security/hakurei.app
5
1
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 4 Wiki Activity

use Sandboxed Google Play instead of Play services

Browse Source
This commit is contained in:
Daniel Micay
2022-01-13 13:52:03 -05:00
parent fd34e03608
commit c4ad2b8cc7
3 changed files with 48 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
static/releases.html
View File

@@ -512,7 +512,7 @@
<p>Changes since the 2022010500 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: add support for Play Asset Delivery and Play Feature Delivery by extending relevant hooks to the Play Store in addition to Play services</li>
<li>Sandboxed Google Play compatibility layer: add support for Play Asset Delivery and Play Feature Delivery by extending relevant hooks to the Play Store in addition to Play services</li>
</ul>
</article>
-->
@@ -534,9 +534,9 @@
<li>fix handling of MVNOs in CarrierConfig database generation to greatly improve out-of-the-box MVNO support</li>
<li>Camera: update to <a href="https://github.com/GrapheneOS/Camera/releases/tag/9">version 9</a></li>
<li>TalkBack (screen reader): update base version to 370044210 and port our changes (other than Play services vision library removal since it now provides useful OCR functionality we need to replace rather than removing)</li>
<li>Sandboxed Play services compatibility layer: extend compatibility layer to Play Games Services (Google Play Games can be installed from the Play Store)</li>
<li>Sandboxed Play services compatibility layer: always allow removing Google account to bypass broken check for whether removal is allowed</li>
<li>Sandboxed Play services compatibility layer: improve account sign in UX by pretending the backup service is inactive so Play services doesn't try to access it</li>
<li>Sandboxed Google Play compatibility layer: extend compatibility layer to Play Games Services (Google Play Games can be installed from the Play Store)</li>
<li>Sandboxed Google Play compatibility layer: always allow removing Google account to bypass broken check for whether removal is allowed</li>
<li>Sandboxed Google Play compatibility layer: improve account sign in UX by pretending the backup service is inactive so Play services doesn't try to access it</li>
<li>Pixel 4a (5G), Pixel 5, Pixel 5a: add SELinux policy to allow the hardware keystore secure confirmation UI</li>
<li>Pixel 3, Pixel 3 XL: switch to SP1A.210812.016.A2 vendor files (minor APN update for 1 carrier)</li>
</ul>
@@ -622,7 +622,7 @@
<p>Changes since the 2021120717 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: mark location service as a foreground location service</li>
<li>Sandboxed Google Play compatibility layer: mark location service as a foreground location service</li>
<li>Vanadium: update Chromium base to 96.0.4664.92</li>
<li>TalkBack (screen reader): update dependencies</li>
<li>Seedvault: restore requiring that the profile is unlocked for the hardware keystore key</li>
@@ -646,7 +646,7 @@
<li>full 2021-12-01 security patch level</li>
<li>full 2021-12-05 security patch level</li>
<li>rebased onto SQ1A.211205.008 release, the first quarterly maintenance/feature release for Android 12</li>
<li>Sandboxed Play services compatibility layer: improve robustness of Play Store compatibility layer</li>
<li>Sandboxed Google Play compatibility layer: improve robustness of Play Store compatibility layer</li>
<li>Camera: update to <a href="https://github.com/GrapheneOS/Camera/releases/tag/7">version 7</a></li>
<li>TalkBack (screen reader): update dependencies</li>
<li>avoid per-network randomization mode (AOSP default) being displayed as per-connection randomization mode (GrapheneOS default not available in AOSP) after rebooting despite persisting and working properly (caused by an additional abstraction layer introduced in Android 12)</li>
@@ -667,8 +667,8 @@
<p>Changes since the 2021112123 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: add another UserManager shim to fix issue with FCM in secondary user profiles</li>
<li>Sandboxed Play services compatibility layer: mark the compatibility layer's Play Store confirmation notification as ongoing to avoid users dismissing the notification and then being unable to accept or reject the install/update/uninstall action</li>
<li>Sandboxed Google Play compatibility layer: add another UserManager shim to fix issue with FCM in secondary user profiles</li>
<li>Sandboxed Google Play compatibility layer: mark the compatibility layer's Play Store confirmation notification as ongoing to avoid users dismissing the notification and then being unable to accept or reject the install/update/uninstall action</li>
<li>Camera: update to <a href="https://github.com/GrapheneOS/Camera/releases/tag/6">version 6</a></li>
</ul>
</article>
@@ -706,8 +706,8 @@
<p>Changes since the 2021111414 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: expand Play Store compatibility layer to fully support app installation, uninstallation and unattended updates via the standard unprivileged APIs</li>
<li>Sandboxed Play services compatibility layer: expand Play Store compatibility layer to support the Play Store updating itself via the standard unprivileged APIs</li>
<li>Sandboxed Google Play compatibility layer: expand Play Store compatibility layer to fully support app installation, uninstallation and unattended updates via the standard unprivileged APIs</li>
<li>Sandboxed Google Play compatibility layer: expand Play Store compatibility layer to support the Play Store updating itself via the standard unprivileged APIs</li>
<li>Settings: clearer wording for the default GrapheneOS per-connection MAC randomization</li>
<li>Vanadium: update Chromium base to 96.0.4664.45</li>
<li>Auditor: update to <a href="https://github.com/GrapheneOS/Auditor/releases/tag/35">version 35</a></li>
@@ -732,7 +732,7 @@
<p>Changes since the 2021110617 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: improve AppOps compatibility layer for long-lived operations via the new startProxyOp/finishProxyOp API which previously had to be mimicked via the existing APIs</li>
<li>Sandboxed Google Play compatibility layer: improve AppOps compatibility layer for long-lived operations via the new startProxyOp/finishProxyOp API which previously had to be mimicked via the existing APIs</li>
