@@ -39,7 +39,7 @@ For the complete list of APIs and example code, see [Network Connection Manageme
...
@@ -39,7 +39,7 @@ For the complete list of APIs and example code, see [Network Connection Manageme
| ---- | ---- | ---- |
| ---- | ---- | ---- |
| ohos.net.connection | function getDefaultNet(callback: AsyncCallback\<NetHandle>): void; |Creates a **NetHandle** object that contains the **netId** of the default network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getDefaultNet(callback: AsyncCallback\<NetHandle>): void; |Creates a **NetHandle** object that contains the **netId** of the default network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getGlobalHttpProxy<sup>10+</sup>(callback: AsyncCallback\<HttpProxy>): void;| Obtains the global HTTP proxy for the network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getGlobalHttpProxy<sup>10+</sup>(callback: AsyncCallback\<HttpProxy>): void;| Obtains the global HTTP proxy for the network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function setGlobalHttpProxy<sup>10+</sup>(httpProxy: HttpProxy, callback: AsyncCallback<void>): void;| Sets the global HTTP proxy for the network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function setGlobalHttpProxy<sup>10+</sup>(httpProxy: HttpProxy, callback: AsyncCallback\<void>): void;| Sets the global HTTP proxy for the network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getAppNet<sup>9+</sup>(callback: AsyncCallback\<NetHandle>): void;| Obtains a **NetHandle** object that contains the **netId** of the network bound to the application. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getAppNet<sup>9+</sup>(callback: AsyncCallback\<NetHandle>): void;| Obtains a **NetHandle** object that contains the **netId** of the network bound to the application. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function setAppNet<sup>9+</sup>(netHandle: NetHandle, callback: AsyncCallback\<void>): void;| Binds an application to the specified network. The application can access the external network only through this network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function setAppNet<sup>9+</sup>(netHandle: NetHandle, callback: AsyncCallback\<void>): void;| Binds an application to the specified network. The application can access the external network only through this network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getDefaultNetSync<sup>9+</sup>(): NetHandle; |Obtains the default active data network in synchronous mode. You can use **getNetCapabilities** to obtain information such as the network type and capabilities.|
| ohos.net.connection | function getDefaultNetSync<sup>9+</sup>(): NetHandle; |Obtains the default active data network in synchronous mode. You can use **getNetCapabilities** to obtain information such as the network type and capabilities.|
...
@@ -47,7 +47,7 @@ For the complete list of APIs and example code, see [Network Connection Manageme
...
@@ -47,7 +47,7 @@ For the complete list of APIs and example code, see [Network Connection Manageme
| ohos.net.connection | function getAllNets(callback: AsyncCallback\<Array\<NetHandle>>): void;| Obtains the list of **NetHandle** objects of the connected network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getAllNets(callback: AsyncCallback\<Array\<NetHandle>>): void;| Obtains the list of **NetHandle** objects of the connected network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getConnectionProperties(netHandle: NetHandle, callback: AsyncCallback\<ConnectionProperties>): void; |Obtains link information of the default network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getConnectionProperties(netHandle: NetHandle, callback: AsyncCallback\<ConnectionProperties>): void; |Obtains link information of the default network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getNetCapabilities(netHandle: NetHandle, callback: AsyncCallback\<NetCapabilities>): void; |Obtains the capability set of the default network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getNetCapabilities(netHandle: NetHandle, callback: AsyncCallback\<NetCapabilities>): void; |Obtains the capability set of the default network. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function isDefaultNetMetered<sup>9+</sup>(callback: AsyncCallback<boolean>): void; |Checks whether the data traffic usage on the current network is metered. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function isDefaultNetMetered<sup>9+</sup>(callback: AsyncCallback\<boolean>): void; |Checks whether the data traffic usage on the current network is metered. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function reportNetConnected(netHandle: NetHandle, callback: AsyncCallback\<void>): void;| Reports a **netAavailable** event to NetManager. If this API is called, the application considers that its network status (ohos.net.connection.NetCap.NET_CAPABILITY_VAILDATED) is inconsistent with that of NetManager. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function reportNetConnected(netHandle: NetHandle, callback: AsyncCallback\<void>): void;| Reports a **netAavailable** event to NetManager. If this API is called, the application considers that its network status (ohos.net.connection.NetCap.NET_CAPABILITY_VAILDATED) is inconsistent with that of NetManager. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function reportNetDisconnected(netHandle: NetHandle, callback: AsyncCallback\<void>): void;| Reports a **netAavailable** event to NetManager. If this API is called, the application considers that its network status (ohos.net.connection.NetCap.NET_CAPABILITY_VAILDATED) is inconsistent with that of NetManager. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function reportNetDisconnected(netHandle: NetHandle, callback: AsyncCallback\<void>): void;| Reports a **netAavailable** event to NetManager. If this API is called, the application considers that its network status (ohos.net.connection.NetCap.NET_CAPABILITY_VAILDATED) is inconsistent with that of NetManager. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getAddressesByName(host: string, callback: AsyncCallback\<Array\<NetAddress>>): void; |Obtains all IP addresses of the specified network by resolving the domain name. This API uses an asynchronous callback to return the result.|
| ohos.net.connection | function getAddressesByName(host: string, callback: AsyncCallback\<Array\<NetAddress>>): void; |Obtains all IP addresses of the specified network by resolving the domain name. This API uses an asynchronous callback to return the result.|
-[HTTP data request](http-request.md): initiates a data request through HTTP.
-[HTTP data request](http-request.md): initiates a data request through HTTP.
-[WebSocket connection](websocket-connection.md): establishes a bidirectional connection between the server and client through WebSocket.
-[WebSocket connection](websocket-connection.md): establishes a bidirectional connection between the server and client through WebSocket.
-[Socket connection](socket-connection.md): transmits data through Socket.
-[Socket connection](socket-connection.md): transmits data through Socket.
-[Network policy management](net-policy-management.md): restricts network capabilities by setting network policies, including cellular network policy, sleep/power-saving mode policy, and background network policy, and resets network policies as needed.
-[Network sharing](net-sharing.md): shares a device's Internet connection with other connected devices by means of Wi-Fi hotspot, Bluetooth, and USB sharing, and queries the network sharing state and shared mobile data volume.
-[Network sharing](net-sharing.md): shares a device's Internet connection with other connected devices by means of Wi-Fi hotspot, Bluetooth, and USB sharing, and queries the network sharing state and shared mobile data volume.
