diff --git a/en/device-dev/subsystems/subsys-app-privilege-config-guide.md b/en/device-dev/subsystems/subsys-app-privilege-config-guide.md index 665652b23e1832716680e14d5552c66aec744062..124e0e884e9b0436a936e7930911cae16e98dcd0 100644 --- a/en/device-dev/subsystems/subsys-app-privilege-config-guide.md +++ b/en/device-dev/subsystems/subsys-app-privilege-config-guide.md @@ -4,7 +4,9 @@ Application privileges are high-level capabilities of an application, for exampl OpenHarmony provides both general and device-specific application privileges. The latter can be configured by device vendors for applications on different devices. -Note: To avoid user dissatisfaction or even infringement, do not abuse application privileges. +> **NOTE** +> - To avoid user dissatisfaction or even infringement, do not abuse application privileges. +> - The method of changing the application's APL in its profile applies only to the applications or services in debug mode. For a commercial application, apply for a release certificate and profile in the corresponding application market. ## General Application Privileges @@ -15,18 +17,18 @@ General application privileges are privileges available to applications on all t | Privilege| Description | | ---------------- | ------------------------------------------------------------ | | AllowAppDataNotCleared | Allows application data not to be deleted.| -| AllowAppMultiProcess | Allows the application to run on multiple processes.| +| AllowAppMultiProcess | Allows an application to run on multiple processes.| | AllowAppDesktopIconHide | Allows the application icon to be hidden from the home screen.| | AllowAbilityPriorityQueried | Allows an ability to configure and query the priority. | | AllowAbilityExcludeFromMissions | Allows an ability to be hidden in the mission stack.| -| AllowAppUsePrivilegeExtension | Allows the application to use Service Extension and Data Extension abilities.| +| AllowAppUsePrivilegeExtension | Allows an application to use ServiceExtensionAbilities and DataExtensionAbilities.| | AllowFormVisibleNotify | Allows a widget to be visible on the home screen.| -### Configuration +### How to Configure -1. In the [HarmonyAppProvision file](../../application-dev/security/app-provision-structure.md), configure the general privileges in the **app-privilege-capabilities** field. -2. Use the signing tool hapsigner to sign the HarmonyAppProvision file and generate a **.p7b** file. -3. Use the **.p7b** file to sign the HAP. +1. Add the **app-privilege-capabilities** field to the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md) to configure general privilege capabilities as required. +2. Use the hapsigner tool to sign the **HarmonyAppProvision** file and generate a .p7b file. +3. Use the .p7b file to sign the HAP. Reference: [hapsigner](https://gitee.com/openharmony/developtools_hapsigner#README.md) @@ -41,7 +43,7 @@ Reference: [hapsigner](https://gitee.com/openharmony/developtools_hapsigner#READ ... }, "issuer": "pki_internal", - "app-privilege-capabilities": ["AllowAppDataNotCleared", "AllowAppDesktopIconHide"] // The application data cannot be deleted, and icons can be hidden on the home screen. + "app-privilege-capabilities": ["AllowAppDataNotCleared", "AllowAppDesktopIconHide"] // The application data cannot be deleted, and the application icon can be hidden on the home screen. } ``` @@ -55,20 +57,20 @@ In addition to general application privileges, device vendors can define device- | Privilege | Type | Default Value| Description | | --------------------- | -------- | ------ | ------------------------------------------------- | -| removable | bool | true | Allows the application to be uninstalled. This privilege takes effect only for preset applications. | -| keepAlive | bool | false | Allows the application to keep running in the background. | -| singleton | bool | false | Allows the application to be installed for a single user (U0). | -| allowCommonEvent | string[] | - | Allows the application to be started by a static broadcast. | -| associatedWakeUp | bool | false | Allows the application in the FA model to be woken up by an associated application. | -| runningResourcesApply | bool | false | Allows the application to request running resources, such as the CPU, event notifications, and Bluetooth.| +| removable | bool | true | Allows an application to be uninstalled. This privilege takes effect only for preset applications. | +| keepAlive | bool | false | Allows an application to keep running in the background. | +| singleton | bool | false | Allows an application to be installed for a single user (User 0). | +| allowCommonEvent | string[] | - | Allows an application to be started by a static broadcast. | +| associatedWakeUp | bool | false | Allows an application in the FA model to be woken up by an associated application. | +| runningResourcesApply | bool | false | Allows an application to request running resources, such as the CPU, event notifications, and Bluetooth.| -### Configuration +### How to Configure -Configure the required privileges in [configuration files](https://gitee.com/openharmony/vendor_hihope/tree/master/rk3568/preinstall-config). +Configure the required privileges in the [configuration file](https://gitee.com/openharmony/vendor_hihope/tree/master/rk3568/preinstall-config). ### Example -#### Configuration in **install_list_capability.json** +#### Configuration in install_list_capability.json ``` { @@ -79,7 +81,7 @@ Configure the required privileges in [configuration files](https://gitee.com/ope "keepAlive": true, // The application is running in the background. "runningResourcesApply": true, // The application can apply for running resources such as the CPU, event notifications, and Bluetooth. "associatedWakeUp": true, // The application in the FA model can be woken up by an associated application. - "app_signature": ["8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC"], // The settings take effect only when the configured certificate fingerprint is the same as the HAP certificate fingerprint. + "app_signature": ["8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC"], // The setting takes effect only when the configured certificate fingerprint is the same as the HAP certificate fingerprint. "allowCommonEvent": ["usual.event.SCREEN_ON", "usual.event.THERMAL_LEVEL_CHANGED"] }, } @@ -87,66 +89,62 @@ Configure the required privileges in [configuration files](https://gitee.com/ope **Obtaining the Certificate Fingerprint** -1. Create the **profile.cer** file, and copy the certificate content under the **distribution-certificate** field of the HarmonyAppProvision file to the **profile.cer** file. +1. Create the **profile.cer** file, and copy the certificate content under the **distribution-certificate** field of the **HarmonyAppProvision** file to the **profile.cer** file. Example: - ``` - { - ... - "bundle-info": { - "distribution-certificate": "-----BEGIN CERTIFICATE----\nMIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMk..." / Certificate content. - ... - } - ... - } - ``` - - +``` +{ + ... + "bundle-info": { + "distribution-certificate": "-----BEGIN