|
|
|
|
|
## 9.4\. Alternate Execution Environments
|
|
|
|
|
|
|
|
|
|
|
|
Device implementations MUST keep consistency of the Android security and
|
|
|
|
|
|
permission model, even if they include runtime environments that execute
|
|
|
|
|
|
applications using some other software or technology than the Dalvik Executable
|
|
|
|
|
|
Format or native code. In other words:
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-1] Alternate runtimes MUST themselves be Android applications,
|
|
|
|
|
|
and abide by the standard Android security model, as described elsewhere
|
|
|
|
|
|
in [section 9](#9_security_model_compatibility).
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-2] Alternate runtimes MUST NOT be granted access to resources
|
|
|
|
|
|
protected by permissions not requested in the runtime’s `AndroidManifest.xml`
|
|
|
|
|
|
file via the <`uses-permission`> mechanism.
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-3] Alternate runtimes MUST NOT permit applications to make use of
|
|
|
|
|
|
features protected by Android permissions restricted to system applications.
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-4] Alternate runtimes MUST abide by the Android sandbox model
|
|
|
|
|
|
and installed applications using an alternate runtime MUST NOT
|
|
|
|
|
|
reuse the sandbox of any other app installed on the device, except through
|
|
|
|
|
|
the standard Android mechanisms of shared user ID and signing certificate.
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-5] Alternate runtimes MUST NOT launch with, grant, or be granted
|
|
|
|
|
|
access to the sandboxes corresponding to other Android applications.
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-6] Alternate runtimes MUST NOT be launched with, be granted, or grant
|
|
|
|
|
|
to other applications any privileges of the superuser (root), or of any other
|
|
|
|
|
|
user ID.
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-7] When the `.apk` files of alternate runtimes are included in the
|
|
|
|
|
|
system image of device implementations, it MUST be signed with a key distinct
|
|
|
|
|
|
from the key used to sign other applications included with the device
|
|
|
|
|
|
implementations.
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-8] When installing applications, alternate runtimes MUST obtain
|
|
|
|
|
|
user consent for the Android permissions used by the application.
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-9] When an application needs to make use of a device resource for
|
|
|
|
|
|
which there is a corresponding Android permission (such as Camera, GPS, etc.),
|
|
|
|
|
|
the alternate runtime MUST inform the user that the application will be able to
|
|
|
|
|
|
access that resource.
|
|
|
|
|
|
|
|
|
|
|
|
* [C-0-10] When the runtime environment does not record application
|
|
|
|
|
|
capabilities in this manner, the runtime environment MUST list all permissions
|
|
|
|
|
|
held by the runtime itself when installing any application using that runtime.
|
|
|
|
|
|
|
|
|
|
|
|
* Alternate runtimes SHOULD install apps via the `PackageManager` into
|
|
|
|
|
|
separate Android sandboxes (Linux user IDs, etc.).
|
|
|
|
|
|
|
|
|
|
|
|
* Alternate runtimes MAY provide a single Android sandbox shared by all
|
|
|
|
|
|
applications using the alternate runtime.
|