-[Ethernet connection](net-ethernet.md): provides wired network capabilities, which allow you to set the IP address, subnet mask, gateway, and Domain Name System (DNS) server of a wired network.
-[Ethernet connection](net-ethernet.md): provides wired network capabilities, which allow you to set the IP address, subnet mask, gateway, and Domain Name System (DNS) server of a wired network.
-[Network connection management](net-connection-manager.md): provides basic network management capabilities, including management of Wi-Fi/cellular/Ethernet connection priorities, network quality evaluation, subscription to network connection status changes, query of network connection information, and DNS resolution.
-[Network connection management](net-connection-manager.md): provides basic network management capabilities, including management of Wi-Fi/cellular/Ethernet connection priorities, network quality evaluation, subscription to network connection status changes, query of network connection information, and DNS resolution.
In Host mode, you can obtain the list of connected USB devices, enable or disable the devices, manage device access permissions, and perform data transfer or control transfer.
In Host mode, you can obtain the list of connected USB devices, enable or disable the devices, manage device access permissions, and perform data transfer or control transfer.
## APIs
## Available APIs
The USB service provides the following functions: query of USB device list, bulk data transfer, control transfer, and access permission management.
The USB service provides the following functions: query of USB device list, bulk data transfer, control transfer, and access permission management.
The following table lists the USB APIs currently available. For details, see the [API Reference](../reference/apis/js-apis-usbManager.md).
The following table lists the USB APIs currently available. For details, see the [API Reference](../reference/apis/js-apis-usbManager.md).
| hasRight(deviceName: string): boolean | Checks whether the user has the device access permissions. |
| hasRight(deviceName: string): boolean | Checks whether the user has the device access permissions.|
| requestRight(deviceName: string): Promise\<boolean> | Requests the temporary permission for a given application to access the USB device. This API uses a promise to return the result. |
| requestRight(deviceName: string): Promise<boolean> | Requests the device access permissions for the application. This API uses a promise to return the result. |
| connectDevice(device: USBDevice): Readonly\<USBDevicePipe> | Connects to the USB device based on the device list returned by `getDevices()`. |
| removeRight(deviceName: string): boolean | Revokes the device access permissions of the application.|
| getDevices(): Array<Readonly\<USBDevice>> | Obtains the list of USB devices connected to the USB host. If no USB device is connected, an empty list is returned. |
| connectDevice(device: USBDevice): Readonly<USBDevicePipe> | Connects to the USB device based on the device information returned by `getDevices()`. |
| setConfiguration(pipe: USBDevicePipe, config: USBConfiguration): number | Sets the USB device configuration. |
| getDevices(): Array<Readonly<USBDevice>> | Obtains the list of USB devices connected to the host. If no device is connected, an empty list is returned. |
| setInterface(pipe: USBDevicePipe, iface: USBInterface): number | Sets a USB interface. |
| setConfiguration(pipe: USBDevicePipe, config: USBConfiguration): number | Sets the USB device configuration. |
| claimInterface(pipe: USBDevicePipe, iface: USBInterface, force ?: boolean): number | Claims a USB interface. |
| setInterface(pipe: USBDevicePipe, iface: USBInterface): number | Sets a USB interface. |
Alternatively, use your own locale and formatting parameters to create a **DateTimeFormat** object. Formatting parameters are optional. For a full list of formatting parameters, see [DateTimeOptions](../reference/apis/js-apis-intl.md#datetimeoptions9).
Alternatively, use your own locale and formatting parameters to create a **DateTimeFormat** object. Formatting parameters are optional. For a full list of formatting parameters, see [DateTimeOptions](../reference/apis/js-apis-intl.md#datetimeoptions6).
Alternatively, use your own locale and formatting parameters to create a **NumberFormat** object. Formatting parameters are optional. For a full list of formatting parameters, see [NumberOptions](../reference/apis/js-apis-intl.md#numberoptions9).
Alternatively, use your own locale and formatting parameters to create a **NumberFormat** object. Formatting parameters are optional. For a full list of formatting parameters, see [NumberOptions](../reference/apis/js-apis-intl.md#numberoptions6).
@@ -240,7 +240,7 @@ Users in different regions have different requirements for string sorting. [Coll
...
@@ -240,7 +240,7 @@ Users in different regions have different requirements for string sorting. [Coll
letcollator=newIntl.Collator();
letcollator=newIntl.Collator();
```
```
Alternatively, use your own locale and formatting parameters to create a **Collator** object. For a full list of parameters, see [CollatorOptions](../reference/apis/js-apis-intl.md#collatoroptions9).
Alternatively, use your own locale and formatting parameters to create a **Collator** object. For a full list of parameters, see [CollatorOptions](../reference/apis/js-apis-intl.md#collatoroptions8).
The **sensitivity** parameter is used to specify the levels of differences that will be used for string comparison. The value **base** indicates that only characters are compared, but not the accent and capitalization. For example, 'a' != 'b', 'a' == '', 'a'=='A'. The value **accent** indicates that the accent is considered, but not the capitalization. For example, 'a' != 'b', 'a' == '', 'a'=='A'. The value **case** indicates that the capitalization is considered, but the accent. For example, 'a' != 'b', 'a' == '', 'a'=='A'. The value **variant** indicates that the accent and capitalization are considered. For example, 'a' != 'b', 'a' == '', 'a'=='A'.
The **sensitivity** parameter is used to specify the levels of differences that will be used for string comparison. The value **base** indicates that only characters are compared, but not the accent and capitalization. For example, 'a' != 'b', 'a' == '', 'a'=='A'. The value **accent** indicates that the accent is considered, but not the capitalization. For example, 'a' != 'b', 'a' == '', 'a'=='A'. The value **case** indicates that the capitalization is considered, but the accent. For example, 'a' != 'b', 'a' == '', 'a'=='A'. The value **variant** indicates that the accent and capitalization are considered. For example, 'a' != 'b', 'a' == '', 'a'=='A'.
```js
```js
...
@@ -301,7 +301,7 @@ According to grammars in certain languages, the singular or plural form of a nou
...
@@ -301,7 +301,7 @@ According to grammars in certain languages, the singular or plural form of a nou
letpluralRules=newIntl.PluralRules();
letpluralRules=newIntl.PluralRules();
```
```
Alternatively, use your own locale and formatting parameters to create a **PluralRules** object. For a full list of parameters, see [PluralRulesOptions](../reference/apis/js-apis-intl.md#pluralrulesoptions9).
Alternatively, use your own locale and formatting parameters to create a **PluralRules** object. For a full list of parameters, see [PluralRulesOptions](../reference/apis/js-apis-intl.md#pluralrulesoptions8).