<li>Updater: only allow privileged apps including Settings to open the settings activity since other apps like the launcher have no reason to open it</li>
<li>android-prepare-vendor carriersettings-extractor: strip out carrier provisioning configuration (OMA device management is not included in GrapheneOS so this references an app that's not present)</li>
<li>android-prepare-vendor carriersettings-extractor: always enable the ability to disable 2G</li>
@@ -915,7 +915,7 @@
<li>full port of <a href="/features">all existing GrapheneOS features</a> to Android 12</li>
<li>full 2021-10-05 security patch level for userspace device support code (kernel already on 2021-10-05)</li>
<li>rebased onto SP1A.210812.015 release</li>
<li>Sandboxed Play services compatibility layer: add support for Play services Android 12 releases (Android 11 releases still mostly work but we'll be recommending/mirroring the Android 12 releases)</li>
<li>Sandboxed Google Play compatibility layer: add support for Play services Android 12 releases (Android 11 releases still mostly work but we'll be recommending/mirroring the Android 12 releases)</li>
<li>make release signing otacerts.zip generation reproducible</li>
<li>Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: target ARMv8.2-DotProd architecture and Cortex-A76 CPU for ART and native code instead of producing generic ARMv8 code</li>
<li>use modern rounded corners by default</li>
@@ -1060,9 +1060,9 @@
<p>Changes since the 2021090819 release:</p>
<ul>
<li>Sandboxed Play services compatibility layer: stub out DeviceConfig APIs by ignoring device configuration writes instead of throwing a SecurityException</li>
<li>Sandboxed Play services compatibility layer: stub out DropBoxManager API by pretending no crash dumps, logs, etc. are available instead of throwing a SecurityException</li>
<li>Sandboxed Play services compatibility layer: stub out getImei API by pretending IMEI cannot be retrieved instead of throwing a SecurityException</li>
<li>Sandboxed Google Play compatibility layer: stub out DeviceConfig APIs by ignoring device configuration writes instead of throwing a SecurityException</li>
<li>Sandboxed Google Play compatibility layer: stub out DropBoxManager API by pretending no crash dumps, logs, etc. are available instead of throwing a SecurityException</li>
<li>Sandboxed Google Play compatibility layer: stub out getImei API by pretending IMEI cannot be retrieved instead of throwing a SecurityException</li>
<li>Seedvault: add missing permission needed for UserManager restriction security fix in the last release</li>
<li>Seedvault: update to latest revision</li>
<li>TalkBack (screen reader): update base version to 370044210 and port our changes (Switch Access service has been dropped upstream)</li>
@@ -1138,9 +1138,9 @@
<li>Auditor: update to <a href="https://github.com/GrapheneOS/Auditor/releases/tag/28">version 28</a></li>
<li>Vanadium: move search suggestions toggle to privacy menu</li>
<li>Vanadium: remove empty account category and Services menu from the main menu</li>
<li>Sandboxed Play services compatibility layer: add shim to make Play services use the regular cellular geolocation API instead of attempting and failing to use a special API requiring MODIFY_PHONE_STATE to attribute power consumption to the app responsible for the request to Play services</li>
<li>Sandboxed Play services compatibility layer: add shims making Play services use the unprivileged AppOps proxy API instead of attempting and failing to use the privileged APIs for blaming other apps (it can still blame other apps via the proxy API, but the OS treats it as an untrusted claim)</li>
<li>Sandboxed Play services compatibility layer: add shim making Play services use UserManager.hasUserRestriction instead of UserManager.hasBaseUserRestriction to avoid requiring privileged permissions and to return correct answers since it can't bypass device management</li>
<li>Sandboxed Google Play compatibility layer: add shim to make Play services use the regular cellular geolocation API instead of attempting and failing to use a special API requiring MODIFY_PHONE_STATE to attribute power consumption to the app responsible for the request to Play services</li>
<li>Sandboxed Google Play compatibility layer: add shims making Play services use the unprivileged AppOps proxy API instead of attempting and failing to use the privileged APIs for blaming other apps (it can still blame other apps via the proxy API, but the OS treats it as an untrusted claim)</li>
<li>Sandboxed Google Play compatibility layer: add shim making Play services use UserManager.hasUserRestriction instead of UserManager.hasBaseUserRestriction to avoid requiring privileged permissions and to return correct answers since it can't bypass device management</li>
</ul>
</article>
@@ -1161,8 +1161,8 @@
<li>Settings: fix upstream bug preventing setting pictures for user profiles</li>
<li>Settings: backport upstream fix for user edit dialog breaking from rotation</li>
<li>Settings: add LTE only mode entry when carrier enables world mode too</li>
<li>Sandboxed Play services compatibility layer: fix detection of system processes in secondary users</li>
<li>Sandboxed Play services compatibility layer: handle edge case of packages without data directories</li>
<li>Sandboxed Google Play compatibility layer: fix detection of system processes in secondary users</li>
<li>Sandboxed Google Play compatibility layer: handle edge case of packages without data directories</li>
</ul>
</article>
@@ -1286,7 +1286,7 @@
<p>Changes since the 2021.07.07.19 release:</p>
<ul>
<li>add <a href="/usage#sandboxed-play-services">experimental support for running Play services and friends as sandboxed user-installed apps without any special privileges</a></li>
<li>add <a href="/usage#sandboxed-google-play">experimental support for running Play services and friends as sandboxed user-installed apps without any special privileges</a></li>
<li>Settings: use alternate implementation of Wi-Fi auto-turn-off setting matching the Bluetooth auto-turn-off UX</li>
<li>overhaul Wi-Fi auto-turn-off implementation including handling the case of Wi-Fi being turned on without connecting to a network</li>
<li>add lower auto-reboot timeout options</li>