OpenSync on Android
General
OpenSync core has been repackaged into an Android APK. This architecture is the foundation for enabling OpenSync functionality within the Android ecosystem, where the primary focus is on relaying settings to a proxy service and converting them into standard Android API calls. This approach avoids modifying the lower layers, thereby ensuring compatibility with the standard Android framework and avoiding an Android certification. The Android application APK is an easily installable package.
The design consists of two main components:
Existing OpenSync managers that are written in C and operate as native Linux processes.
The new OpenSync Android Application that serves as an API proxy service, exclusively responding to requests from OpenSync native managers.
This approach minimizes interference with the core functionality of the Android source code (AOSP), ensuring compliance with Android TV or phone certification requirements.
Q: Why can't OpenSync native managers talk to the Android OS directly?
A: In Android, C programs cannot directly access system-level services using JNI (Java Native Interface). Instead, to interact with these services, an Android application needs to be written, which acts as an intermediary layer. JNI facilitates communication and interaction between Java code and native code, such as C or C++. However, system-level services in Android are typically exposed through Java APIs, not native code. Therefore, the Android application acts as a bridge, allowing indirect access to system-level services.
In summary, to access system-level services in Android, developers generally need to create an Android application that serves as an intermediary. JNI enables the integration of C code into the Android application, allowing developers to access system-level services through Java in the application.
Northbound API
We will introduce new Northbound APIs based on future Android-specific features with the cloud.
Southbound API
Building OpenSync core and dependencies using NDK, and supporting Gradle.
Packing OpenSync core and dependencies into the APK.
Bootstrapping OpenSync DM and OVSDB using the OpenSync app.
W^X Violation
Since Android 6, Google's W^X restrictions disallow execution of system app data files:
https://android-review.googlesource.com/c/platform/external/sepolicy/+/155505
10-21 00:13:33.608 4892 4892 W Thread-3: type=1400 audit(0.0:460): avc: denied { execute } for name="ovsdb-server" dev="mmcblk0p23" ino=459791 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
10-21 00:13:33.616 4851 4889 W System.err: java.io.IOException: Cannot run program "/data/user/0/com.opensync.app/files/bin/ovsdb-server": error=13, Permission denied
10-21 00:13:33.617 4851 4889 W System.err: at com.opensync.app.OpenSyncBootStrap$1.run(OpenSyncBootStrap.java:189)
10-21 00:13:33.612 4893 4893 W Thread-2: type=1400 audit(0.0:461): avc: denied { execute } for name="dm" dev="mmcblk0p23" ino=459829 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
10-21 00:13:33.622 4851 4888 W System.err: java.io.IOException: Cannot run program "/data/user/0/com.opensync.app/files/opensync/bin/dm": error=13, Permission denied
10-21 00:13:33.622 4851 4888 W System.err: at com.opensync.app.OpenSyncBootStrap$1.run(OpenSyncBootStrap.java:189)
OpenSync is intended to run as a system app because it needs access to more advanced APIs. However, the OpenSync APK design needs to bootstrap the OpenSync native managers, and this runs into the Android APK data file W^X violation shown above.
Hence, a separate set of Android SELinux rules is needed for the OpenSync app. These rules must be based on the same foundation as the system app rules, with additional specific rules incorporated. Please refer to the patches provided in OpenSync and apply them to your Android sepolicy.
The sepolicy may vary for different Android versions. The patches include changes for API levels 28 to 33. You should refer to these modifications and subsequently port them to your sepolicy directory based on your Android version.
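To confirm that a bootstrap failure is the W^X denial shown in the logcat excerpt above, and to re-check after porting the sepolicy patches, the AVC records can be extracted from a logcat capture. This is an added example, not part of the OpenSync SDK; the function names are hypothetical and the sample lines are copied from the log on this page.

```python
import re

# Three lines copied from the logcat excerpt on this page: two AVC records
# and one Java exception line that the parser must skip.
SAMPLE_LOG = """\
10-21 00:13:33.608 4892 4892 W Thread-3: type=1400 audit(0.0:460): avc: denied { execute } for name="ovsdb-server" dev="mmcblk0p23" ino=459791 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
10-21 00:13:33.616 4851 4889 W System.err: java.io.IOException: Cannot run program "/data/user/0/com.opensync.app/files/bin/ovsdb-server": error=13, Permission denied
10-21 00:13:33.612 4893 4893 W Thread-2: type=1400 audit(0.0:461): avc: denied { execute } for name="dm" dev="mmcblk0p23" ino=459829 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# SELinux file permissions that gate running a binary.
EXEC_PERMS = {"execute", "execute_no_trans"}

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    # Contexts are user:role:type:level; policy rules match on the type field.
    rec["stype"] = rec.get("scontext", ":::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", ":::").split(":")[2]
    rec["enforced"] = rec.get("permissive") == "0"
    return rec

def is_wx_denial(rec):
    """True when executing a file labelled as app data was denied."""
    # Assumption: app data types are recognised by the '*app_data_file' suffix.
    return (rec.get("tclass") == "file"
            and bool(rec["perms"] & EXEC_PERMS)
            and rec["ttype"].endswith("app_data_file"))

def wx_denials(log_text):
    """Collect (binary name, source domain, target type, enforced) per hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_wx_denial(rec):
            hits.append((rec.get("name"), rec["stype"], rec["ttype"], rec["enforced"]))
    return hits

if __name__ == "__main__":
    for name, stype, ttype, enforced in wx_denials(SAMPLE_LOG):
        mode = "blocked" if enforced else "logged only (permissive)"
        print(f"{name}: {stype} -> {ttype} execute {mode}")
```

After the OpenSync rules are applied, the same capture path should report no hits for the OpenSync binaries; a hit with a source domain of system_app indicates the app is still running under the stock system app policy.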
Requirements
Android OS Version >= 9.0.
Patching the OpenSync dedicated SEAndroid rules, located in opensync-sdk-android/sepolicy.