Alternatively, use your own locale and formatting parameters to create a **RelativeTimeFormat** object. Formatting parameters are optional. For a full list of formatting parameters, see [RelativeTimeFormatInputOptions](../reference/apis/js-apis-intl.md#relativetimeformatinputoptions9).
Alternatively, use your own locale and formatting parameters to create a **RelativeTimeFormat** object. Formatting parameters are optional. For a full list of formatting parameters, see [RelativeTimeFormatInputOptions](../reference/apis/js-apis-intl.md#relativetimeformatinputoptions8).
| type | string | Yes | Audio device change. This field has a fixed value of **audioDeviceChange**.|
| callback | Callback<[AudioDeviceInfo](#audiodeviceinfo10)> | No | Callback used to return the result. If this parameter is not set, no subscription cancellation result will be received. |
**Error codes**
For details about the following error codes, see [Telephony Error Codes](../../reference/errorcodes/errorcode-telephony.md).
| state | [VoNRState](#vonrstate10) | Yes | Status of the VoNR switch. |
| callback | AsyncCallback<boolean> | Yes | Callback used to return the result. Callback used to return the result. The value **true** indicates that the operation is successful, and value **false** indicates the opposite.|
**Error codes**
For details about the following error codes, see [Telephony Error Codes](../../reference/errorcodes/errorcode-telephony.md).
| callback | AsyncCallback<boolean> | Yes | Callback used to return the result. Callback used to return the result. The value **true** indicates that the call forwarding time can be set, and the value **false** indicates the opposite.|
**Error codes**
For details about the following error codes, see [Telephony Error Codes](../../reference/errorcodes/errorcode-telephony.md).
> - The APIs of this module are no longer maintained since API version 7. You are advised to use [`@ohos.telephony.observer`](js-apis-observer.md).
>
> - The initial APIs of this module are supported since API version 3. Newly added APIs will be marked with a superscript to indicate their earliest API version.
> - The initial APIs of this module are supported since API version 3. Newly added APIs will be marked with a superscript to indicate their earliest API version.
@@ -6,7 +6,7 @@ By default, an application can run for a period of 6 to 12 seconds after it swit
...
@@ -6,7 +6,7 @@ By default, an application can run for a period of 6 to 12 seconds after it swit
You are advised not to call the [requestSuspendDelay()](../reference/apis/js-apis-resourceschedule-backgroundTaskManager.md#backgroundtaskmanagerrequestsuspenddelay) method to apply for delayed suspension after the application is running in the background. Instead, you need to call this interface to declare the execution time of the extended application to the system before performing any time-consuming operation. It is recommended that an application calls [requestSuspendDelay()](../reference/apis/js-apis-resourceschedule-backgroundTaskManager.md#backgroundtaskmanagerrequestsuspenddelay) when it is running in the foreground, so as not to affect the transient task quota of the application.
You are advised not to call the [requestSuspendDelay()](../reference/apis/js-apis-resourceschedule-backgroundTaskManager.md#backgroundtaskmanagerrequestsuspenddelay) method to apply for delayed suspension after the application is running in the background. Instead, you need to call this interface to declare the execution time of the extended application to the system before performing any time-consuming operation. It is recommended that an application calls [requestSuspendDelay()](../reference/apis/js-apis-resourceschedule-backgroundTaskManager.md#backgroundtaskmanagerrequestsuspenddelay) when it is running in the foreground, so as not to affect the transient task quota of the application.
An application can obtain the remaining duration before being suspended by calling [getRemainingDelayTime()](../reference/apis/js-apis-resourceschedule-backgroundTaskManager.md#backgroundtaskmanagergetremainingdelaytimecallback). Each application has a daily time quota for transient tasks. Therefore, after the time-consuming task finishes execution, the application should call [cancelSuspendDelay()](../reference/apis/js-apis-resourceschedule-backgroundTaskManager.md#backgroundtaskmanagercancelsuspenddelay) to cancel the transient task in a timely manner.
An application can obtain the remaining duration before being suspended by calling [getRemainingDelayTime()](../reference/apis/js-apis-resourceschedule-backgroundTaskManager.md#backgroundtaskmanagergetremainingdelaytime). Each application has a daily time quota for transient tasks. Therefore, after the time-consuming task finishes execution, the application should call [cancelSuspendDelay()](../reference/apis/js-apis-resourceschedule-backgroundTaskManager.md#backgroundtaskmanagercancelsuspenddelay) to cancel the transient task in a timely manner.
Typical time-consuming tasks include saving status data to the local database, opening and processing a large file, and synchronizing data to the cloud server.
Typical time-consuming tasks include saving status data to the local database, opening and processing a large file, and synchronizing data to the cloud server.
| createMessage(pdu: Array<number>, specification: string, callback: AsyncCallback<ShortMessage>): void | Creates an SMS message instance based on the PDU and the specified SMS protocol.|
| createMessage(pdu: Array<number>, specification: string, callback: AsyncCallback\<ShortMessage>): void | Creates an SMS message instance based on the PDU and the specified SMS protocol.|
| sendMessage(options: SendMessageOptions): void | Sends text or data SMS messages. |
| sendMessage(options: SendMessageOptions): void | Sends text or data SMS messages. |
| getDefaultSmsSlotId(callback: AsyncCallback<number>): void | Obtains the ID of the default SIM card used to send SMS messages. |
| getDefaultSmsSlotId(callback: AsyncCallback\<number>): void | Obtains the ID of the default SIM card used to send SMS messages. |
| setSmscAddr(slotId: number, smscAddr: string, callback: AsyncCallback<void>): void | Sets the SMSC address based on the specified slot ID. |
| setSmscAddr(slotId: number, smscAddr: string, callback: AsyncCallback\<void>): void | Sets the SMSC address based on the specified slot ID. |
| getSmscAddr(slotId: number, callback: AsyncCallback<string>): void | Obtains the SMSC address based on the specified slot ID. |
| getSmscAddr(slotId: number, callback: AsyncCallback\<string>): void | Obtains the SMSC address based on the specified slot ID. |
Secure computing mode (Seccomp) is a security mechanism provided by the Linux kernel. In the Linux system, a large number of system calls can be opened to user-mode programs without any restrictions. However, not all of these system calls are necessarily needed for user-mode programs. In this case, abuse of system calls can lead to system threats. For example, if a process has a security vulnerability, an attacker can run a shellcode segment to trigger system calls that are not triggered during normal execution, resulting in privilege escalation or private information leakage. To prevent such security risks, Seccomp limits the scope of system calls that can be used by programs, so as to reduce system exposure and improve security.
