Rate my Profile Isolation/Silos

jroddev

Just finished reading through the docs on the GrapheneOS website and I'm sold.
Will be picking up a Pixel 7 and switch to GrapheneOS (currently on Xiaomi MiA2 with CalyxOS).
Right now I'm doing some playing with of how I might break things up into different user profile silos.
Some of these ideas may not work, questions at the bottom.

Owner

Signal
Phone
SMS/MSM
CardDav (Contacts)
Camera

Personal

Photos
Ebooks
Audiobooks
CalDav (Calendar)

Personal Secure (forward notifications)

Banking
Password Vault

Work (forward notifications)

Google Frameworks
Aurora (Annoymous)
MS Authenticator
MS Outlook
MS Teams
PagerDuty
Slack
Uber

Google Annoymous

Google Frameworks
Aurora (Annoymous)
Google Maps

Google Real

Google Play
Paid Apps

Questions

I have the idea of keeping the Owner profile pretty content free. Is there any value to this or should I just merge Owner and Personal?
Am I able to copy anything between users? For example If I open my password vault in one user and copy a password to another - does that work?
Similar to above can I copy files between profiles? Documents / Images
Is there any cost to having lots of profiles? Storage - obviously, but I'm interested in Performance and Battery Life

Any other recommendations or thoughts?

jarell

jroddev I can't give a perfect answer but I can give you information that can help you make an informed choice.

You will not be able to copy text nor files between user profiles natively. You will have to use a third-party solution like syncing/cloud software.
Forwarded notifications will not show the contents of the notification, merely the app name and what profile it's from.
Not ending a profile session will allow all processes to continue running in that profile, draining battery. Ending the session will flush the encryption key of the profile therefore preventing anything from running till you unlock the profile again.

I personally only have 3 profiles, the owner, a work profile (through Shelter) and another user profile. The work profile has my apps that I want to access easily but isolate from everything else. This would be my banking and school apps. My second user profile contains my Google apps that I need for work and school. This is the only profile I am signed into my Google account.

GrapheneOS

jroddev Every app is individually sandboxed. Apps can't ever access each other's data and require user consent to access profile data. Profiles don't provide any additional sandboxing. Profiles provide separate workspaces with separate instances of apps, app data and profile data. Apps can't communicate or share data across user profiles other than via the network (mostly true for work profiles too) and apps can't see apps in other user profiles (but can see them to an extent across user/work profile boundary).

Artn

jroddev Any other recommendations or thoughts?
jroddev I may be forced to merge the Owner, Personal, and Personal Secure profiles to some degree. I was hoping to keep the actual Password Vault + App separate and only move individual credentials when I need them. Merging it all together is no different than I have now though.

You may benefit from considering separating profiles based on the restrictions GrapheneOS provides, this is regarding the phone/SMS and app installation permissions that you can grant to profiles individually.

For example, your personal and Google Anonymous Profiles don't seems to need SMS/Phone permission. It will prevent accidentally giving the phone permission to any app there (https://discuss.grapheneos.org/d/14967-information-on-phone-permission).

Just wondering how you are going to install the apps in profiles without 3rd party app managers.
You can install apks but you have to manage the updates yourself which will be a very time consuming practice.

panopticon

As far as I know you cannot share the clipboard between profiles. That would defeat the purpose of seperate profiles. Same with files. I am using session to share files between profiles but its not ideal. Im curious to hear what others use to share files between profiles.

user539

panopticon Im curious to hear what others use to share files between profiles

I use signal for sharing between profiles

lcalamar

jarell I was shooting for your exact setup. I use shelter for a work profile for easier app access. Wanted to keep owner 100% free of a Google signing but Google Fi forced me into setting it up on my owner profile

jroddev

This is all very helpful. Thank you everyone.

I may be forced to merge the Owner, Personal, and Personal Secure profiles to some degree. I was hoping to keep the actual Password Vault + App separate and only move individual credentials when I need them. Merging it all together is no different than I have now though.

lcalamar + jarell are you using Shelter on top of the GrapheneOS profile sandbox? If so what is the added benefits?

unwat

I recall reading there is a restriction on how many user profiles can be active at one time: 3. So if you want notifications to be sent in from other profiles, that's something to keep in mind.

[deleted]

GrapheneOS Does that also mean if google play services are enabled then the apps in that user profile cannot "talk" to each other?

GrapheneOS

[deleted] Every app is sandboxed whether or not you use Google Play services. Apps can communicate with mutual consent within a profile and can't do that across profiles without using the network. Sandboxed Google Play compatibility layer enables using Google Play as regular apps in the full standard app sandbox. There's no special app sandbox for Google Play. It's the same full app sandbox as every other app you install. GrapheneOS provides our sandboxed Google Play compatibility layer to make it work that way, not a special sandbox for it.

jroddev

@"GrapheneOS"
Could you provide more information around 'mutual consent' to help with my understanding? I saw this used in the docs and I'm not sure what it means in practice. Does this mutual consent involve user approval? Or do the apps themselves provide the consent? What are the mechanism/s?

It has been a few years since I've done any Android dev but at the time we were communicating with intents and app-links. I'm also aware you can communicate using storage shared folders, or via the network.

Welteam

jroddev what the doc calls "mutual consent" and "interprocess communication"/IPC is intents. Intents require mutual consent as the dev of the calling app obviously agreed to interact with the app they are calling and the dev of the receiving app wrote in their manifest which app can trigger which intent. At least, that's my understanding.

MetropleX

Based on the response from @GrapheneOS I have semantically corrected the thread title and rephrased the OP to change references to 'sandbox' to user profiles or users.

Larz

Hi, how has your work set-up been running?
I am using a very similar applications and profiles set-up to yours.
I have not been able to get the Pagerduty app to run. Pagerduty reports a "Security Threat REF: 143:248C". I suspect they think my GrapheneOS is a rooted Android phone.
Is yours running OK? If so, do you have any suggestions for configuring the profile?
Many Thanks

anoa

Larz I figured out that you can make PagerDuty happy by doing the following:

Long-press on the PagerDuty application and select "App Info"
Under Exploit Protection -> Disable "Hardened memory allocator"

The app will no longer report a security issue upon launch, and will function normally.