rewrite sandboxed Play services section

This commit is contained in:
Daniel Micay 2021-11-12 10:43:52 -05:00
parent edfb3c3842
commit 6de01bb6bc

@ -782,29 +782,44 @@
<section id="sandboxed-play-services">
<h2><a href="#sandboxed-play-services">Sandboxed Play services</a></h2>
<p>GrapheneOS has support for installing the official releases of
com.android.vending (Google Play Store), com.google.android.gms (Google Play
services), com.google.android.gsf (Google Services Framework) as regular sandboxed
apps in a specific profile. These receive no special privileges and the OS itself
doesn't use them for anything. They run as unprivileged, sandboxed apps like any
others. GrapheneOS simply provides fallback code teaching them how to run without
any of the special privileged permissions and SELinux policy they depend on
having. You can choose which apps will use them by using a dedicated user profile
since apps can't share data or communicate across users. A work profile also
works, although without as much isolation. Even within the same profile, apps not
explicitly choosing to use Google services won't use them because the OS doesn't
integrate support for it or use it as the backend for APIs in the OS like the
stock OS.</p>
<p>GrapheneOS has a compatibility layer providing the option to install and use
the official releases of Play services in the standard app sandbox. Play services
receives absolutely no special or privileges on GrapheneOS as opposed to bypassing
the app sandbox and receiving a massive amount of highly privileged access. It
also doesn't become a backend for the OS services as it does elsewhere. GrapheneOS
itself doesn't use Play services even when it's installed. Since the Play services
apps are simply regular apps on GrapheneOS, they get installed by the user within
a specific user or work profile and are only available within that profile. Only
apps within the same profile can use it and they need to explicitly choose to use
it. It works the same way as any other app and has no special capabilities. As
with any other app, it can't access data of other apps and requires explicit user
consent to gain access to profile data or the standard permissions.</p>
<p>The core functionality and APIs are almost entirely supported already since
GrapheneOS largely only has to coerce these apps into continuing to run without
being able to use any of the usual invasive OS integration. A compatibility layer
is also provided to support dynamically downloaded/loaded modules (dynamite
modules).</p>
modules). The compatibility layer will be gradually expanded and improved in order
to get more of the Play services functionality working.</p>
<section id="sandboxed-play-services-installation">
<h3><a href="#sandboxed-play-services-installation">Installation</a></h3>
<p>Play services is divided up into 3 separate apps: Google Services Framework
(com.google.android.gsf), Google Play services (com.google.android.gms) and
Google Play Store (com.android.vending). To use sandboxed Play services, you
simply need to install the official releases of these 3 apps in the user and
work profiles where you want to use it.</p>
<p>The simplest approach is to only use the Owner user profile. Apps installed
in the Owner profile are sandboxed the same way as everywhere else and don't
receive any special access. If you want to choose which apps use Play services
rather than making it available to all of them, install it in a separate user
or work profile for apps depending on Play services. You could also do it the
other way around, but it makes more sense to try to use as much as possible
without Play services rather than treating not using it as the exceptional
case.</p>
<p>Install com.google.android.gsf, then com.google.android.gms and finally use
a split APK installer to install all 5 of the APKs for com.android.vending
together. Make sure to install all 3 in the correct order and don't skip
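Review bot: the new paragraph starting "GrapheneOS has a compatibility layer providing the option to install and use the official releases of Play services in the standard app sandbox." has a dropped word in "Play services receives absolutely no special or privileges on GrapheneOS"; it should read "receives absolutely no special access or privileges on GrapheneOS", since the rest of the sentence contrasts sandboxing with "bypassing the app sandbox and receiving a massive amount of highly privileged access". Separately, that new paragraph restates the package list, the per-profile availability and the "apps must explicitly opt in" point that the preceding paragraph ("GrapheneOS has support for installing the official releases of com.android.vending ...") already makes, and the Installation subsection lists the same three packages again; if the preceding paragraph is meant to survive this rewrite, consider dropping the package names from it and keeping the full list only once, in the Installation subsection where the install order matters.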