Secure computing mode (Seccomp) is a security mechanism provided by the Linux kernel. In the Linux system, a large number of system calls can be opened to user-mode programs without any restrictions. However, not all of these system calls are necessarily needed for user-mode programs. In this case, abuse of system calls can lead to system threats. For example, if a process has a security vulnerability, an attacker can run a shellcode segment to trigger system calls that are not triggered during normal execution, resulting in privilege escalation or private information leakage. To prevent such security risks, Seccomp limits the scope of system calls that can be used by programs, so as to reduce system exposure and improve security.
### Operating Mechanism
### Operating Mechanism
1. Basic mechanism
- Basic mechanism
Seccomp policies exist in the form of policy files. During compilation and building, a policy file is parsed to generate a source file that contains the BPF instruction policies, and then the source file is compiled into a dynamic policy library. During startup of a user-mode process, Seccomp system calls are invoked to load the BPF instruction policies into the kernel through the dynamic policy library.
Seccomp policies exist in the form of policy files. During compilation and building, a policy file is parsed to generate a source file that contains the BPF instruction policies, and then the source file is compiled into a dynamic policy library. During startup of a user-mode process, Seccomp system calls are invoked to load the BPF instruction policies into the kernel through the dynamic policy library.
- Basic features
- A child process inherits the Seccomp policies of its parent process.
2. Basic features
- After a Seccomp policy is loaded to the kernel during process running, the policy exists in the memory as a singly linked list and cannot be modified.
- A child process inherits the Seccomp policies of its parent process.
- Seccomp policies can be set for a process for multiple times. When a process executes a system call, the kernel traverses the policies specified for the nodes in the singly linked list, and then compares the policies to obtain the policy with the highest priority.
- After a Seccomp policy is loaded to the kernel during process running, the policy exists in the memory as a singly linked list and cannot be modified.
- Seccomp policies can be set for a process for multiple times. When a process executes a system call, the kernel traverses the policies specified for the nodes in the singly linked list, and then compares the policies to obtain the policy with the highest priority.
### Constraints
### Constraints
- System restrictions<br>The system used must be a standard system, and the options listed below must be enabled in the kernel. You can find the kernel option configuration file of the product in **//kernel/linux/config/{linux_version}/arch/{target_cpu}/configs/**.
- System restrictions
The system used must be a standard system, and the options listed below must be enabled in the kernel. You can find the kernel option configuration file of the product in **//kernel/linux/config/{linux_version}/arch/{target_cpu}/configs/**.
```shell
```shell
CONFIG_HAVE_ARCH_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
...
@@ -32,7 +24,6 @@ Secure computing mode (Seccomp) is a security mechanism provided by the Linux ke
...
@@ -32,7 +24,6 @@ Secure computing mode (Seccomp) is a security mechanism provided by the Linux ke
```
```
- Feature restrictions
- Feature restrictions
- The Seccomp policy for non-privileged processes complies with the baseline blocklist mechanism.
- The Seccomp policy for non-privileged processes complies with the baseline blocklist mechanism.
- If a process needs to use system calls in the baseline blocklist, the system calls must be declared in the privileged process policy file.
- If a process needs to use system calls in the baseline blocklist, the system calls must be declared in the privileged process policy file.
- The same Seccomp policy is enabled for all application processes.
- The same Seccomp policy is enabled for all application processes.
...
@@ -40,13 +31,9 @@ Secure computing mode (Seccomp) is a security mechanism provided by the Linux ke
...
@@ -40,13 +31,9 @@ Secure computing mode (Seccomp) is a security mechanism provided by the Linux ke
- Personalized Seccomp policies can be enabled for the native service processes incubated by the init process.
- Personalized Seccomp policies can be enabled for the native service processes incubated by the init process.
## Enabling Seccomp
## Enabling Seccomp
### When to Use
### When to Use
To meet product security requirements, you can enable Seccomp to limit the scope of system calls that can be invoked by processes. The development procedure below describes how to enable the basic functions and policies of Seccomp. Note that the basic functions must meet the feature restrictions described in [Constraints](#constraints). For details about the basic policy file, see [Policy File Overview](#policy-file-overview).
To meet product security requirements, you can enable Seccomp to limit the scope of system calls that can be invoked by processes. The development procedure below describes how to enable the basic functions and policies of Seccomp. Note that the basic functions must meet the feature restrictions described in [Constraints](#constraints). For details about the basic policy file, see [Policy File Overview](#policy-file-overview).
### How to Develop
### How to Develop
1. Add the following field to **vendor/Product vendor/Product name/config.json**:
1. Add the following field to **vendor/Product vendor/Product name/config.json**:
```c
```c
"build_seccomp":true
"build_seccomp":true
...
@@ -74,18 +61,14 @@ To meet product security requirements, you can enable Seccomp to limit the scope
...
@@ -74,18 +61,14 @@ To meet product security requirements, you can enable Seccomp to limit the scope
]
]
}
}
```
```
2. Perform a full build on the product code to generate an image.
2. Perform a full build on the product code to generate an image.
Check whether Seccomp is enabled for application processes and system service processes.
Check whether Seccomp is enabled for application processes and system service processes.
1. Run the shell command to obtain the process ID (that is, **target pid**) of the target process.
1. Run the shell command to obtain the process ID (that is, **target pid**) of the target process.
```
```
ps -ef | grep xxx
ps -ef | grep xxx
...
@@ -108,34 +91,30 @@ Check whether Seccomp is enabled for application processes and system service pr
...
@@ -108,34 +91,30 @@ Check whether Seccomp is enabled for application processes and system service pr
**Table 1** Description of the Seccomp status
**Table 1** Description of the Seccomp status
| Parameter | Description |
| Parameter | Description |
| --- | --- |
| --- | --- |
| Seccomp | Whether Seccomp is enabled.<br>- **0**: disabled.<br>- **1**: enabled with the strict mode. Only the read, write, exit, and sigreturn system calls are allowed.<br>- **2**: enabled with the filter mode. The customized policies can be enabled by loading BPF instruction sets. |
| Seccomp | - **0**: disabled.<br>- **1**: enabled with the strict mode. Only the read, write, exit, and sigreturn system calls are allowed.<br>- **2**: enabled with the filter mode. The customized policies can be enabled by loading BPF instruction sets. |
| Seccomp_filters | Number of Seccomp policies set for a process. |
| Seccomp_filters | Number of Seccomp policies set for a process. |
## Customizing Seccomp Policies for a Process
## Customizing Seccomp Policies for a Process
### When to Use
### When to Use
If the basic Seccomp policy has been enabled for a product, you can customize Seccomp policies for native service processes incubated by the init process to adapt to diversified security requirements. In this case, the Seccomp policies of other native service processes remain unchanged.
