1# Application Privilege Configuration 2 3Application privileges are high-level capabilities of an application, for example, restricting an application from being uninstalled or restricting application data from being deleted. 4 5OpenHarmony provides both general and device-specific application privileges. The latter can be configured by device vendors for applications on different devices. The privileges configured in the **install_list_capability.json** file take precedence over the privileges configured in the signing certificate. 6 7> **NOTE** 8> - To avoid user dissatisfaction or even infringement, do not abuse application privileges. 9> - Modifying the application privileges in its profile applies only to the applications or services in debug mode. For a commercial application, apply for a release certificate and profile in the corresponding application market. 10 11## General Application Privileges 12 13### Introduction 14 15General application privileges are privileges available to applications on all types of devices. The following table lists the general application privileges. 16 17| Privilege| Description | 18| ---------------- | ------------------------------------------------------------ | 19| AllowAppDataNotCleared | Prevents deletion of application data.| 20| AllowAppDesktopIconHide | Allows the application icon to be hidden from the home screen.| 21| AllowAbilityPriorityQueried | Allows the ability priority to be queried. | 22| AllowAbilityExcludeFromMissions | Allows an ability to be hidden in the mission stack.| 23| AllowAppShareLibrary | Allows an ability to provide the HSP capability for other applications.| 24| AllowMissionNotCleared | Prevents the mission from being cleared.| 25 26### How to Configure 27 281. In the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md), set the general application privileges in the **app-privilege-capabilities** field. 292. Use the hapsigner tool to sign the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md) to generate a .p7b file. 303. Use the .p7b file to sign the HAP. 31 32Reference: [hapsigner](https://gitee.com/openharmony/developtools_hapsigner#README.md) 33 34### Example 35 36```json 37{ 38 "version-name": "1.0.0", 39 ... 40 "bundle-info": { 41 "developer-id": "OpenHarmony", 42 ... 43 }, 44 "issuer": "pki_internal", 45 "app-privilege-capabilities": ["AllowAppDataNotCleared", "AllowAppDesktopIconHide"] // The application data cannot be deleted, and the application icon can be hidden on the home screen. 46} 47``` 48 49## Device-specific Application Privileges 50 51### Introduction 52 53In addition to general application privileges, device vendors can define device-specific privileges for an application, as described in the table below. 54 55| Privilege | Type | Default Value| Description | 56| --------------------- | -------- | ------ | ------------------------------------------------- | 57| removable | bool | true | Allows an application to be uninstalled. This privilege takes effect only for preset applications. | 58| keepAlive | bool | false | Allows an application to keep running in the background. | 59| singleton | bool | false | Allows an application to be installed for a single user (user 0). | 60| allowCommonEvent | string[] | - | Allows an application to be started by a static broadcast. | 61| associatedWakeUp | bool | false | Allows an application in the FA model to be woken up by an associated application. | 62| runningResourcesApply | bool | false | Allows an application to request running resources, such as the CPU, event notifications, and Bluetooth.| 63| allowAppDataNotCleared | bool | false|Prevents deletion of application data.| 64| allowAppMultiProcess | bool | false| Allows multiple instances for an application.| 65| allowAppDesktopIconHide | bool | false| Allows the application icon to be hidden from the home screen.| 66| allowAbilityPriorityQueried | bool | false| Allows the ability priority to be queried. | 67| allowAbilityExcludeFromMissions | bool | false| Allows an ability to be hidden in the mission stack.