation">Disabling secondary
user app installation</a></li> user app installation</a></li>
@ -310,11 +311,47 @@
they avoid requiring invasive OS integration. Building privileged support for they avoid requiring invasive OS integration. Building privileged support for
Google services into the OS isn't something we're going to be doing, even if Google services into the OS isn't something we're going to be doing, even if
that's partially open source like microG.</li> that's partially open source like microG.</li>
<li><a href="/usage#sandboxed-google-play">Compatibility layer for coercing
user installed Google Play services into running as sandboxed apps without any
special privileges.</a></li>
</ul> </ul>
<section id="sandboxed-google-play">
<h3><a href="#sandboxed-google-play">Sandboxed Google Play</a></h3>
<p>GrapheneOS has a compatibility layer providing the option to install and use
the official releases of Google Play in the standard app sandbox. Google Play
receives absolutely no special access or privileges on GrapheneOS as opposed to
bypassing the app sandbox and receiving a massive amount of highly privileged
access. Instead, the compatibility layer teaches it how to work within the full
app sandbox. It also isn't used as a backend for the OS services as it would be
elsewhere since GrapheneOS doesn't use Google Play even when it's installed.</p>
<p>Since the Google Play apps are simply regular apps on GrapheneOS, you install
them within a specific user or work profile and they're only available within that
profile. Only apps within the same profile can use it and they need to explicitly
choose to use it. It works the same way as any other app and has no special
capabilities. As with any other app, it can't access data of other apps and
requires explicit user consent to gain access to profile data or the standard
permissions. Apps within the same profile can communicate with mutual consent and
it's no different for sandboxed Google Play.</p>
<p>The core functionality and APIs are almost entirely supported already since
GrapheneOS largely only has to coerce these apps into continuing to run without
being able to use any of the usual invasive OS integration. A compatibility layer
is also provided to support dynamically downloaded/loaded modules (dynamite
modules). The compatibility layer will be gradually expanded and improved in order
to get more of the Google Play functionality working.</p>
<p>GrapheneOS provides a dedicated compatibility layer for Play Store app
installation/updates/removal teaching it to use the standard unprivileged approach
available to sandboxed apps. It prompts the user to permit it as an app source and
then prompts for the initial app install/update or removal. It will use Android
12's support for unattended updates when possible which means it can do unattended
updates of modern (API 29+) apps where it was the installer for the currently
installed version already.</p>
<p>See the <a href="/usage#sandboxed-google-play-installation">usage guide
section on sandboxed Google Play</a> for instructions.</p>
</section>
<section id="more-complete-patching"> <section id="more-complete-patching">
<h3><a href="#more-complete-patching">More complete patching</a></h3> <h3><a href="#more-complete-patching">More complete patching</a></h3>

3
static/usage.html
View File

@ -813,6 +813,9 @@
<section id="sandboxed-google-play"> <section id="sandboxed-google-play">
<h2><a href="#sandboxed-google-play">Sandboxed Google Play</a></h2> <h2><a href="#sandboxed-google-play">Sandboxed Google Play</a></h2>
<!-- keep in sync with features.html since we aren't simply linking to
features.html to avoid people skipping this important explanation -->
<p>GrapheneOS has a compatibility layer providing the option to install and use <p>GrapheneOS has a compatibility layer providing the option to install and use
the official releases of Google Play in the standard app sandbox. Google Play the official releases of Google Play in the standard app sandbox. Google Play
receives absolutely no special access or privileges on GrapheneOS as opposed to receives absolutely no special access or privileges on GrapheneOS as opposed to