If the basic Seccomp policy has been enabled for a product, you can customize Seccomp policies for native service processes incubated by the init process to adapt to diversified security requirements. In this case, the Seccomp policies of other native service processes remain unchanged.
### How to Develop
### How to Develop
1. Collect statistics on the system calls required by the 32-bit and 64-bit systems by using the static analysis and Strace statistics methods described in [System Call Statistic Methods](#system-call-statistic-methods). In this way, you will obtain the initial Seccomp policy.
1. Collect statistics on the system calls required by the 32-bit and 64-bit systems by using the static analysis and Strace statistics methods described in [System Call Statistic Methods](#system-call-statistic-methods). In this way, you will obtain the initial Seccomp policy.
2. Write a policy file. For details, see [How to Write a Common Policy File](#how-to-write-a-common-policy-file).
2. Write a policy file. For details, see [How to Write a Common Policy File](#how-to-write-a-common-policy-file).
3. Write and build the **BUILD.gn** file.
3. Write and build the **BUILD.gn** file.
1. Store the policy file in the code repository of the service subsystem and create a **BUILD.gn** file. For example, create the **seccomp_policy** folder in the service code repository, and create the policy file and **BUILD.gn** file in the folder.
1. Store the policy file in the code repository of the service subsystem and create a **BUILD.gn** file. For example, create the **seccomp_policy** folder in the service code repository, and create the policy file and **BUILD.gn** file in the folder.
```shell
```shell
//path/to/code/seccomp_policy
//path/to/code/seccomp_policy
├── BUILD.gn
├── BUILD.gn
└── example.seccomp.policy
└── example.seccomp.policy
```
```
2. To parse the policy file and build the policy dynamic library, use the **ohos_prebuilt_seccomp** template to declare the Seccomp policy file path of the process in the **BUILD.gn** file. The **ohos_prebuilt_seccomp** template is defined in the **//base/startup/init/services/modules/seccomp/scripts/seccomp_policy_fixer.gni** file. The following table describes the parameters in the template.
2. To parse the policy file and build the policy dynamic library, use the **ohos_prebuilt_seccomp** template to declare the Seccomp policy file path of the process in the **BUILD.gn** file. The **ohos_prebuilt_seccomp** template is defined in the **//base/startup/init/services/modules/seccomp/scripts/seccomp_policy_fixer.gni** file. The following table describes the parameters in the template.
**Table 2** Parameters in the ohos_prebuilt_seccomp template
**Table 2** Parameters in the ohos_prebuilt_seccomp template
| Parameter | Description |
| Parameter | Description |
| --- | --- |
| --- | --- |
| sources | Path of the policy configuration file, mandatory.|
| sources | Path of the policy configuration file, mandatory.|
| filtername | Filter name, mandatory. The value must be the same as the value of **Services name** in the [boot configuration file](subsys-boot-init-cfg.md) of the process. Otherwise, the attempt to enable Seccomp will fail. This parameter determines the name of the dynamic policy library generated after the build. For example, if **filtername** is set to **xxx**, the name of the dynamic policy library is **libxxx_filter.z.so**. |
| filtername | Filter name, mandatory. The value must be the same as the value of **Services name** in the [boot configuration file](subsys-boot-init-cfg.md) of the process. Otherwise, the attempt to enable Seccomp will fail. This parameter determines the name of the dynamic policy library generated after the build. For example, if **filtername** is set to **xxx**, the name of the dynamic policy library is **libxxx_filter.z.so**. |
| process_type | Process type, mandatory. If the process is one incubated by the init process, set this parameter to **system**; if the process is an application process, set this parameter to **app**.|
| process_type | Process type, mandatory. If the process is one incubated by the init process, set this parameter to **system**; if the process is an application process, set this parameter to **app**.|
| part_name | Part name, mandatory. |
| part_name | Part name, mandatory. |
...
@@ -143,7 +122,7 @@ If the basic Seccomp policy has been enabled for a product, you can customize Se
...
@@ -143,7 +122,7 @@ If the basic Seccomp policy has been enabled for a product, you can customize Se
| install_enable | Option specifying whether to install the policy file to the image, mandatory. Set the value to **true**. |
| install_enable | Option specifying whether to install the policy file to the image, mandatory. Set the value to **true**. |
| install_images | Installation location in the image, mandatory. |
| install_images | Installation location in the image, mandatory. |
If an error message that contains the following information is reported, the process needs to use the system calls in the baseline blocklist. In such a case, you need to declare the corresponding system call in **privileged_process.seccomp.policy**. For details, see [How to Write a Privileged Process Policy File](#how-to-write-a-privileged-policy-file). After the declaration is done, try again until the build is successful.
If an error message that contains the following information is reported, the process needs to use the system calls in the baseline blocklist. In such a case, you need to declare the corresponding system call in **privileged_process.seccomp.policy**. For details, see [How to Write a Privileged Process Policy File](#how-to-write-a-privileged-process-policy-file). After the declaration is done, try again until the build is successful.
```shell
```shell
xx of allow list is in block list
xx of allow list is in block list
```
```
5. Use the hdc tool to push the dynamic policy library to the device and restart the device.
5. Use the hdc tool to push the dynamic policy library to the device and restart the device.
```shell
```shell
# Push an appropriate library path based on the installation location in the image. For example, if the image is **system** and the system architecture is 32-bit, the path of the dynamic policy library is **/system/lib/seccomp/**.
# Push an appropriate library path based on the installation location in the image. For example, if the image is **system** and the system architecture is 32-bit, the path of the dynamic policy library is **/system/lib/seccomp/**.
...
@@ -187,19 +163,15 @@ If the basic Seccomp policy has been enabled for a product, you can customize Se
...
@@ -187,19 +163,15 @@ If the basic Seccomp policy has been enabled for a product, you can customize Se
6. Use the [audit statistics](#audit-statistics) method to check and supplement the Seccomp policies. Repeat steps 4 to 6 until the process can run properly.
6. Use the [audit statistics](#audit-statistics) method to check and supplement the Seccomp policies. Repeat steps 4 to 6 until the process can run properly.
