rewrite sandboxed Play services section
This commit is contained in:
Daniel Micay
parent
edfb3c3842
commit
6de01bb6bc
@ -782,29 +782,44 @@
|
|||||||
<section id="sandboxed-play-services">
|
<section id="sandboxed-play-services">
|
||||||
<h2><a href="#sandboxed-play-services">Sandboxed Play services</a></h2>
|
<h2><a href="#sandboxed-play-services">Sandboxed Play services</a></h2>
|
||||||
|
|
||||||
<p>GrapheneOS has support for installing the official releases of
|
<p>GrapheneOS has a compatibility layer providing the option to install and use
|
||||||
com.android.vending (Google Play Store), com.google.android.gms (Google Play
|
the official releases of Play services in the standard app sandbox. Play services
|
||||||
services), com.google.android.gsf (Google Services Framework) as regular sandboxed
|
receives absolutely no special or privileges on GrapheneOS as opposed to bypassing
|
||||||
apps in a specific profile. These receive no special privileges and the OS itself
|
the app sandbox and receiving a massive amount of highly privileged access. It
|
||||||
doesn't use them for anything. They run as unprivileged, sandboxed apps like any
|
also doesn't become a backend for the OS services as it does elsewhere. GrapheneOS
|
||||||
others. GrapheneOS simply provides fallback code teaching them how to run without
|
itself doesn't use Play services even when it's installed. Since the Play services
|
||||||
any of the special privileged permissions and SELinux policy they depend on
|
apps are simply regular apps on GrapheneOS, they get installed by the user within
|
||||||
having. You can choose which apps will use them by using a dedicated user profile
|
a specific user or work profile and are only available within that profile. Only
|
||||||
since apps can't share data or communicate across users. A work profile also
|
apps within the same profile can use it and they need to explicitly choose to use
|
||||||
works, although without as much isolation. Even within the same profile, apps not
|
it. It works the same way as any other app and has no special capabilities. As
|
||||||
explicitly choosing to use Google services won't use them because the OS doesn't
|
with any other app, it can't access data of other apps and requires explicit user
|
||||||
integrate support for it or use it as the backend for APIs in the OS like the
|
consent to gain access to profile data or the standard permissions.</p>
|
||||||
stock OS.</p>
|
|
||||||
|
|
||||||
<p>The core functionality and APIs are almost entirely supported already since
|
<p>The core functionality and APIs are almost entirely supported already since
|
||||||
GrapheneOS largely only has to coerce these apps into continuing to run without
|
GrapheneOS largely only has to coerce these apps into continuing to run without
|
||||||
being able to use any of the usual invasive OS integration. A compatibility layer
|
being able to use any of the usual invasive OS integration. A compatibility layer
|
||||||
is also provided to support dynamically downloaded/loaded modules (dynamite
|
is also provided to support dynamically downloaded/loaded modules (dynamite
|
||||||
modules).</p>
|
modules). The compatibility layer will be gradually expanded and improved in order
|
||||||
|
to get more of the Play services functionality working.</p>
|
||||||
|
|
||||||
<section id="sandboxed-play-services-installation">
|
<section id="sandboxed-play-services-installation">
|
||||||
<h3><a href="#sandboxed-play-services-installation">Installation</a></h3>
|
<h3><a href="#sandboxed-play-services-installation">Installation</a></h3>
|
||||||
|
|
||||||
|
<p>Play services is divided up into 3 separate apps: Google Services Framework
|
||||||
|
(com.google.android.gsf), Google Play services (com.google.android.gms) and
|
||||||
|
Google Play Store (com.android.vending). To use sandboxed Play services, you
|
||||||
|
simply need to install the official releases of these 3 apps in the user and
|
||||||
|
work profiles where you want to use it.</p>
|
||||||
|
|
||||||
|
<p>The simplest approach is to only use the Owner user profile. Apps installed
|
||||||
|
in the Owner profile are sandboxed the same way as everywhere else and don't
|
||||||
|
receive any special access. If you want to choose which apps use Play services
|
||||||
|
rather than making it available to all of them, install it in a separate user
|
||||||
|
or work profile for apps depending on Play services. You could also do it the
|
||||||
|
other way around, but it makes more sense to try to use as much as possible
|
||||||
|
without Play services rather than treating not using it as the exceptional
|
||||||
|
case.</p>
|
||||||
|
|
||||||
<p>Install com.google.android.gsf, then com.google.android.gms and finally use
|
<p>Install com.google.android.gsf, then com.google.android.gms and finally use
|
||||||
a split APK installer to install all 5 of the APKs for com.android.vending
|
a split APK installer to install all 5 of the APKs for com.android.vending
|
||||||
together. Make sure to install all 3 in the correct order and don't skip
|
together. Make sure to install all 3 in the correct order and don't skip
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user