security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

Add Storage Scopes section and ToC entry

Browse Source
This commit is contained in:
Jorge Luis Carrillo 2023-09-08 18:43:34 -07:00 committed by Daniel Micay
parent 115735c944
commit 5942134bc6
1 changed files with 42 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
static/usage.html
View File

@ -49,7 +49,12 @@
<li><a href="#3-button-navigation">3-button navigation</a></li> <li><a href="#3-button-navigation">3-button navigation</a></li>
</ul> </ul>
</li> </li>
<li><a href="#storage-access">Storage access</a></li> <li>
<a href="#storage-access">Storage access</a>
<ul>
<li><a href="#storage-scopes">Storage Scopes</a></li>
</ul>
</li>
<li><a href="#accessibility">Accessibility</a></li> <li><a href="#accessibility">Accessibility</a></li>
<li><a href="#auditor">Auditor</a></li> <li><a href="#auditor">Auditor</a></li>
<li> <li>
@ -265,47 +270,49 @@
providers and modern Android has removed the legacy approach for accessing providers and modern Android has removed the legacy approach for accessing
external drives.</p> external drives.</p>
<h3>Storage Scopes</h3> <section id="storage-scopes">
<h3><a href="#storage-scopes">Storage Scopes</a></h3>
<p>GrapheneOS provides the Storage Scopes feature as a fully compatible alternative <p>GrapheneOS provides the Storage Scopes feature as a fully compatible alternative
to the standard Android storage permissions. to the standard Android storage permissions.
Storage Scopes can be enabled only if the app doesn't have any storage permission. Storage Scopes can be enabled only if the app doesn't have any storage permission.
Enabling Storage Scopes makes the app assume that it has all of storage permissions Enabling Storage Scopes makes the app assume that it has all of storage permissions
that were requested by it, despite not actually having any of them.</p> that were requested by it, despite not actually having any of them.</p>
<p>This means that the app can't see any of the files that were created by other apps. <p>This means that the app can't see any of the files that were created by other apps.
The app is still allowed to create files and directories, same as any other modern The app is still allowed to create files and directories, same as any other modern
app that doesn't have any storage access permission.</p> app that doesn't have any storage access permission.</p>
<p>Apps that would normally use the legacy storage mode are switched to the <p>Apps that would normally use the legacy storage mode are switched to the
modern storage mode when Storage Scopes is enabled.</p> modern storage mode when Storage Scopes is enabled.</p>
<p>If the app requests the "All files access" permission (or is a legacy app <p>If the app requests the "All files access" permission (or is a legacy app
that requests <code>WRITE_EXTERNAL_STORAGE</code> permission), then the write that requests <code>WRITE_EXTERNAL_STORAGE</code> permission), then the write
restrictions that are normally applied to apps that don't have a storage access restrictions that are normally applied to apps that don't have a storage access
permission are relaxed to provide the same write access that the app would have if permission are relaxed to provide the same write access that the app would have if
it was granted the "All files access" permission. it was granted the "All files access" permission.
This is done to ensure compatibility with apps that, for example, create a new This is done to ensure compatibility with apps that, for example, create a new
directory in the root of shared storage, or write a text file (eg lyrics.txt) to directory in the root of shared storage, or write a text file (eg lyrics.txt) to
the Music/ directory (normally, only audio files can be placed there). the Music/ directory (normally, only audio files can be placed there).
No additional read access is granted to such apps, they still can see only their No additional read access is granted to such apps, they still can see only their
own files. own files.
</p> </p>
<p>For all other apps, enabling Storage Scopes doesn't grant any additional <p>For all other apps, enabling Storage Scopes doesn't grant any additional
storage access beyond what a modern app that doesn't have any storage permission storage access beyond what a modern app that doesn't have any storage permission
already has.</p> already has.</p>
<p>Optionally, users can specify which of the files created by other apps the app <p>Optionally, users can specify which of the files created by other apps the app
can access. Access can be granted to a specific file or to all files in can access. Access can be granted to a specific file or to all files in
a directory. The standard SAF picker is used for this purpose in a special mode a directory. The standard SAF picker is used for this purpose in a special mode
where it shows only shared storage files/directories.</p> where it shows only shared storage files/directories.</p>
<p>The most significant limitation of Storage Scopes is the fact that the app <p>The most significant limitation of Storage Scopes is the fact that the app
will lose access to files that it created if it's uninstalled and then installed will lose access to files that it created if it's uninstalled and then installed
again, same as any other app that doesn't have a storage access permission. again, same as any other app that doesn't have a storage access permission.
As a workaround, users can manually grant access to these files/directories via As a workaround, users can manually grant access to these files/directories via
SAF picker.</p> SAF picker.</p>
</section>
</section> </section>
<section id="accessibility"> <section id="accessibility">