CERTIFICATE----\nMIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMk..." / Certificate content. + ... + } + ... +} +``` 2. Apply line breaks in the **profile.cer** content and remove the newline characters. Example: - ``` - -----BEGIN CERTIFICATE----- - MIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMGMxCzAJBgNVBAYTAkNO - MRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh - bTEjMCEGA1UEAxMaT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gQ0EwHhcNMjEwMjAy - MTIxOTMxWhcNNDkxMjMxMTIxOTMxWjBoMQswCQYDVQQGEwJDTjEUMBIGA1UEChML - T3Blbkhhcm1vbnkxGTAXBgNVBAsTEE9wZW5IYXJtb255IFRlYW0xKDAmBgNVBAMT - H09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJlbGVhc2UwWTATBgcqhkjOPQIBBggq - hkjOPQMBBwNCAATbYOCQQpW5fdkYHN45v0X3AHax12jPBdEDosFRIZ1eXmxOYzSG - JwMfsHhUU90E8lI0TXYZnNmgM1sovubeQqATo1IwUDAfBgNVHSMEGDAWgBTbhrci - FtULoUu33SV7ufEFfaItRzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFPtxruhl - cRBQsJdwcZqLu9oNUVgaMAwGCCqGSM49BAMDBQADaAAwZQIxAJta0PQ2p4DIu/ps - LMdLCDgQ5UH1l0B4PGhBlMgdi2zf8nk9spazEQI/0XNwpft8QAIwHSuA2WelVi/o - zAlF08DnbJrOOtOnQq5wHOPlDYB4OtUzOYJk9scotrEnJxJzGsh/ - -----END CERTIFICATE----- - ``` - - - -3. Use keytool to print the certificate fingerprint. +``` +-----BEGIN CERTIFICATE----- +MIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMGMxCzAJBgNVBAYTAkNO +MRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh +bTEjMCEGA1UEAxMaT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gQ0EwHhcNMjEwMjAy +MTIxOTMxWhcNNDkxMjMxMTIxOTMxWjBoMQswCQYDVQQGEwJDTjEUMBIGA1UEChML +T3Blbkhhcm1vbnkxGTAXBgNVBAsTEE9wZW5IYXJtb255IFRlYW0xKDAmBgNVBAMT +H09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJlbGVhc2UwWTATBgcqhkjOPQIBBggq +hkjOPQMBBwNCAATbYOCQQpW5fdkYHN45v0X3AHax12jPBdEDosFRIZ1eXmxOYzSG +JwMfsHhUU90E8lI0TXYZnNmgM1sovubeQqATo1IwUDAfBgNVHSMEGDAWgBTbhrci +FtULoUu33SV7ufEFfaItRzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFPtxruhl +cRBQsJdwcZqLu9oNUVgaMAwGCCqGSM49BAMDBQADaAAwZQIxAJta0PQ2p4DIu/ps +LMdLCDgQ5UH1l0B4PGhBlMgdi2zf8nk9spazEQI/0XNwpft8QAIwHSuA2WelVi/o +zAlF08DnbJrOOtOnQq5wHOPlDYB4OtUzOYJk9scotrEnJxJzGsh/ +-----END CERTIFICATE----- +``` + +3. Use keytool to obtain the certificate fingerprint. Example: - ``` - keytool -printcert -file profile.cer - result: - Issued To: CN=OpenHarmony Application Release, OU=OpenHarmony Team, O=OpenHarmony, C=CN - Issued By: CN=OpenHarmony Application CA, OU=OpenHarmony Team, O=OpenHarmony, C=CN - SN: 68e0bfcc - Valid From: Tue Feb 02 20:19:31 CST 2021, Valid To: Fri Dec 31 20:19:31 CST 2049 - Fingerprints: - SHA1 fingerprint: E3:E8:7C:65:B8:1D:02:52:24:6A:06:A4:3C:4A:02:39:19:92:D1:F5 - SHA256 fingerprint: 8E:93:86:3F:C3:2E:E2:38:06:0B:F6:9A:9B:37:E2:60:8F:FF:B2:1F:93:C8:62:DD:51:1C:BA:C9:F3:00:24:B5 // After the colons are removed, the fingerprint is 8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC9F30024B5. - ... - ``` - - - -#### Configuration in **install_list.json** +``` +keytool -printcert -file profile.cer +result: +Issued To: CN=OpenHarmony Application Release, OU=OpenHarmony Team, O=OpenHarmony, C=CN +Issued By: CN=OpenHarmony Application CA, OU=OpenHarmony Team, O=OpenHarmony, C=CN +SN: 68e0bfcc +Valid From: Tue Feb 02 20:19:31 CST 2021, **Valid To**: Fri Dec 31 20:19:31 CST 2049 +Fingerprints: + SHA1 fingerprint: E3:E8:7C:65:B8:1D:02:52:24:6A:06:A4:3C:4A:02:39:19:92:D1:F5 + SHA256 fingerprint: 8E:93:86:3F:C3:2E:E2:38:06:0B:F6:9A:9B:37:E2:60:8F:FF:B2:1F:93:C8:62:DD:51:1C:BA:C9:F3:00:24:B5 // After the colons are removed, the fingerprint is 8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC9F30024B5. +... +``` + + + +#### Configuration in install_list.json ``` {