From 6de01bb6bc95b790d88f468cb9bae5d42f23db51 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Fri, 12 Nov 2021 10:43:52 -0500 Subject: [PATCH] rewrite sandboxed Play services section --- static/usage.html | 43 +++++++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/static/usage.html b/static/usage.html index f0869985..1e63bfe2 100644 --- a/static/usage.html +++ b/static/usage.html @@ -782,29 +782,44 @@

Sandboxed Play services

-

GrapheneOS has support for installing the official releases of - com.android.vending (Google Play Store), com.google.android.gms (Google Play - services), com.google.android.gsf (Google Services Framework) as regular sandboxed - apps in a specific profile. These receive no special privileges and the OS itself - doesn't use them for anything. They run as unprivileged, sandboxed apps like any - others. GrapheneOS simply provides fallback code teaching them how to run without - any of the special privileged permissions and SELinux policy they depend on - having. You can choose which apps will use them by using a dedicated user profile - since apps can't share data or communicate across users. A work profile also - works, although without as much isolation. Even within the same profile, apps not - explicitly choosing to use Google services won't use them because the OS doesn't - integrate support for it or use it as the backend for APIs in the OS like the - stock OS.

+

GrapheneOS has a compatibility layer providing the option to install and use + the official releases of Play services in the standard app sandbox. Play services + receives absolutely no special or privileges on GrapheneOS as opposed to bypassing + the app sandbox and receiving a massive amount of highly privileged access. It + also doesn't become a backend for the OS services as it does elsewhere. GrapheneOS + itself doesn't use Play services even when it's installed. Since the Play services + apps are simply regular apps on GrapheneOS, they get installed by the user within + a specific user or work profile and are only available within that profile. Only + apps within the same profile can use it and they need to explicitly choose to use + it. It works the same way as any other app and has no special capabilities. As + with any other app, it can't access data of other apps and requires explicit user + consent to gain access to profile data or the standard permissions.

The core functionality and APIs are almost entirely supported already since GrapheneOS largely only has to coerce these apps into continuing to run without being able to use any of the usual invasive OS integration. A compatibility layer is also provided to support dynamically downloaded/loaded modules (dynamite - modules).

+ modules). The compatibility layer will be gradually expanded and improved in order + to get more of the Play services functionality working.

Installation

+

Play services is divided up into 3 separate apps: Google Services Framework + (com.google.android.gsf), Google Play services (com.google.android.gms) and + Google Play Store (com.android.vending). To use sandboxed Play services, you + simply need to install the official releases of these 3 apps in the user and + work profiles where you want to use it.

+ +

The simplest approach is to only use the Owner user profile. Apps installed + in the Owner profile are sandboxed the same way as everywhere else and don't + receive any special access. If you want to choose which apps use Play services + rather than making it available to all of them, install it in a separate user + or work profile for apps depending on Play services. You could also do it the + other way around, but it makes more sense to try to use as much as possible + without Play services rather than treating not using it as the exceptional + case.

+

Install com.google.android.gsf, then com.google.android.gms and finally use a split APK installer to install all 5 of the APKs for com.android.vending together. Make sure to install all 3 in the correct order and don't skip