use Sandboxed Google Play instead of Play services

Daniel Micay 2022-01-13 13:52:03 -05:00
parent fd34e03608
commit c4ad2b8cc7
3 changed files with 48 additions and 44 deletions

View File

@ -16,6 +16,10 @@ const redirects = new Map([
["/#upstream", "/faq#upstream"],
["/usage#default-connections", "/faq#default-connections"],
["/usage#sandboxed-play-services", "/usage#sandboxed-google-play"],
["/usage#sandboxed-play-services-installation", "/usage#sandboxed-google-play-installation"],
["/usage#sandboxed-play-services-limitations", "/usage#sandboxed-google-play-limitations"],
["/faq#dns", "/faq#custom-dns"],
["/install/cli#fastboot-as-non-root", "/install/cli#flashing-as-non-root"],
["/install/web#fastboot-as-non-root", "/install/web#flashing-as-non-root"],
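Review bot: the hunk header `@ -16,6 +16,10 @@` accounts for four added lines, but only three new entries are visible here (`/usage#sandboxed-play-services`, `-installation`, `-limitations`), so one added line is not shown in this rendering and it is worth confirming that no old fragment was left unmapped. The three visible targets match the three new section ids introduced in usage (`sandboxed-google-play`, `sandboxed-google-play-installation`, `sandboxed-google-play-limitations`), so bookmarks and external links to the old fragments keep resolving as long as this map is what handles them; fragment-only redirects cannot be done by a plain server-side redirect, so this map is the only thing keeping those old links alive.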

View File

@ -512,7 +512,7 @@
<p>Changes since the 2022010500 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: add support for Play Asset Delivery and Play Feature Delivery by extending relevant hooks to the Play Store in addition to Play services</li>
<li>Sandboxed Google Play compatibility layer: add support for Play Asset Delivery and Play Feature Delivery by extending relevant hooks to the Play Store in addition to Play services</li>
</ul>
</article>
-->
@ -534,9 +534,9 @@
<li>fix handling of MVNOs in CarrierConfig database generation to greatly improve out-of-the-box MVNO support</li>
<li>Camera: update to <a href="https://github.com/GrapheneOS/Camera/releases/tag/9">version 9</a></li>
<li>TalkBack (screen reader): update base version to 370044210 and port our changes (other than Play services vision library removal since it now provides useful OCR functionality we need to replace rather than removing)</li>
<li>Sandboxed Play services compatibility layer: extend compatibility layer to Play Games Services (Google Play Games can be installed from the Play Store)</li>
<li>Sandboxed Play services compatibility layer: always allow removing Google account to bypass broken check for whether removal is allowed</li>
<li>Sandboxed Play services compatibility layer: improve account sign in UX by pretending the backup service is inactive so Play services doesn't try to access it</li>
<li>Sandboxed Google Play compatibility layer: extend compatibility layer to Play Games Services (Google Play Games can be installed from the Play Store)</li>
<li>Sandboxed Google Play compatibility layer: always allow removing Google account to bypass broken check for whether removal is allowed</li>
<li>Sandboxed Google Play compatibility layer: improve account sign in UX by pretending the backup service is inactive so Play services doesn't try to access it</li>
<li>Pixel 4a (5G), Pixel 5, Pixel 5a: add SELinux policy to allow the hardware keystore secure confirmation UI</li>
<li>Pixel 3, Pixel 3 XL: switch to SP1A.210812.016.A2 vendor files (minor APN update for 1 carrier)</li>
</ul>
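Review bot: the rename is applied only to the entry prefix, while the bodies still say "Play services" where they mean the specific app (for example "pretending the backup service is inactive so Play services doesn't try to access it"); that is the right split, since "Sandboxed Google Play" is now the umbrella for GSF, GMS and the Play Store, and it should be kept consistent across the remaining entries. Note that these are already published release notes, so the rewording retroactively changes the historical text of past releases; fine for a pure feature rename, but not a pattern to extend to substantive edits of old entries.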
@ -622,7 +622,7 @@
<p>Changes since the 2021120717 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: mark location service as a foreground location service</li>
<li>Sandboxed Google Play compatibility layer: mark location service as a foreground location service</li>
<li>Vanadium: update Chromium base to 96.0.4664.92</li>
<li>TalkBack (screen reader): update dependencies</li>
<li>Seedvault: restore requiring that the profile is unlocked for the hardware keystore key</li>
@ -646,7 +646,7 @@
<li>full 2021-12-01 security patch level</li>
<li>full 2021-12-05 security patch level</li>
<li>rebased onto SQ1A.211205.008 release, the first quarterly maintenance/feature release for Android 12</li>
<li>Sandboxed Play services compatibility layer: improve robustness of Play Store compatibility layer</li>
<li>Sandboxed Google Play compatibility layer: improve robustness of Play Store compatibility layer</li>
<li>Camera: update to <a href="https://github.com/GrapheneOS/Camera/releases/tag/7">version 7</a></li>
<li>TalkBack (screen reader): update dependencies</li>
<li>avoid per-network randomization mode (AOSP default) being displayed as per-connection randomization mode (GrapheneOS default not available in AOSP) after rebooting despite persisting and working properly (caused by an additional abstraction layer introduced in Android 12)</li>
@ -667,8 +667,8 @@
<p>Changes since the 2021112123 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: add another UserManager shim to fix issue with FCM in secondary user profiles</li>
<li>Sandboxed Play services compatibility layer: mark the compatibility layer's Play Store confirmation notification as ongoing to avoid users dismissing the notification and then being unable to accept or reject the install/update/uninstall action</li>
<li>Sandboxed Google Play compatibility layer: add another UserManager shim to fix issue with FCM in secondary user profiles</li>
<li>Sandboxed Google Play compatibility layer: mark the compatibility layer's Play Store confirmation notification as ongoing to avoid users dismissing the notification and then being unable to accept or reject the install/update/uninstall action</li>
<li>Camera: update to <a href="https://github.com/GrapheneOS/Camera/releases/tag/6">version 6</a></li>
</ul>
</article>
@ -706,8 +706,8 @@
<p>Changes since the 2021111414 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: expand Play Store compatibility layer to fully support app installation, uninstallation and unattended updates via the standard unprivileged APIs</li>
<li>Sandboxed Play services compatibility layer: expand Play Store compatibility layer to support the Play Store updating itself via the standard unprivileged APIs</li>
<li>Sandboxed Google Play compatibility layer: expand Play Store compatibility layer to fully support app installation, uninstallation and unattended updates via the standard unprivileged APIs</li>
<li>Sandboxed Google Play compatibility layer: expand Play Store compatibility layer to support the Play Store updating itself via the standard unprivileged APIs</li>
<li>Settings: clearer wording for the default GrapheneOS per-connection MAC randomization</li>
<li>Vanadium: update Chromium base to 96.0.4664.45</li>
<li>Auditor: update to <a href="https://github.com/GrapheneOS/Auditor/releases/tag/35">version 35</a></li>
@ -732,7 +732,7 @@
<p>Changes since the 2021110617 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: improve AppOps compatibility layer for long-lived operations via the new startProxyOp/finishProxyOp API which previously had to be mimicked via the existing APIs</li>
<li>Sandboxed Google Play compatibility layer: improve AppOps compatibility layer for long-lived operations via the new startProxyOp/finishProxyOp API which previously had to be mimicked via the existing APIs</li>
<li>Updater: only allow privileged apps including Settings to open the settings activity since other apps like the launcher have no reason to open it</li>
<li>android-prepare-vendor carriersettings-extractor: strip out carrier provisioning configuration (OMA device management is not included in GrapheneOS so this references an app that's not present)</li>
<li>android-prepare-vendor carriersettings-extractor: always enable the ability to disable 2G</li>
@ -915,7 +915,7 @@
<li>full port of <a href="/features">all existing GrapheneOS features</a> to Android 12</li>
<li>full 2021-10-05 security patch level for userspace device support code (kernel already on 2021-10-05)</li>
<li>rebased onto SP1A.210812.015 release</li>
<li>Sandboxed Play services compatibility layer: add support for Play services Android 12 releases (Android 11 releases still mostly work but we'll be recommending/mirroring the Android 12 releases)</li>
<li>Sandboxed Google Play compatibility layer: add support for Play services Android 12 releases (Android 11 releases still mostly work but we'll be recommending/mirroring the Android 12 releases)</li>
<li>make release signing otacerts.zip generation reproducible</li>
<li>Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: target ARMv8.2-DotProd architecture and Cortex-A76 CPU for ART and native code instead of producing generic ARMv8 code</li>
<li>use modern rounded corners by default</li>
@ -1060,9 +1060,9 @@
<p>Changes since the 2021090819 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: stub out DeviceConfig APIs by ignoring device configuration writes instead of throwing a SecurityException</li>
<li>Sandboxed Play services compatibility layer: stub out DropBoxManager API by pretending no crash dumps, logs, etc. are available instead of throwing a SecurityException</li>
<li>Sandboxed Play services compatibility layer: stub out getImei API by pretending IMEI cannot be retrieved instead of throwing a SecurityException</li>
<li>Sandboxed Google Play compatibility layer: stub out DeviceConfig APIs by ignoring device configuration writes instead of throwing a SecurityException</li>
<li>Sandboxed Google Play compatibility layer: stub out DropBoxManager API by pretending no crash dumps, logs, etc. are available instead of throwing a SecurityException</li>
<li>Sandboxed Google Play compatibility layer: stub out getImei API by pretending IMEI cannot be retrieved instead of throwing a SecurityException</li>
<li>Seedvault: add missing permission needed for UserManager restriction security fix in the last release</li>
<li>Seedvault: update to latest revision</li>
<li>TalkBack (screen reader): update base version to 370044210 and port our changes (Switch Access service has been dropped upstream)</li>
@ -1138,9 +1138,9 @@
<li>Auditor: update to <a href="https://github.com/GrapheneOS/Auditor/releases/tag/28">version 28</a></li>
<li>Vanadium: move search suggestions toggle to privacy menu</li>
<li>Vanadium: remove empty account category and Services menu from the main menu</li>
<li>Sandboxed Play services compatibility layer: add shim to make Play services use the regular cellular geolocation API instead of attempting and failing to use a special API requiring MODIFY_PHONE_STATE to attribute power consumption to the app responsible for the request to Play services</li>
<li>Sandboxed Play services compatibility layer: add shims making Play services use the unprivileged AppOps proxy API instead of attempting and failing to use the privileged APIs for blaming other apps (it can still blame other apps via the proxy API, but the OS treats it as an untrusted claim)</li>
<li>Sandboxed Play services compatibility layer: add shim making Play services use UserManager.hasUserRestriction instead of UserManager.hasBaseUserRestriction to avoid requiring privileged permissions and to return correct answers since it can't bypass device management</li>
<li>Sandboxed Google Play compatibility layer: add shim to make Play services use the regular cellular geolocation API instead of attempting and failing to use a special API requiring MODIFY_PHONE_STATE to attribute power consumption to the app responsible for the request to Play services</li>
<li>Sandboxed Google Play compatibility layer: add shims making Play services use the unprivileged AppOps proxy API instead of attempting and failing to use the privileged APIs for blaming other apps (it can still blame other apps via the proxy API, but the OS treats it as an untrusted claim)</li>
<li>Sandboxed Google Play compatibility layer: add shim making Play services use UserManager.hasUserRestriction instead of UserManager.hasBaseUserRestriction to avoid requiring privileged permissions and to return correct answers since it can't bypass device management</li>
</ul>
</article>
@ -1161,8 +1161,8 @@
<li>Settings: fix upstream bug preventing setting pictures for user profiles</li>
<li>Settings: backport upstream fix for user edit dialog breaking from rotation</li>
<li>Settings: add LTE only mode entry when carrier enables world mode too</li>
<li>Sandboxed Play services compatibility layer: fix detection of system processes in secondary users</li>
<li>Sandboxed Play services compatibility layer: handle edge case of packages without data directories</li>
<li>Sandboxed Google Play compatibility layer: fix detection of system processes in secondary users</li>
<li>Sandboxed Google Play compatibility layer: handle edge case of packages without data directories</li>
</ul>
</article>
@ -1286,7 +1286,7 @@
<p>Changes since the 2021.07.07.19 release:</p>
<ul>
<li>add <a href="/usage#sandboxed-play-services">experimental support for running Play services and friends as sandboxed user-installed apps without any special privileges</a></li>
<li>add <a href="/usage#sandboxed-google-play">experimental support for running Play services and friends as sandboxed user-installed apps without any special privileges</a></li>
<li>Settings: use alternate implementation of Wi-Fi auto-turn-off setting matching the Bluetooth auto-turn-off UX</li>
<li>overhaul Wi-Fi auto-turn-off implementation including handling the case of Wi-Fi being turned on without connecting to a network</li>
<li>add lower auto-reboot timeout options</li>

View File

@ -94,10 +94,10 @@
</li>
<li><a href="#lte-only-mode">LTE-only mode</a></li>
<li>
<a href="#sandboxed-play-services">Sandboxed Play services</a>
<a href="#sandboxed-google-play">Sandboxed Google Play</a>
<ul>
<li><a href="#sandboxed-play-services-installation">Installation</a></li>
<li><a href="#sandboxed-play-services-limitations">Limitations</a></li>
<li><a href="#sandboxed-google-play-installation">Installation</a></li>
<li><a href="#sandboxed-google-play-limitations">Limitations</a></li>
</ul>
</li>
<li><a href="#banking-apps">Banking apps</a></li>
@ -605,8 +605,8 @@
<section id="google-camera">
<h3><a href="#google-camera">Google Camera</a></h3>
<p>Google Camera can be used with the <a href="#sandboxed-play-services">sandboxed
Play services compatibility layer</a> and can take full advantage of the
<p>Google Camera can be used with the <a href="#sandboxed-google-play">sandboxed
Google Play compatibility layer</a> and can take full advantage of the
available cameras and image processing hardware as it can on the stock OS. It
currently only depends on GSF and can be used without Play services (GMS) or
the Play Store.</p>
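Review bot: the updated link text reads correctly, and the unchanged sentence "It currently only depends on GSF and can be used without Play services (GMS) or the Play Store" is exactly where the new umbrella name earns its keep: "sandboxed Google Play" is the compatibility layer, while GSF, GMS and the Play Store remain the individual apps. Keep the package-level wording here as-is rather than folding it into "Google Play", otherwise the statement that Google Camera needs only GSF would become unclear.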
@ -783,32 +783,32 @@
exploitation by disabling an enormous amount of legacy code.</p>
</section>
<section id="sandboxed-play-services">
<h2><a href="#sandboxed-play-services">Sandboxed Play services</a></h2>
<section id="sandboxed-google-play">
<h2><a href="#sandboxed-google-play">Sandboxed Google Play</a></h2>
<p>GrapheneOS has a compatibility layer providing the option to install and use
the official releases of Play services in the standard app sandbox. Play services
the official releases of Google Play in the standard app sandbox. Google Play
receives absolutely no special access or privileges on GrapheneOS as opposed to
bypassing the app sandbox and receiving a massive amount of highly privileged
access. Instead, the compatibility layer teaches it how to work within the full
app sandbox. It also isn't used as a backend for the OS services as it would be
elsewhere since GrapheneOS doesn't use Play services even when it's installed.</p>
elsewhere since GrapheneOS doesn't use Google Play even when it's installed.</p>
<p>Since the Play services apps are simply regular apps on GrapheneOS, you install
<p>Since the Google Play apps are simply regular apps on GrapheneOS, you install
them within a specific user or work profile and they're only available within that
profile. Only apps within the same profile can use it and they need to explicitly
choose to use it. It works the same way as any other app and has no special
capabilities. As with any other app, it can't access data of other apps and
requires explicit user consent to gain access to profile data or the standard
permissions. Apps within the same profile can communicate with mutual consent and
it's no different for sandboxed Play services.</p>
it's no different for sandboxed Google Play.</p>
<p>The core functionality and APIs are almost entirely supported already since
GrapheneOS largely only has to coerce these apps into continuing to run without
being able to use any of the usual invasive OS integration. A compatibility layer
is also provided to support dynamically downloaded/loaded modules (dynamite
modules). The compatibility layer will be gradually expanded and improved in order
to get more of the Play services functionality working.</p>
to get more of the Google Play functionality working.</p>
<p>GrapheneOS provides a dedicated compatibility layer for Play Store app
installation/updates/removal teaching it to use the standard unprivileged approach
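Review bot: the intro now uses "Google Play" as a collective term ("install and use the official releases of Google Play", "GrapheneOS doesn't use Google Play even when it's installed") before the term is defined; the definition as three separate apps only appears later in the Installation subsection. Since "Google Play" on its own is commonly read as the Play Store app, consider adding a short parenthetical on first use, e.g. "the official releases of Google Play (Google Services Framework, Play services and the Play Store)", so the statement that it receives no special access is unambiguous. The sentence on dynamite modules correctly still refers to Play services specifically, since that is the app that loads them.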
@ -818,22 +818,22 @@
updates of modern (API 29+) apps where it was the installer for the currently
installed version already.</p>
<section id="sandboxed-play-services-installation">
<h3><a href="#sandboxed-play-services-installation">Installation</a></h3>
<section id="sandboxed-google-play-installation">
<h3><a href="#sandboxed-google-play-installation">Installation</a></h3>
<p>Play services is divided up into 3 separate apps: Google Services Framework
<p>Google Play is divided up into 3 separate apps: Google Services Framework
(com.google.android.gsf), Google Play services (com.google.android.gms) and
Google Play Store (com.android.vending). To use sandboxed Play services, you
Google Play Store (com.android.vending). To use sandboxed Google Play, you
simply need to install the official releases of these 3 apps in the user and
work profiles where you want to use it.</p>
<p>The simplest approach is to only use the Owner user profile. Apps installed
in the Owner profile are sandboxed the same way as everywhere else and don't
receive any special access. If you want to choose which apps use Play services
receive any special access. If you want to choose which apps use Google Play
rather than making it available to all of them, install it in a separate user
or work profile for apps depending on Play services. You could also do it the
or work profile for apps depending on Google Play. You could also do it the
other way around, but it makes more sense to try to use as much as possible
without Play services rather than treating not using it as the exceptional
without Google Play rather than treating not using it as the exceptional
case.</p>
<p>Install com.google.android.gsf, then com.google.android.gms and finally use
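Review bot: "Google Play is divided up into 3 separate apps" is the definition the rest of the section depends on, and the package names (com.google.android.gsf, com.google.android.gms, com.android.vending) are unchanged, which is correct since the rename is only of the GrapheneOS feature. The profile guidance ("install it in a separate user or work profile for apps depending on Google Play") reads fine after the substitution, but the recommendation that follows ("it makes more sense to try to use as much as possible without Google Play") now also covers the Play Store, which matches the intent since all three apps are installed per profile. The installation order in the trailing context (gsf, then gms, then the Play Store) is the part users most often get wrong; it is preserved here and should stay explicit.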
@ -844,7 +844,7 @@
F-Droid or the developers of the app via their GitHub releases, etc.</p>
<p>In the future, we'll have a client app for our repository so you'll be able
to install and update the official Play services apps through that app and you
to install and update the official Google Play apps through that app and you
won't need to deal with split APK installation manually.</p>
<ul>
@ -870,8 +870,8 @@
so you need to get those from our repository.</p>
</section>
<section id="sandboxed-play-services-limitations">
<h3><a href="#sandboxed-play-services-limitations">Limitations</a></h3>
<section id="sandboxed-google-play-limitations">
<h3><a href="#sandboxed-google-play-limitations">Limitations</a></h3>
<p>Functionality depending on privileged access such as special access to
hardware isn't available. We would need to implement compatibility layers
@ -902,7 +902,7 @@
<p>Banking apps are a particularly problematic class of apps for compatibility
with alternate operating systems. Some of these work fine with any GrapheneOS
configuration but most of them have extensive dependencies on Play services. For
many of these apps, it's enough to set up the GrapheneOS sandboxed Play services
many of these apps, it's enough to set up the GrapheneOS sandboxed Google Play
feature in the same profile. Unfortunately, there are further complications not
generally encountered with non-financial apps.</p>
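Review bot: the unchanged first sentence keeps "extensive dependencies on Play services" while the edited line says "sandboxed Google Play feature"; that is consistent with the rest of the change (the apps depend on the Play services app, the user sets up the GrapheneOS feature), so no further edit is needed here. If the banking section later lists specific checks these apps perform, keep naming the individual app they target rather than "Google Play" so readers can tell which of the three packages is involved.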