Help me understand this. Google play services being sandboxed.

AngWay

So when i install google play services is it always like isolated? is that what sandboxed means? like is it different than when it's regular android i guess what i'm asking is if i install google play services does it have access to everything like it would on stock android or is it truly isolated on graphenos? because if other apps need it to work then dont' it have access to the whole phone? how is it isolated.

Also i noticed the menu drop down menu looks the same as the stock android is it basically the same like the layout is it just the same thing except graphenos just has all the privacy parts added?

pxlkng

AngWay

https://grapheneos.org/features#sandboxed-google-play
https://grapheneos.org/usage#sandboxed-google-play

pxlkng

AngWay

Please see the above articles for in-depth information.

The Play Services you can download on the GOS App Store are the official unmodified versions from Google, GrapheneOS wouldn't be allowed to modify them due to licensing.

What it does is restrict them to the regular unprivileged app sandbox, the same and in the same way as it applies to all other apps you install.

The comparability layer "teaches" Play Services to work in this unprivileged environment.

This means that out of the box Play Services has no more access than any other app you install would have. No special privileges or elevated access.

AngWay

pxlkng Oh ok great thanks that makes sense i understand it better now.

Sagebath

pxlkng great summary. All apps have a lot of access and /or data though, don't they?

Anyone know examples of what regular OS Google apps have access to that GOS Google apps don't? Or examples of data GOS apps from Gplay store have access to?

Eumenia

Sagebath All apps have a lot of access and /or data though, don't they?

Normaly Android Apps are very restrictect and need explocit permission do escape the sandbox

W1zardK1ng

Sagebath There is difference between access to data and permissions.

Every apps have their own apps space, where the apps store their data. Other apps cannot access it until those app developers design it to share it other apps, some apps from same organization share data of apps with each other. This is the same case for stock android even a privileged google play store cant access data of other apps in their app space. This is app Sandboxing, in desktop flatpaks tries to achieve the same, but sandboxing on android is better than the desktops and GrapheneOS makes it better than the regular Android sandboxing with its extra hardening.
But apps can find other apps installed in the same profile, and communicate using IPC.

For permission, in GrapheneOS apps including the Google play service and store gets access to what you give to them, Privileged/system apps on the stock os by default comes with all the access granted to them.

userofgos

Eumenia and need explocit permission do escape the sandbox

I believe it is inaccurate to say that disabling exploit protections breaks the app sandbox. Since other AOSP OS's don't have these exploit protections and apps still remain sandboxed

userofgos

Eumenia

Eumenia explocit

ah I see now that I mistook the spelling error to be read as "exploit" instead of "explicit". Thanks for the clarification :)

Eumenia

userofgos I believe it is inaccurate to say that disabling exploit protections breaks the app sandbox. Since other AOSP OS's don't have these exploit protections and apps still remain sandboxed

I didn't refer to disabling exploit protection but to permissions that extend the privileges of the app

pxlkng

@userofgos is correct, you cannot "un-sandbox" apps. Apps are always sandboxed, no matter what.

Eumenia

userofgos ah I see now that I mistook the spelling error to be read as "exploit" instead of "explicit". Thanks for the clarification :)

Thanks, I will fix the error
Edit: Unfortunately I can't edit the message anymore