rewrite sandboxed Play services section
This commit is contained in:
parent
edfb3c3842
commit
6de01bb6bc
@ -782,29 +782,44 @@
|
||||
<section id="sandboxed-play-services">
|
||||
<h2><a href="#sandboxed-play-services">Sandboxed Play services</a></h2>
|
||||
|
||||
<p>GrapheneOS has support for installing the official releases of
|
||||
com.android.vending (Google Play Store), com.google.android.gms (Google Play
|
||||
services), com.google.android.gsf (Google Services Framework) as regular sandboxed
|
||||
apps in a specific profile. These receive no special privileges and the OS itself
|
||||
doesn't use them for anything. They run as unprivileged, sandboxed apps like any
|
||||
others. GrapheneOS simply provides fallback code teaching them how to run without
|
||||
any of the special privileged permissions and SELinux policy they depend on
|
||||
having. You can choose which apps will use them by using a dedicated user profile
|
||||
since apps can't share data or communicate across users. A work profile also
|
||||
works, although without as much isolation. Even within the same profile, apps not
|
||||
explicitly choosing to use Google services won't use them because the OS doesn't
|
||||
integrate support for it or use it as the backend for APIs in the OS like the
|
||||
stock OS.</p>
|
||||
<p>GrapheneOS has a compatibility layer providing the option to install and use
|
||||
the official releases of Play services in the standard app sandbox. Play services
|
||||
receives absolutely no special or privileges on GrapheneOS as opposed to bypassing
|
||||
the app sandbox and receiving a massive amount of highly privileged access. It
|
||||
also doesn't become a backend for the OS services as it does elsewhere. GrapheneOS
|
||||
itself doesn't use Play services even when it's installed. Since the Play services
|
||||
apps are simply regular apps on GrapheneOS, they get installed by the user within
|
||||
a specific user or work profile and are only available within that profile. Only
|
||||
apps within the same profile can use it and they need to explicitly choose to use
|
||||
it. It works the same way as any other app and has no special capabilities. As
|
||||
with any other app, it can't access data of other apps and requires explicit user
|
||||
consent to gain access to profile data or the standard permissions.</p>
|
||||
|
||||
<p>The core functionality and APIs are almost entirely supported already since
|
||||
GrapheneOS largely only has to coerce these apps into continuing to run without
|
||||
being able to use any of the usual invasive OS integration. A compatibility layer
|
||||
is also provided to support dynamically downloaded/loaded modules (dynamite
|
||||
modules).</p>
|
||||
modules). The compatibility layer will be gradually expanded and improved in order
|
||||
to get more of the Play services functionality working.</p>
|
||||
|
||||
<section id="sandboxed-play-services-installation">
|
||||
<h3><a href="#sandboxed-play-services-installation">Installation</a></h3>
|
||||
|
||||
<p>Play services is divided up into 3 separate apps: Google Services Framework
|
||||
(com.google.android.gsf), Google Play services (com.google.android.gms) and
|
||||
Google Play Store (com.android.vending). To use sandboxed Play services, you
|
||||
simply need to install the official releases of these 3 apps in the user and
|
||||
work profiles where you want to use it.</p>
|
||||
|
||||
<p>The simplest approach is to only use the Owner user profile. Apps installed
|
||||
in the Owner profile are sandboxed the same way as everywhere else and don't
|
||||
receive any special access. If you want to choose which apps use Play services
|
||||
rather than making it available to all of them, install it in a separate user
|
||||
or work profile for apps depending on Play services. You could also do it the
|
||||
other way around, but it makes more sense to try to use as much as possible
|
||||
without Play services rather than treating not using it as the exceptional
|
||||
case.</p>
|
||||
|
||||
<p>Install com.google.android.gsf, then com.google.android.gms and finally use
|
||||
a split APK installer to install all 5 of the APKs for com.android.vending
|
||||
together. Make sure to install all 3 in the correct order and don't skip
|
||||
|
Loading…
x
Reference in New Issue
Block a user