### Debugging and Verification
### Debugging and Verification
1. If Seccomp is not enabled for the target process, [check the Seccomp status](#commissioning-and-verification) of the target process.
1. If Seccomp is not enabled for the target process, [check the Seccomp status](#debugging-and-verification) of the target process.
2. If the process is terminated and audit log information is present in the kernel logs, the Seccomp policy is enabled but the policy list is incomplete. You can find an example audit log in [Audit Statistics](#audit-statistics).
2. If the process is terminated and audit log information is present in the kernel logs, the Seccomp policy is enabled but the policy list is incomplete. You can find an example audit log in [Audit Statistics](#audit-statistics).
3. If the process is not terminated, comment out the system calls (for example, **setuid**) related to the specified uid in the Seccomp policy file. Rebuild the dynamic policy library, push the library to the image, and restart the process. Then, check whether the process is terminated by Seccomp. If the process is terminated, Seccomp has been enabled.
3. If the process is not terminated, comment out the system calls (for example, **setuid**) related to the specified uid in the Seccomp policy file. Rebuild the dynamic policy library, push the library to the image, and restart the process. Then, check whether the process is terminated by Seccomp. If the process is terminated, Seccomp has been enabled.
## FAQs
## FAQs
### How do I determine whether a process termination is caused by Seccomp?
### How do I determine whether a process termination is caused by Seccomp?
**Symptom**
**Symptom**
If a process is terminated under certain conditions, how do I determine whether the issue is caused by Seccomp?
If a process is terminated under certain conditions, how do I determine whether the issue is caused by Seccomp?
...
@@ -235,9 +207,7 @@ Use either of the following methods:
...
@@ -235,9 +207,7 @@ Use either of the following methods:
| privileged_process.seccomp.policy | Privileged process policy file. If certain processes need to use the system calls on the baseline blocklist, you need to declare the corresponding process identifiers and baseline blocklists in this file.|
| privileged_process.seccomp.policy | Privileged process policy file. If certain processes need to use the system calls on the baseline blocklist, you need to declare the corresponding process identifiers and baseline blocklists in this file.|
### How to Write a Common Policy File
### How to Write a Common Policy File
- To declare a configuration item, write **@** followed by the configuration item, for example, **@returnValue**.
- To declare a configuration item, write **@** followed by the configuration item, for example, **@returnValue**.
- Add the content of a configuration item from the next line of this configuration item to the beginning of the next configuration item.
- Add the content of a configuration item from the next line of this configuration item to the beginning of the next configuration item.
- To comment out a line, add a pound sign (#) at the beginning of this line.
- To comment out a line, add a pound sign (#) at the beginning of this line.
...
@@ -333,7 +298,6 @@ swapon;all
...
@@ -333,7 +298,6 @@ swapon;all
```
```
### How to Write a Privileged Process Policy File
### How to Write a Privileged Process Policy File
- To declare a configuration item, write **@** followed by the configuration item, for example, **@allowBlockList**.
- To declare a configuration item, write **@** followed by the configuration item, for example, **@allowBlockList**.
- Add the content of a configuration item from the next line of this configuration item to the beginning of the next configuration item.
- Add the content of a configuration item from the next line of this configuration item to the beginning of the next configuration item.
- To comment out a line, add a pound sign (#) at the beginning of this line.
- To comment out a line, add a pound sign (#) at the beginning of this line.
| <divstyle="width: 50pt">Static analysis | <divstyle="width: 300pt">Analyze the ELF disassembly code to obtain the call relationship, collect statistics on the APIs that call the libc library, and then parse the LibC library to obtain the call relationship between the LibC APIs and the system call numbers. In this way, you will obtain the system call numbers used by the ELF file.| <divstyle="width: 100pt">Statistics collection is supported for system calls in abnormal branches. | <divstyle="width: 100pt">Parsing of call relationship is not supported for pointer functions. |
| <divstyle="width: 50pt">Static analysis | <divstyle="width: 300pt">Analyze the ELF disassembly code to obtain the call relationship, collect statistics on the APIs that call the libc library, and then parse the LibC library to obtain the call relationship between the LibC APIs and the system call numbers. In this way, you will obtain the system call numbers used by the ELF file.| <divstyle="width: 100pt">Statistics collection is supported for system calls in abnormal branches. | <divstyle="width: 100pt">Parsing of call relationship is not supported for pointer functions. |
| Strace statistics | Use Strace to trace service processes or test processes when the device is running. During the trace, the invoked system calls are recorded into logs. Collect the logs after the trace is complete, and use a script to parse the logs and generate a Seccomp policy file.| Easy to use. | System calls can be completely collected only when all code branches are traversed. |
| Strace statistics | Use Strace to trace service processes when the device is running. During the trace, the invoked system calls are recorded into logs. Collect the logs after the trace is complete, and use a script to parse the logs and generate a Seccomp policy file.| Easy to use. | System calls can be completely collected only when all code branches are traversed. |
| Audit statistics | After the Seccomp policy is enabled for a process, Seccomp intercepts invalid system calls and records audit log information containing the system call numbers into kernel logs. Collect the logs after the trace is complete, and use a script to parse the logs and generate a Seccomp policy file.| This method can be used as a supplement to the preceding methods. | Logs may be lost.<br>System calls can be completely collected only when all code branches are traversed. |
| Audit statistics | After the Seccomp policy is enabled for a process, Seccomp intercepts invalid system calls and records audit log information containing the system call numbers into kernel logs. Collect the logs after the trace is complete, and use a script to parse the logs and generate a Seccomp policy file.| This method can be used as a supplement to the preceding methods. | Logs may be lost.<br>System calls can be completely collected only when all code branches are traversed. |
> **Disclaimer: Using Third-Party Software or Websites**
>
> We may recommend software, information, products, or websites owned or operated by third parties. Such recommendations are usually provided via hyperlinks or other methods to help you access third-party resources.<br>
> We strive to direct you to useful and trusted resources, but it is beyond our reach to guarantee the software, information, products, or services provided by or at third-party resources, or to track changes in these resources. Therefore, we are unable to assume the responsibility for the compliance, accuracy, and completeness of the content or results of any third-party resources, nor for any loss or damage caused by the use or failure of products or services provided by third-party resources.
