# Application Privilege Configuration

Application privileges are high-level capabilities of an application, for example, restricting an application from being uninstalled or restricting application data from being deleted.

OpenHarmony provides both general and device-specific application privileges. The latter can be configured by device vendors for applications on different devices. The privileges configured in the **install_list_capability.json** file take precedence over the privileges configured in the signature certificate.

> **NOTE**
> - To avoid user dissatisfaction or even infringement, do not abuse application privileges.
> - The method of changing the application's APL in its profile applies only to the applications or services in debug mode. For a commercial application, apply for a release certificate and profile in the corresponding application market.

## General Application Privileges

### Introduction

General application privileges are privileges available to applications on all types of devices. The general application privileges include the following:

| Privilege | Description |
| ---------------- | ------------------------------------------------------------ |
| AllowAppDataNotCleared | Allows application data not to be deleted. |
| AllowAppDesktopIconHide | Allows the application icon to be hidden from the home screen. |
| AllowAbilityPriorityQueried | Allows an ability to configure and query the priority. |
| AllowAbilityExcludeFromMissions | Allows an ability to be hidden in the mission stack. |
| AllowAppShareLibrary | Allows an application to provide the inter-application HSP capability for other applications. |
| AllowMissionNotCleared | Allows an ability not to be cleared from the task list. |

### How to Configure

1. Add the **app-privilege-capabilities** field to the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md) to configure general privilege capabilities as required.
2. Use the hapsigner tool to sign the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md) to generate a .p7b file.
3. Use the .p7b file to sign the HAP.

Reference: [hapsigner](https://gitee.com/openharmony/developtools_hapsigner#README.md)

### Example

```json
{
    "version-name": "1.0.0",
    ...
    "bundle-info": {
        "developer-id": "OpenHarmony",
        ...
    },
    "issuer": "pki_internal",
    "app-privilege-capabilities": ["AllowAppDataNotCleared", "AllowAppDesktopIconHide"] // The application data cannot be deleted, and the application icon can be hidden on the home screen.
}
```

## Device-specific Application Privileges

### Introduction

In addition to general application privileges, device vendors can define device-specific privileges for an application. The table below describes the device-specific privileges.

| Privilege | Type | Default Value | Description |
| --------------------- | -------- | ------ | ------------------------------------------------- |
| removable | bool | true | Allows an application to be uninstalled. This privilege takes effect only for preset applications. |
| keepAlive | bool | false | Allows an application to keep running in the background. |
| singleton | bool | false | Allows an application to be installed for a single user (User 0). |
| allowCommonEvent | string[] | - | Allows an application to be started by a static broadcast. |
| associatedWakeUp | bool | false | Allows an application in the FA model to be woken up by an associated application. |
| runningResourcesApply | bool | false | Allows an application to request running resources, such as the CPU, event notifications, and Bluetooth. |
| allowAppDataNotCleared | bool | false | Allows application data not to be deleted. |
| allowAppMultiProcess | bool | false | Allows an application to run on multiple processes. |
| allowAppDesktopIconHide | bool | false | Allows the application icon to be hidden from the home screen. |
| allowAbilityPriorityQueried | bool | false | Allows an ability to configure and query the priority. |
| allowAbilityExcludeFromMissions | bool | false | Allows an ability to be hidden in the mission stack. |
| allowAppUsePrivilegeExtension | bool | false | Allows an application to use ServiceExtension and DataExtension abilities. |
| allowFormVisibleNotify | bool | false | Allows a widget to be visible on the home screen. |
| allowAppShareLibrary | bool | false | Allows an application to provide the inter-application HSP capability for other applications. |
| allowMissionNotCleared | bool | false | Allows an ability not to be cleared from the task list. |

### How to Configure

Configure the required privileges in the [configuration file](https://gitee.com/openharmony/vendor_hihope/tree/master/rk3568/preinstall-config).

### Example

#### Configuration in install_list_capability.json

```json
{
    "install_list": [
        {
            "bundleName": "com.example.kikakeyboard",
            "singleton": true, // The application is installed for a single user.
            "keepAlive": true, // The application can keep running in the background.
            "runningResourcesApply": true, // The application can apply for running resources such as the CPU, event notifications, and Bluetooth.
            "associatedWakeUp": true, // The application in the FA model can be woken up by an associated application.
            "app_signature": ["****"], // The setting takes effect only when the configured certificate fingerprint is the same as the HAP certificate fingerprint.
            "allowCommonEvent": ["usual.event.SCREEN_ON", "usual.event.THERMAL_LEVEL_CHANGED"],
            "allowAppDataNotCleared": true, // The application data cannot be deleted.
            "allowAppMultiProcess": true, // Allow the application to run on multiple processes.
            "allowAppDesktopIconHide": true, // Allow the application icon to be hidden from the home screen.
            "allowAbilityPriorityQueried": true, // Allow the ability to configure and query the priority.
            "allowAbilityExcludeFromMissions": true, // Allow the ability to be hidden in the mission stack.
            "allowAppUsePrivilegeExtension": true, // Allow the application to use ServiceExtension and DataExtension abilities.
            "allowFormVisibleNotify": true, // Allow a widget to be visible on the home screen.
            "allowAppShareLibrary": true, // Allow the application to provide the inter-application HSP capability.
            "allowMissionNotCleared": true // Allow an ability not to be cleared from the task list.
        }
    ]
}
```

**Obtaining the Certificate Fingerprint**

1. Create the **profile.cer** file, and copy the certificate content under the **distribution-certificate** field of the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md) to the **profile.cer** file.

   ```json
   {
       ...
       "bundle-info": {
           "distribution-certificate": "-----BEGIN CERTIFICATE-----\nMIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMk..." // Certificate content.
           ...
       }
       ...
   }
   ```

2. Apply line breaks in the **profile.cer** content and remove the literal `\n` newline characters.

   ```
   -----BEGIN CERTIFICATE-----
   MIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMGMxCzAJBgNVBAYTAkNO
   MRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh
   bTEjMCEGA1UEAxMaT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gQ0EwHhcNMjEwMjAy
   MTIxOTMxWhcNNDkxMjMxMTIxOTMxWjBoMQswCQYDVQQGEwJDTjEUMBIGA1UEChML
   T3Blbkhhcm1vbnkxGTAXBgNVBAsTEE9wZW5IYXJtb255IFRlYW0xKDAmBgNVBAMT
   H09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJlbGVhc2UwWTATBgcqhkjOPQIBBggq
   hkjOPQMBBwNCAATbYOCQQpW5fdkYHN45v0X3AHax12jPBdEDosFRIZ1eXmxOYzSG
   JwMfsHhUU90E8lI0TXYZnNmgM1sovubeQqATo1IwUDAfBgNVHSMEGDAWgBTbhrci
   FtULoUu33SV7ufEFfaItRzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFPtxruhl
   cRBQsJdwcZqLu9oNUVgaMAwGCCqGSM49BAMDBQADaAAwZQIxAJta0PQ2p4DIu/ps
   LMdLCDgQ5UH1l0B4PGhBlMgdi2zf8nk9spazEQI/0XNwpft8QAIwHSuA2WelVi/o
   zAlF08DnbJrOOtOnQq5wHOPlDYB4OtUzOYJk9scotrEnJxJzGsh/
   -----END CERTIFICATE-----
   ```

3. Use keytool to run the following command to obtain the certificate fingerprint.

   > **NOTE**
   >
   > You can obtain keytool from the **\tools\openjdk\bin** directory after DevEco Studio is installed.

   ```shell
   keytool -printcert -file profile.cer

   # Example
   # result:
   # Issued To: CN=OpenHarmony Application Release, OU=OpenHarmony Team, O=OpenHarmony, C=CN
   # Issued By: CN=OpenHarmony Application CA, OU=OpenHarmony Team, O=OpenHarmony, C=CN
   # SN: 68e0bfcc
   # Valid From: Tue Feb 02 20:19:31 CST 2021, Valid To: Fri Dec 31 20:19:31 CST 2049
   # Fingerprints:
   #          SHA1 fingerprint: E3:E8:7C:65:B8:1D:02:52:24:6A:06:A4:3C:4A:02:39:19:92:D1:F5
   #          SHA256 fingerprint: 8E:93:86:3F:C3:2E:E2:38:06:0B:F6:9A:9B:37:E2:60:8F:FF:B2:1F:93:C8:62:DD:51:1C:BA:C9:F3:00:24:B5 // After the colons are removed, the fingerprint is 8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC9F30024B5.
   # ...
   ```

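The three steps above can also be done in one pass from the provision file, with the result checked against the **app_signature** values configured for a bundle. This is an added example, not OpenHarmony code: the function names and sample data are constructed, the PEM body is a stand-in payload rather than a real certificate, and the exact-string comparison is an assumption about how the fingerprint is matched.

```python
import base64
import hashlib
import json
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample data (assumption): the PEM body "YWJj" is a stand-in payload,
# not a real certificate, so the fingerprint below is SHA-256 over those bytes.
PROVISION = r'''{"bundle-info": {"distribution-certificate":
  "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"}}'''
CAPABILITY = '''{"install_list": [{
  "bundleName": "com.example.kikakeyboard",
  "keepAlive": true,
  "app_signature": ["BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"]}]}'''


def profile_fingerprint(provision_json):
    """SHA-256 over the certificate's DER bytes, uppercase hex without colons."""
    profile = json.loads(provision_json)  # JSON decoding turns "\n" escapes into line breaks
    pem = profile["bundle-info"]["distribution-certificate"]
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("distribution-certificate is not PEM encoded")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest().upper()


def signature_status(capability_json, bundle_name, provision_json):
    """Compare the app_signature values configured for bundle_name with the profile."""
    expected = profile_fingerprint(provision_json)
    entries = [e for e in json.loads(capability_json)["install_list"]
               if e.get("bundleName") == bundle_name]
    if not entries:
        return "no-entry"
    configured = [s for e in entries for s in e.get("app_signature", [])]
    if expected in configured:  # exact match is an assumption of this example
        return "match"
    if any(s.replace(":", "").upper() == expected for s in configured):
        return "needs-normalizing"  # right certificate, keytool notation left in
    return "mismatch"


if __name__ == "__main__":
    print(profile_fingerprint(PROVISION))
    print(signature_status(CAPABILITY, "com.example.kikakeyboard", PROVISION))
```

With a real provision file, `profile_fingerprint` should return the same value as keytool's SHA256 fingerprint with the colons removed.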
#### Configuration in install_list.json

```json
{
     "install_list" : [
        {
            "app_dir" : "/system/app/com.ohos.launcher",
            "removable": true // The application can be uninstalled.
        }
     ]
}
```