• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Application Privilege Configuration Guide
2
3Application privileges are high-level capabilities of an application, for example, restricting an application from being uninstalled or restricting application data from being deleted.
4
5OpenHarmony provides both general and device-specific application privileges. The latter can be configured by device vendors for applications on different devices.
6
7Note: To avoid user dissatisfaction or even infringement, do not abuse application privileges.
8
9## General Application Privileges
10
11### Introduction
12
13General application privileges are privileges available to applications on all types of devices. The general application privileges include the following:
14
15| Privilege| Description                                                      |
16| ---------------- | ------------------------------------------------------------ |
17| AllowAppDataNotCleared | Allows application data not to be deleted.|
18| AllowAppMultiProcess | Allows the application to run on multiple processes.|
19| AllowAppDesktopIconHide | Allows the application icon to be hidden from the home screen.|
20| AllowAbilityPriorityQueried | Allows an ability to configure and query the priority.    |
21| AllowAbilityExcludeFromMissions | Allows an ability to be hidden in the mission stack.|
22| AllowAppUsePrivilegeExtension | Allows the application to use Service Extension and Data Extension abilities.|
23| AllowFormVisibleNotify | Allows a widget to be visible on the home screen.|
24
25### Configuration
26
271. In the [HarmonyAppProvision file](../../application-dev/security/app-provision-structure.md), configure the general privileges in the **app-privilege-capabilities** field.
282. Use the signing tool hapsigner to sign the HarmonyAppProvision file and generate a **.p7b** file.
293. Use the **.p7b** file to sign the HAP.
30
31Reference: [hapsigner](https://gitee.com/openharmony/developtools_hapsigner#README.md)
32
33### Example
34
35```
36{
37    "version-name": "1.0.0",
38    ...
39    "bundle-info": {
40        "developer-id": "OpenHarmony",
41        ...
42    },
43    "issuer": "pki_internal",
44    "app-privilege-capabilities": ["AllowAppDataNotCleared", "AllowAppDesktopIconHide"] // The application data cannot be deleted, and icons can be hidden on the home screen.
45}
46```
47
48
49
50## Device-specific Application Privileges
51
52### Introduction
53
54In addition to general application privileges, device vendors can define device-specific privileges for an application. The table below describes the device-specific privileges.
55
56| Privilege                 | Type    | Default Value| Description                                             |
57| --------------------- | -------- | ------ | ------------------------------------------------- |
58| removable             | bool     | true   | Allows the application to be uninstalled. This privilege takes effect only for preset applications.               |
59| keepAlive             | bool     | false  | Allows the application to keep running in the background.                                 |
60| singleton             | bool     | false  | Allows the application to be installed for a single user (U0).                   |
61| allowCommonEvent      | string[] | -      | Allows the application to be started by a static broadcast.                             |
62| associatedWakeUp      | bool     | false  | Allows the application in the FA model to be woken up by an associated application.                     |
63| runningResourcesApply | bool     | false  | Allows the application to request running resources, such as the CPU, event notifications, and Bluetooth.|
64
65### Configuration
66
67Configure the required privileges in [configuration files](https://gitee.com/openharmony/vendor_hihope/tree/master/rk3568/preinstall-config).
68
69### Example
70
71#### Configuration in **install_list_capability.json**
72
73```
74{
75    "install_list": [
76        {
77            "bundleName": "com.example.kikakeyboard",
78            "singleton": true, // The application is installed for a single user.
79            "keepAlive": true, // The application is running in the background.
80            "runningResourcesApply": true, // The application can apply for running resources such as the CPU, event notifications, and Bluetooth.
81            "associatedWakeUp": true, // The application in the FA model can be woken up by an associated application.
82            "app_signature": ["8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC"], // The settings take effect only when the configured certificate fingerprint is the same as the HAP certificate fingerprint.
83            "allowCommonEvent": ["usual.event.SCREEN_ON", "usual.event.THERMAL_LEVEL_CHANGED"]
84        },
85}
86```
87
88**Obtaining the Certificate Fingerprint**
89
901. Create the **profile.cer** file, and copy the certificate content under the **distribution-certificate** field of the HarmonyAppProvision file to the **profile.cer** file.
91
92   Example:
93
94   ```
95   {
96       ...
97       "bundle-info": {
98           "distribution-certificate": "-----BEGIN CERTIFICATE----\nMIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMk..." / Certificate content.
99           ...
100       }
101       ...
102   }
103   ```
104
105
106
1072. Apply line breaks in the **profile.cer** content and remove the newline characters.
108
109   Example:
110
111   ```
112   -----BEGIN CERTIFICATE-----
113   MIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMGMxCzAJBgNVBAYTAkNO
114   MRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh
115   bTEjMCEGA1UEAxMaT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gQ0EwHhcNMjEwMjAy
116   MTIxOTMxWhcNNDkxMjMxMTIxOTMxWjBoMQswCQYDVQQGEwJDTjEUMBIGA1UEChML
117   T3Blbkhhcm1vbnkxGTAXBgNVBAsTEE9wZW5IYXJtb255IFRlYW0xKDAmBgNVBAMT
118   H09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJlbGVhc2UwWTATBgcqhkjOPQIBBggq
119   hkjOPQMBBwNCAATbYOCQQpW5fdkYHN45v0X3AHax12jPBdEDosFRIZ1eXmxOYzSG
120   JwMfsHhUU90E8lI0TXYZnNmgM1sovubeQqATo1IwUDAfBgNVHSMEGDAWgBTbhrci
121   FtULoUu33SV7ufEFfaItRzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFPtxruhl
122   cRBQsJdwcZqLu9oNUVgaMAwGCCqGSM49BAMDBQADaAAwZQIxAJta0PQ2p4DIu/ps
123   LMdLCDgQ5UH1l0B4PGhBlMgdi2zf8nk9spazEQI/0XNwpft8QAIwHSuA2WelVi/o
124   zAlF08DnbJrOOtOnQq5wHOPlDYB4OtUzOYJk9scotrEnJxJzGsh/
125   -----END CERTIFICATE-----
126   ```
127
128
129
1303. Use keytool to print the certificate fingerprint.
131
132   Example:
133
134   ```
135   keytool -printcert -file profile.cer
136   result:
137   Issued To: CN=OpenHarmony Application Release, OU=OpenHarmony Team, O=OpenHarmony, C=CN
138   Issued By: CN=OpenHarmony Application CA, OU=OpenHarmony Team, O=OpenHarmony, C=CN
139   SN: 68e0bfcc
140   Valid From: Tue Feb 02 20:19:31 CST 2021, Valid To: Fri Dec 31 20:19:31 CST 2049
141   Fingerprints:
142            SHA1 fingerprint: E3:E8:7C:65:B8:1D:02:52:24:6A:06:A4:3C:4A:02:39:19:92:D1:F5
143            SHA256 fingerprint: 8E:93:86:3F:C3:2E:E2:38:06:0B:F6:9A:9B:37:E2:60:8F:FF:B2:1F:93:C8:62:DD:51:1C:BA:C9:F3:00:24:B5 // After the colons are removed, the fingerprint is 8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC9F30024B5.
144   ...
145   ```
146
147
148
149#### Configuration in **install_list.json**
150
151```
152{
153     "install_list" : [
154        {
155            "app_dir" : "/system/app/com.ohos.launcher",
156            "removable": true // The application can be uninstalled.
157        }
158     ]
159}
160```
161