#### Static Analysis
#### Static Analysis
1. Prepare the environment.
1. Prepare the environment.
1. Prepare a Linux environment.
1. Prepare a Linux environment.
2. Download the cross compilers arm-linux-musleabi and aarch64-linux-musl.
2. Download the cross compilers arm-linux-musleabi and aarch64-linux-musl.
```shell
```shell
wget https://musl.cc/arm-linux-musleabi-cross.tgz
wget https://musl.cc/aarch64-linux-musl-cross.tgz
tar-zxvf arm-linux-musleabi-cross.tgz
tar-zxvf aarch64-linux-musl-cross.tgz
# Add the tool execution path to the environment variable.
# Add the tool execution path to the environment variable.
3. Copy the **generate_code_from_policy.py** script file to the tool folder. This script is available at **//base/startup/init/services/modules/seccomp/scripts/**.
3. Copy the **generate_code_from_policy.py** script file to the tool folder. This script file is available at **//base/startup/init/services/modules/seccomp/scripts/**.
```shell
```shell
# Go to the root directory of the OpenHarmony source code.
# Go to the root directory of the OpenHarmony source code.
cd /root/to/OpenharmonyCode;
cd /root/to/OpenHarmonyCode;
# Go to the directory where the **generate_code_from_policy.py** script file is located.
# Go to the directory where the **generate_code_from_policy.py** script file is located.
cd base/startup/init/services/modules/seccomp/scripts/;
cd base/startup/init/services/modules/seccomp/scripts/;
# Copy the **generate_code_from_policy.py** script file.
# Copy the **generate_code_from_policy.py** script file.
5. Modify the **collect_elf_syscall.py** script file, and change the paths of the objdump and readelf tools to their absolute paths in the Linux environment. The tools are stored in **//prebuilts**, and more particularly, **//prebuilts/clang/ohos/linux-x86_64/15.0.4/llvm/bin**.
5. If full build has not been performed before and the dependent dynamic libraries for step 4 are not in the **//out** directory, copy the related dynamic libraries to the **//out** directory. The following code is for reference only. If other dynamic libraries are involved, copy them in a similar way.
```shell
# Go to the root directory of the source code.
cd /root/to/OpenHarmonyCode
# Create the **aarch64-linux-ohos** folder in **out/*product name*/lib.unstripped/** to store the dependent dynamic libraries.
6. Modify the **collect_elf_syscall.py** script file, and change the paths of the objdump and readelf tools to their absolute paths in the Linux environment. This script file is available at **base/startup/init/services/modules/seccomp/scripts/tools/**. The **objdump** and **readelf** tools available at **//prebuilts**.
6. Use the **collect_elf_syscall.py** script file to parse and generate the corresponding policy file **xxx.seccomp.policy**.
7. Use the **collect_elf_syscall.py** script file to parse and generate the corresponding policy file **xxx.seccomp.policy**.
The script file is available at **//base/startup/init/services/modules/seccomp/scripts/tools/**.
**Table 7** Parameters in the collect_elf_syscall.py script file
**Table 7** Parameters in the collect_elf_syscall.py script file
| Parameter | Description |
| Parameter | Description |
...
@@ -462,59 +433,10 @@ swapon;all
...
@@ -462,59 +433,10 @@ swapon;all
```
```
#### Strace Statistics
#### Strace Statistics
1. Use the cross compilers arm-linux-musleabi and aarch64-linux-musl to build the Strace tool for the 32-bit and 64-bit architectures, respectively.
1. Use the cross compilers arm-linux-musleabi and aarch64-linux-musl to build the Strace tool for the 32-bit and 64-bit architectures, respectively.
2.[Trace the test process](#tracing-the-test-process) to obtain Strace logs.
2.[Trace the service process](#tracing-the-service-process) to obtain the Strace logs.
3.[Trace the service process](#tracing-the-service-process) to obtain the Strace logs.
3.[Parse Strace logs](#parsing-strace-logs) by using scripts to obtain the Seccomp policy file.
4.[Parse Strace logs](#parsing-strace-logs) by using scripts to obtain the Seccomp policy file.
##### Tracing the Test Process
1. Push the Strace tool to the device.
```shell
hdc shell mount -rw-o remount /
hdc file send /path/to/strace /system/bin/
hdc shell chmod a+x /system/bin/strace
```
2. Modify the local embedded code in the [developer test framework](https://gitee.com/openharmony/testfwk_developer_test) so that Strace is executed in the test suite to trace the test process.
Modify the **_init_gtest** and **_run_gtest** functions in **src/core/driver/drivers.py** as follows. If a line starts with a plus sign (+), the line is added; if a line starts with a hyphen (-), the line is deleted.
```python
--- a/src/core/driver/drivers.py
+++ b/src/core/driver/drivers.py
@@ -500,6 +500,8 @@ class CppTestDriver(IDriver):
"rm -rf %s" % self.config.target_test_path)
self.config.device.execute_shell_command(
"mkdir -p %s" % self.config.target_test_path)
+ self.config.device.execute_shell_command(
+ "mkdir -p /data/strace")
self.config.device.execute_shell_command(
"mount -o rw,remount,rw /")
if "fuzztest" == self.config.testtype[0]:
@@ -539,10 +541,11 @@ class CppTestDriver(IDriver):
1. Modify the embedded code in the init repository. Specifically, add the following content to **//base/startup/init/services/init/init_common_service.c** before executing the **SetSystemseccompPolicy** function to set the Seccomp policy. If the line starts with a plus sign (+), the line is added; if the line starts with a hyphen (-), the line is deleted. **xxxx** must be the same as the value of **Services name** in the [boot configuration file](subsys-boot-init-cfg.md) of the process.
1. Modify the embedded code in the init repository. Specifically, add the following content to **//base/startup/init/services/init/init_common_service.c** before executing the **SetSystemseccompPolicy** function to set the Seccomp policy. If the line starts with a plus sign (+), the line is added; if the line starts with a hyphen (-), the line is deleted. **xxxx** must be the same as the value of **Services name** in the [boot configuration file](subsys-boot-init-cfg.md) of the process.
```c
```c
---a/services/init/init_common_service.c
---a/services/init/init_common_service.c
...
@@ -563,7 +485,6 @@ swapon;all
...
@@ -563,7 +485,6 @@ swapon;all
```
```
##### Parsing Strace Logs
##### Parsing Strace Logs
1. Copy the dependency files to the Strace log folder for later use. The dependency files are those generated in step 2 in [Static Analysis](#static-analysis).
