Android 11 package visibility changes break microg

[nickrbogdanov]

Normally my workflow is:

1. Build custom AOSP ROM with framework patches and minimal changes otherwise
2. Sideload F-Droid
3. Install Barcode Scanner from F-Droid
4. Scan QR code to add microg F-Droid repository
5. Install microg components via F-Droid (as normal non-system apps)
6. Sideload other random apps or restore them from backup

When trying to run Google Camera under Android 11 I encountered this new crash:

--------- beginning of crash
02-28 03:40:31.161  6374  6374 E AndroidRuntime: FATAL EXCEPTION: main
02-28 03:40:31.161  6374  6374 E AndroidRuntime: Process: com.google.android.GoogleCamera, PID: 6374
02-28 03:40:31.161  6374  6374 E AndroidRuntime: java.lang.RuntimeException: Unable to create application com.google.vr.vrcore.base.api.util.Application: java.lang.SecurityException: Failed to find provider com.google.android.gsf.gservices for user 0; expected to find a valid ContentProvider for this authority
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6720)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.app.ActivityThread.access$1300(ActivityThread.java:237)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1913)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:106)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:223)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.app.ActivityThread.main(ActivityThread.java:7660)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at java.lang.reflect.Method.invoke(Native Method)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: Caused by: java.lang.SecurityException: Failed to find provider com.google.android.gsf.gservices for user 0; expected to find a valid ContentProvider for this authority
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.os.Parcel.createExceptionOrNull(Parcel.java:2373)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.os.Parcel.createException(Parcel.java:2357)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.os.Parcel.readException(Parcel.java:2340)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.os.Parcel.readException(Parcel.java:2282)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.content.IContentService$Stub$Proxy.registerContentObserver(IContentService.java:1229)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.content.ContentResolver.registerContentObserver(ContentResolver.java:2627)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.content.ContentResolver.registerContentObserver(ContentResolver.java:2615)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at msa.g(PG:3)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at msa.c(PG:1)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at msa.a(PG:1)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at com.google.android.apps.camera.legacy.app.app.CameraApp.onCreate(PG:10)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1192)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6715)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	... 8 more
02-28 03:40:31.161  6374  6374 E AndroidRuntime: Caused by: android.os.RemoteException: Remote stack trace:
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at com.android.server.content.ContentService.registerContentObserver(ContentService.java:355)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.content.IContentService$Stub.onTransact(IContentService.java:482)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.os.Binder.execTransactInternal(Binder.java:1154)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 	at android.os.Binder.execTransact(Binder.java:1123)
02-28 03:40:31.161  6374  6374 E AndroidRuntime: 
02-28 03:40:31.163  1481  1783 W ActivityTaskManager:   Force finishing activity com.google.android.GoogleCamera/com.android.camera.CameraLauncher

After I uninstalled microg GmsCore and then sideloaded the APK using --force-queryable, that fixed the error. I confirmed with dumpsys package queries that Android 11 no longer makes microg's GmsCore visible to all apps. Perhaps we should introduce a new framework patch to work around this quirk? This worked for me but I'm not sure if I should be listing other microg packages too:

diff --git a/services/core/java/com/android/server/pm/AppsFilter.java b/services/core/java/com/android/server/pm/AppsFilter.java
index 10f77144e022..718fcb1b0f4c 100644
--- a/services/core/java/com/android/server/pm/AppsFilter.java
+++ b/services/core/java/com/android/server/pm/AppsFilter.java
@@ -567,6 +567,7 @@ public class AppsFilter {
         final boolean newIsForceQueryable =
                 mForceQueryable.contains(newPkgSetting.appId)
                         /* shared user that is already force queryable */
+                        || newPkg.getPackageName().equals("com.google.android.gms")
                         || newPkgSetting.forceQueryableOverride /* adb override */
                         || (newPkgSetting.isSystem() && (mSystemAppsQueryable
                         || newPkg.isForceQueryable()

[chris42]

I have a similar setup, using Arnovas GCam Beta. (However I bake microg right into the ROM and do not do a later sideload)

I searched my log and could not find the error in my logs. Did you use a specific feature of the googlecamera? If this is an issue, it probably helps if we can replicate it.

[nickrbogdanov]

For me, GCam 8.1.101.345618084 crashes immediately on startup without the ROM patch.

