platform_frameworks_base

add automatic installation of play apps into work profile

Open mkg20001 opened this issue 9 months ago • 3 comments

Currently when creating a work profile with a DPC app that requires Play services, the DPC app expects Play services to also exist on the work profile.

Since Play services aren't global on GOS, this patch automatically installs them into the work profile.

Whether an app requires Play services is automatically detected.

Because this needs to happen before the DPC app is triggered in any way in the work profile, this needs to be part of the profile creation itself.

mkg20001 • Mar 21 '25 14:03

New, simpler approach. No custom permissions, no custom APIs.

In InstallStart, when installing apps, it checks if the Play Store is the genuine Google Play Store and the user is a work profile and skips the DISALLOW_UNKNOWN_SOURCES restriction.

DevicePolicyGmsHooks runs after the device policy manager creates the profile and installs store + services and gives the store permission to install packages (REQUEST_INSTALL_PACKAGES) (only if the managing app requires Play services).

mkg20001 • Mar 21 '25 15:03

I remember last time I was told the Play Store installation shouldn't happen in DevicePolicyManagerService as it has too many permissions.

I need the installation to happen just before the device policy app is installed and gets any intent, as it may crash due to lack of Play services.

I'm none the wiser on how to do that securely and I'd appreciate some guidance if possible.

mkg20001 • Mar 24 '25 19:03

Absolute legend mate, thank you so much for continuing to develop and push this!

xxxsskxxx • Mar 24 '25 20:03

> New, simpler approach. No custom permissions, no custom apis
>
> In InstallStart when installing apps it checks if play store is genuine google play store and the user is a work profile and skips the DISALLOW_UNKNOWN_SOURCES restriction
>
> DevicePolicyGmsHooks runs after device policy manager creates the profile and installs store + services and gives the store permission to install packages (REQUEST_INSTALL_PACKAGES) (only if the managing app requires play services)

How do we know the managing app requires Play services? For example, Microsoft Company Portal requires it to set up the work profile. Will this change support that use case?

loligans • May 02 '25 06:05

>> New, simpler approach. No custom permissions, no custom apis
>>
>> In InstallStart when installing apps it checks if play store is genuine google play store and the user is a work profile and skips the DISALLOW_UNKNOWN_SOURCES restriction
>>
>> DevicePolicyGmsHooks runs after device policy manager creates the profile and installs store + services and gives the store permission to install packages (REQUEST_INSTALL_PACKAGES) (only if the managing app requires play services)
>
> How do we know the managing app requires play services? For example, Microsoft Company Portal requires it to set up the work profile. Will this change support that use case?

See https://github.com/GrapheneOS/platform_frameworks_base/pull/147/commits/437b272c16176aae96b1bc68675d5df4633c93b7#diff-d0c4fee5a9bb21d19df9696c4428b8053d7842e0e3fde3356fd4bdc335666548R33

mkg20001 • May 02 '25 06:05

Stopped working on Android 16, need to find a fix.

06-28 01:12:31.831  1339  1888 D ConnectivityService: NetReassign [no changes] [c 1] [a 0] [i 1]
06-28 01:12:31.843   838 11158 I resolv  : GetAddrInfoHandler::run: {101 262245 101 327781 10008 0}
06-28 01:12:31.843   838 11159 I resolv  : res_nmkquery: (QUERY, IN, AAAA)
06-28 01:12:31.843   838 11159 I resolv  : resolv_cache_lookup: FOUND IN CACHE entry=0xb400d0216dc8ae00
06-28 01:12:31.843   838 11159 I resolv  : doQuery: rcode=0, ancount=1, return value=118
06-28 01:12:31.844   838 11160 I resolv  : res_nmkquery: (QUERY, IN, A)
06-28 01:12:31.844   838 11160 I resolv  : resolv_cache_lookup: FOUND IN CACHE entry=0xb400d03f2d464000
06-28 01:12:31.844   838 11160 I resolv  : doQuery: rcode=0, ancount=11, return value=228
06-28 01:12:31.848  6295  6314 I Auth    : [BroadcastManager] [BroadcastManager] Broadcasting bad device management=DeviceManagementRequired [CONTEXT service_id=343 ]
06-28 01:12:31.848  6295  6314 W Auth    : [BroadcastManager] [BroadcastManager] No device or profile owner found for bad device management broadcast. [CONTEXT service_id=343 ]
06-28 01:12:31.849  6295  6314 I Auth    : [AccountStatusChecker]  Canceling DM notification because of DM suppression [CONTEXT service_id=343 ]
06-28 01:12:31.850  6295  6314 W Auth    : [GetToken] GetToken failed with status code: DeviceManagementRequired  [CONTEXT service_id=343 ]
06-28 01:12:31.854  6295  6314 W GLSActivity: [GmsAccountAuthenticatorImpl] error status while fetching token:DeviceManagementRequired
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Error refreshing OAuth token
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: java.io.IOException: Error creating OAuth access token for gRPC calls
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx$a.a(PG:39)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at tsb.call(PG:139)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.FutureTask.run(FutureTask.java:317)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx.a(PG:36)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nig$b.d(PG:178)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nig$c.a(PG:49)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwr.a(PG:46)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nbs.a(PG:47)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xuy$c.a(PG:35)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xun.a(PG:28)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xuv.run(PG:7)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xxw.run(PG:12)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:651)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.lang.Thread.run(Thread.java:1119)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Caused by: hpz
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at got.e(PG:275)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hpt.b(PG:20)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx$a.a(PG:21)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   ... 14 more
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Error refreshing OAuth token
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: java.io.IOException: Error creating OAuth access token for gRPC calls
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx$a.a(PG:39)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at tsb.call(PG:139)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.FutureTask.run(FutureTask.java:317)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx.a(PG:36)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nig$b.d(PG:178)

06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nig$c.a(PG:49)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwr.a(PG:46)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nbs.a(PG:47)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xuy$c.a(PG:35)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xun.a(PG:28)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xuv.run(PG:7)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xxw.run(PG:12)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:651)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.lang.Thread.run(Thread.java:1119)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Caused by: hpz
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at got.e(PG:275)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hpt.b(PG:20)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx$a.a(PG:21)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   ... 14 more
06-28 01:12:31.860 10485 11107 W AuthRetryClientIntercep: Failed to re-auth on retry.
06-28 01:12:31.860 10485 11107 W AuthRetryClientIntercep: Failed to re-auth on retry.
06-28 01:12:31.861 10485 10586 E GoogleOneUtils: PromoApi caused exception: xsd: UNAUTHENTICATED
06-28 01:12:31.861 10485 10586 E GoogleOneUtils: PromoApi caused exception: xsd: UNAUTHENTICATED

mkg20001 • Jun 27 '25 23:06
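Added example, not part of the original thread or the PR: a small triage of the logcat output in the comment above that folds stack frames and repeated entries, so the order of failures (the `Auth` warnings first, the OAuth errors after) is readable at a glance. The sample lines are an excerpt of that log; the function names are illustrative.

```python
import re

# Excerpt of the logcat output quoted in the comment above (threadtime format).
SAMPLE = """\
06-28 01:12:31.848  6295  6314 W Auth    : [BroadcastManager] [BroadcastManager] No device or profile owner found for bad device management broadcast. [CONTEXT service_id=343 ]
06-28 01:12:31.850  6295  6314 W Auth    : [GetToken] GetToken failed with status code: DeviceManagementRequired  [CONTEXT service_id=343 ]
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Error refreshing OAuth token
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: java.io.IOException: Error creating OAuth access token for gRPC calls
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx$a.a(PG:39)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Caused by: hpz
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Error refreshing OAuth token
06-28 01:12:31.861 10485 10586 E GoogleOneUtils: PromoApi caused exception: xsd: UNAUTHENTICATED
06-28 01:12:31.861 10485 10586 E GoogleOneUtils: PromoApi caused exception: xsd: UNAUTHENTICATED
"""

# threadtime: date time pid tid level tag: message (tag may be space-padded)
LINE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*: (.*)$")

def triage(text, levels="WEF"):
    """Unique warning/error events in first-seen order, stack frames dropped."""
    seen = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or non-logcat line
        ts, pid, _tid, level, tag, msg = m.groups()
        body = msg.strip()
        # Skip lower levels and the continuation lines of a Java stack trace.
        if level not in levels or body.startswith(("at ", "... ", "Caused by:")):
            continue
        key = (int(pid), tag, body)
        if key in seen:
            seen[key]["count"] += 1  # same entry logged again
        else:
            seen[key] = {"ts": ts, "pid": int(pid), "tag": tag,
                         "level": level, "msg": body, "count": 1}
    return list(seen.values())

def auth_status_codes(events):
    """Values of 'status code: X' found in event messages, in order."""
    return [m.group(1) for e in events
            if (m := re.search(r"status code: (\w+)", e["msg"]))]

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f'{e["ts"]} {e["pid"]:>5} {e["level"]} {e["tag"]} x{e["count"]}: {e["msg"]}')
```
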

New issue, Play Store is not being copied.

mkg20001 • Jul 01 '25 15:07

This would fix a lot of issues lol

cameronaaron • Sep 14 '25 07:09

Hi just checking, are there plans to merge this yet? Thanks

xxxsskxxx • Oct 24 '25 13:10

This is currently broken and I have no resources to update and fix.

mkg20001 • Oct 24 '25 13:10

> This is currently broken and i have no resources to update and fix

What?! Please noo. :'(

cyberpunked1985 • Oct 25 '25 03:10