1. Copy the dependency files to the Strace log folder for later use. The dependency files are those generated in step 2 in [Static Analysis](#static-analysis).
| sig | Semaphore. The value **31** indicates **SIGSYS**, which is the signal sent to the process when Seccomp interception occurs. |
| sig | Semaphore. The value **31** indicates **SIGSYS**, which is the signal sent to the process when Seccomp interception occurs. |
| arch | Architecture ID. The value **40000028** indicates **arm**, and the value **c00000b7** indicates **arm64**. |
| arch | Architecture ID. The value **40000028** indicates **arm**, and the value **c00000b7** indicates **arm64**. |
| syscall | System call ID. |
| syscall | System call ID. |
| compat | The value **1** indicates the compatibility mode, that is, the arm64 kernel uses arm system calls.|
| compat | The value **1** indicates the compatibility mode, that is, the arm64 kernel uses arm system calls.|
1. Copy the dependency files to the log folder for later use. The dependency files are those generated in step 2 in [Static Analysis](#static-analysis).
1. Copy the dependency files to the log folder for later use. The dependency files are those generated in step 2 in [Static Analysis](#static-analysis).
...
@@ -659,7 +578,7 @@ swapon;all
...
@@ -659,7 +578,7 @@ swapon;all
| Parameter | Description |
| Parameter | Description |
| --- | --- |
| --- | --- |
| --src-path | Folder for storing log files. It must contain **libsyscall_to_nr_arm** and **libsyscall_to_nr_arm64**. The folder name must not end with a slash (/), for example, **./audit**.|
| --src-path | Folder for storing log files. It must contain **libsyscall_to_nr_arm** and **libsyscall_to_nr_arm64**. The folder name must not end with a slash (/), for example, **./audit**.|
| --filter-name | Name of the generated policy file. For example, if the input value is **test**, the generated file name is **test.seccomp.policy**.|
| --filter-name | Name of the generated policy file. For example, if the input value is **test**, the generated file name is **test.seccomp.policy**.|
```shell
```shell
cd base/startup/init/services/modules/seccomp/scripts/tools
cd base/startup/init/services/modules/seccomp/scripts/tools
...
@@ -667,7 +586,6 @@ swapon;all
...
@@ -667,7 +586,6 @@ swapon;all
```
```
### Combining Multiple Policy Files
### Combining Multiple Policy Files
During [colltatistics on system calls](#system-call-statistic-methods), multiple policy files may be generated. In these policy files, system calls may be repeated or disordered. To solve these problems, you can combine policy files to sort system calls by arm64/arm and by system call number in ascending order.
During [colltatistics on system calls](#system-call-statistic-methods), multiple policy files may be generated. In these policy files, system calls may be repeated or disordered. To solve these problems, you can combine policy files to sort system calls by arm64/arm and by system call number in ascending order.
**Table 11** Parameters in the merge_policy.py script file
**Table 11** Parameters in the merge_policy.py script file
...
@@ -675,7 +593,6 @@ During [colltatistics on system calls](#system-call-statistic-methods), multiple
...
@@ -675,7 +593,6 @@ During [colltatistics on system calls](#system-call-statistic-methods), multiple
| --- | --- |
| --- | --- |
| --src-files | Files to be processed, including **libsyscall_to_nr_arm** and **libsyscall_to_nr_arm64**.|
| --src-files | Files to be processed, including **libsyscall_to_nr_arm** and **libsyscall_to_nr_arm64**.|
| --filter-name | Name of the generated policy file. For example, if the input value is **test**, the generated file name is **test.seccomp.policy**. |
| --filter-name | Name of the generated policy file. For example, if the input value is **test**, the generated file name is **test.seccomp.policy**. |
1. Copy the dependency files to the log folder for later use.
1. Copy the dependency files to the log folder for later use.
@@ -23,7 +23,7 @@ Figure 1 Overview of system parameter operation primitives
...
@@ -23,7 +23,7 @@ Figure 1 Overview of system parameter operation primitives
| get | Obtains the value of a system parameter. |
| get | Obtains the value of a system parameter. |
| set | Sets the value of a system parameter. |
| set | Sets the value of a system parameter. |
| wait | Waits for value change of a system parameter synchronously.|
| wait | Waits for value change of a system parameter synchronously.|
| watch | Observes value change of a system parameter asynchronously.|
| watch | Watches for the value change of a system parameter asynchronously.|
#### Parameter Definition
#### Parameter Definition
...
@@ -227,7 +227,7 @@ The parameter management subsystem allows you to manage system parameters by run
...
@@ -227,7 +227,7 @@ The parameter management subsystem allows you to manage system parameters by run
| param get [**key**] | Obtains the system parameter value of the specified key. If no key name is specified, all system parameter values will be returned.|
| param get [**key**] | Obtains the system parameter value of the specified key. If no key name is specified, all system parameter values will be returned.|
| param set **key value** | Sets the specified value for the specified key.|
| param set **key value** | Sets the specified value for the specified key.|
| param wait **key** **value** | Waits for the system parameter value of the specified key to match the specified value. Fuzzy match is supported. For example, * indicates any value, and <strong>val</strong>* indicates matching of only the first three val characters.|
| param wait **key** **value** | Waits for the system parameter value of the specified key to match the specified value. Fuzzy match is supported. For example, * indicates any value, and <strong>val</strong>* indicates matching of only the first three val characters.|
| param watch | Observes value change of a system parameter asynchronously.|
| param watch | Watches for the value change of a system parameter asynchronously.|
- syspara API mode
- syspara API mode
...
@@ -244,7 +244,7 @@ The parameter management subsystem allows you to manage system parameters by run
...
@@ -244,7 +244,7 @@ The parameter management subsystem allows you to manage system parameters by run
| const char\* GetBrand(void) | Obtains the device's brand name.|
| const char\* GetBrand(void) | Obtains the device's brand name.|
| const char\* GetMarketName(void) | Obtains the device's marketing name.|
| const char\* GetMarketName(void) | Obtains the device's marketing name.|
| const char\* GetProductSeries(void) | Obtains the device's product series name.|
| const char\* GetProductSeries(void) | Obtains the device's product series name.|
| const char\* GetProductModel(void) | Obtains the device's authentication model.|
| const char\* GetProductModel(void) | Obtains the device's product model.|
| const char\* GetSoftwareModel(void) | Obtains the device's software model.|
| const char\* GetSoftwareModel(void) | Obtains the device's software model.|
| const char\* GetHardwareModel(void) | Obtains the device's hardware model.|
| const char\* GetHardwareModel(void) | Obtains the device's hardware model.|
| const char\* GetHardwareProfile(void) | Obtains the device's hardware profile.|
| const char\* GetHardwareProfile(void) | Obtains the device's hardware profile.|