I believe the key is that in dumpsys package queries, you want com.google.android.gms to show up under the forceQueryable heading. Installing via F-Droid doesn't do this (unless my new framework patch is in the ROM). Sideloading microg with adb install --force-queryable does.

I suspect that baking microg into your ROM will also work, because microg has the appropriate flag set in its manifest. Maybe this is a better long-term solution, although when I tried to add the "big 5" microg packages into priv-app, there was something wrong with the permissions that caused a bootloop (which I didn't investigate):

02-23 21:51:28.967  4535  4535 E System  : java.lang.IllegalStateException: Signature|privileged permissions not in privapp-permissions whitelist: {org.microg.nlp (/system/priv-app/UnifiedNlp): android.permission.INSTALL_LOCATION_PROVIDER, com.google.android.gms (/system/priv-app/GmsCore): android.permission.UPDATE_APP_OPS_STATS, com.google.android.gms (/system/priv-app/GmsCore): android.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST, com.google.android.gms (/system/priv-app/GmsCore): android.permission.INSTALL_LOCATION_PROVIDER}

If the proposed solution is to ask people to just bake microg into their ROMs, it would be helpful to do the following:

1. Provide step by step instructions, i.e. which files to patch, what Android.mk to use, etc. Having a canonical way to do this would be helpful.
2. Offer direct download links that serve up the latest APKs, so that your build script can do something like curl https://microg.org/fdroid/repo/com.google.android.gms-LATEST.apk instead of hardcoding a version number or having to parse the F-Droid package index JSON.

[chris42]

Ok, for me gcam is working and I am taking pictures with it. So it will depend on your install method, which I can't reproduce that easy.

So probably the signature spoofing patch should be reviewed by @mar-v-in if your extension is needed. A lot of people do add microg later on, but of course need the signature spoofing patch as a base.

If you are interested in the "baking microg into the ROM", check https://github.com/chris42/android_prebuilts_prebuiltapks
Normally that setup will set all permissions , so you get an all green checkmarks microg on a new ROM. Of course signature spoofing patch is needed as well.

[GeographicCone]

I ran into a related issue having upgraded to Android 11 (LOS 18.1) on one device: apps were complaining about the lack of Google Play services even though the latest version of MicroG (2.18) appeared to be set up correctly.

The issue wasn't app-specific but can be nicely illustrated with the Matrix Element client (im.vector.app), which has a notification troubleshooting mode:

The logcat output was:
E GoogleApiAvailability: Google Play services is invalid. Cannot recover.

Turns out the solution was to "reinstall" both MicroG and FakeStore (com.android.vending) as user apps:

adb shell pm install -r /system/priv-app/FakeStore/FakeStore.apk
adb shell pm install -r /system/priv-app/GmsCore/GmsCore.apk

For the record, it was a clean install (starting with an empty /data), with everything going directly into /system (not via Magisk), and all the required permissions and exceptions being granted in /system/etc/{[default-]permissions,sysconfig}/*. So I think this issue is not limited to dirty flashes and/or interoperability with Magisk.

There must obviously be a more elegant way to accomplish the same but in the meantime sharing this workaround hopefully helps someone.

[marado]

I suspect that baking microg into your ROM will also work, because microg has the appropriate flag set in its manifest. Maybe this is a better long-term solution, although when I tried to add the "big 5" microg packages into priv-app, there was something wrong with the permissions that caused a bootloop (which I didn't investigate):

02-23 21:51:28.967  4535  4535 E System  : java.lang.IllegalStateException: Signature|privileged permissions not in privapp-permissions whitelist: {org.microg.nlp (/system/priv-app/UnifiedNlp): android.permission.INSTALL_LOCATION_PROVIDER, com.google.android.gms (/system/priv-app/GmsCore): android.permission.UPDATE_APP_OPS_STATS, com.google.android.gms (/system/priv-app/GmsCore): android.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST, com.google.android.gms (/system/priv-app/GmsCore): android.permission.INSTALL_LOCATION_PROVIDER}

You will need an xml with the permissions for those apps. For eg., for GmsCore:

    <privapp-permissions package="com.google.android.gms">
        <permission name="android.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST"/>
        <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
        <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
    </privapp-permissions>

[ale5000-git]

The latest version of microG GmsCore and FakeStore already have the right flag (you need to update both of them) so this is already fixed.
If you have any other problem, please open a new ticket.