refer to shims as fallback code to simplify

Daniel Micay 2021-08-05 00:14:33 -04:00
parent 3d6f9ef0ce
commit c9dbcca1ab

@ -682,11 +682,11 @@
services), com.google.android.gsf (Google Services Framework) as regular sandboxed
apps in a specific profile. These receive no special privileges and the OS itself
doesn't use them for anything. They run as unprivileged, sandboxed apps like any
others. GrapheneOS simply provides shims teaching them how to run without any of
the special privileged permissions and SELinux policy they depend on having. Even
within the same profile, apps not explicitly choosing to use Google services won't
use them because the OS doesn't integrate support for it or use it as the backend
for APIs in the OS like the stock OS.</p>
others. GrapheneOS simply provides fallback code teaching them how to run without
any of the special privileged permissions and SELinux policy they depend on
having. Even within the same profile, apps not explicitly choosing to use Google
services won't use them because the OS doesn't integrate support for it or use it
as the backend for APIs in the OS like the stock OS.</p>
<p>You should install all 3 apps including the Play Store rather than only Play
services or there will be missing functionality. Play Store is not simply a user
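Review bot: the replacement sentence "GrapheneOS simply provides fallback code teaching them how to run without any of the special privileged permissions" introduces "fallback code" without saying what it falls back from or to, and "fallback" implies a path taken only after a privileged operation is unavailable, which the sentence does not state. Suggest a short defining clause on this first use, since the later paragraphs rely on the term. In the same paragraph, the closing "like the stock OS" is ambiguous; "as the stock OS does" would make clear that it is the stock OS that uses Play services as the backend for OS APIs.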
@ -714,24 +714,23 @@
<p>The Play Store app cannot install and update apps as it normally would since it
depends entirely on privileged permissions for unattended app installation,
updates and removal. GrapheneOS currently includes partial shims to make this
partially work. It's currently unclear if we'll flesh this out and include it in
the production version of this feature or whether we'll drop it and simply have
people use Aurora Store with the Play Store only installed to provide APIs used by
apps using Play services.</p>
updates and removal. GrapheneOS includes a partial implementation of fallback code
to get this working. It currently isn't fully wired up and leads to the Play Store
stalling and needing to be force stopped. For the time being, it's easier to use
the alternative Aurora Store frontend to the Play Store.</p>
<p>The core functionality and APIs are almost entirely supported already since
GrapheneOS largely only has to coerce these apps into continuing to run without
being able to use any of the usual invasive OS integration. Certain functionality
is not yet supported. Play Store feature delivery and Play services functionality
delivered via dynamite modules are not supported yet. Shims will be required to
make this work without depending on weakening SELinux MAC and MLS policies to
permit it like the stock OS. The current generation Maps API is a common example
of functionality depending on a dynamite module.</p>
delivered via dynamite modules are not supported yet. Fallback code will be
required to make this work without depending on weakening SELinux MAC and MLS
policies to permit it like the stock OS. The current generation Maps API is a
common example of functionality depending on a dynamite module.</p>
<p>Since there's no OS integration beyond shims to make it function without any
special privileges, there isn't a way to launch the settings activity. We'll need
to make a tiny app providing a way to launch it.</p>
<p>Since there's no OS integration beyond fallback code to make it function
without any special privileges, there isn't a way to launch the settings activity.
We'll need to make a tiny app providing a way to launch it.</p>
</section>
</main>
<footer>
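Review bot: the Play Store paragraph at the top of this hunk changes more than terminology, which the commit subject does not cover. The statement that it is unclear whether this will be fleshed out for the production version is dropped, and a new claim that the Play Store stalls and needs to be force stopped is added; either mention this in the commit message or split it into its own commit. The replacement also drops the point that the Play Store is still installed to provide APIs used by apps using Play services, so the Aurora Store recommendation can now be read as conflicting with the earlier advice to install all 3 apps; suggest restoring that clause. Finally, "a partial implementation of fallback code to get this working" sits oddly next to "isn't fully wired up"; "intended to get this working" would be consistent.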