| 68| allowAppUsePrivilegeExtension | bool | false|Allows an application to use ServiceExtension and DataExtension abilities.| 69| allowFormVisibleNotify | bool | false| Allows a widget to be visible on the home screen.| 70| allowAppShareLibrary | bool | false | Allows an ability to provide the HSP capability for other applications.| 71| allowMissionNotCleared | bool | false | Prevents the mission from being cleared.| 72 73### How to Configure 74 75Configure the required privileges in the [configuration file](https://gitee.com/openharmony/vendor_hihope/tree/master/rk3568/preinstall-config). 76 77### Example 78 79#### Configuration in install_list_capability.json 80 81```json 82{ 83 "install_list": [ 84 { 85 "bundleName": "com.example.kikakeyboard", 86 "singleton": true, // The application is installed for a single user. 87 "keepAlive": true, // The application can keep running in the background. 88 "runningResourcesApply": true, // The application can apply for running resources such as the CPU, event notifications, and Bluetooth. 89 "associatedWakeUp": true, // The application in the FA model can be woken up by an associated application. 90 "app_signature": ["****"], // The setting takes effect only when the configured certificate fingerprint is the same as the HAP certificate fingerprint. 91 "allowCommonEvent": ["usual.event.SCREEN_ON", "usual.event.THERMAL_LEVEL_CHANGED"] 92 "allowAppDataNotCleared": true, // The application data cannot be deleted. 93 "allowAppMultiProcess": true, // Allow multiple instances for the application. 94 "allowAppDesktopIconHide": true, // The application icon can be hidden from the home screen. 95 "allowAbilityPriorityQueried": true, // The ability priority can be queried. 96 "allowAbilityExcludeFromMissions": true,// Allow the ability to be excluded from the mission stack. 97 "allowAppUsePrivilegeExtension": true, // The application can use ServiceExtension and DataExtension abilities. 98 "allowFormVisibleNotify": true // The widget is visible on the home screen. 99 "allowAppShareLibrary": true // Allow the application to provide the inter-application HSP capability. 100 "allowMissionNotCleared": true // The mission cannot be cleared. 101 }, 102} 103``` 104 105**Obtaining the Certificate Fingerprint** 106 1071. Create the **profile.cer** file, and copy the certificate content under the **distribution-certificate** field of the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md) to the **profile.cer** file. 108 109 ```json 110 { 111 ... 112 "bundle-info": { 113 "distribution-certificate": "-----BEGIN CERTIFICATE----\nMIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMk..." / Certificate content. 114 ... 115 } 116 ... 117 } 118 ``` 119 1202. Apply line breaks in the **profile.cer** content and remove the newline characters. 121 ``` 122 -----BEGIN CERTIFICATE----- 123 MIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMGMxCzAJBgNVBAYTAkNO 124 MRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh 125 bTEjMCEGA1UEAxMaT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gQ0EwHhcNMjEwMjAy 126 MTIxOTMxWhcNNDkxMjMxMTIxOTMxWjBoMQswCQYDVQQGEwJDTjEUMBIGA1UEChML 127 T3Blbkhhcm1vbnkxGTAXBgNVBAsTEE9wZW5IYXJtb255IFRlYW0xKDAmBgNVBAMT 128 H09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJlbGVhc2UwWTATBgcqhkjOPQIBBggq 129 hkjOPQMBBwNCAATbYOCQQpW5fdkYHN45v0X3AHax12jPBdEDosFRIZ1eXmxOYzSG 130 JwMfsHhUU90E8lI0TXYZnNmgM1sovubeQqATo1IwUDAfBgNVHSMEGDAWgBTbhrci 131 FtULoUu33SV7ufEFfaItRzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFPtxruhl 132 cRBQsJdwcZqLu9oNUVgaMAwGCCqGSM49BAMDBQADaAAwZQIxAJta0PQ2p4DIu/ps 133 LMdLCDgQ5UH1l0B4PGhBlMgdi2zf8nk9spazEQI/0XNwpft8QAIwHSuA2WelVi/o 134 zAlF08DnbJrOOtOnQq5wHOPlDYB4OtUzOYJk9scotrEnJxJzGsh/ 135 -----END CERTIFICATE----- 136 ``` 137 1383. Use keytool to run the following command to obtain the certificate fingerprint. 139 140 > **NOTE**<br>You can obtain the keytool from the **\tools\openjdk\bin** directory after DevEco Studio is installed. 141 142 ```shell 143 keytool -printcert -file profile.cer 144 145 # Example 146 # result: 147 # Issued To: CN=OpenHarmony Application Release, OU=OpenHarmony Team, O=OpenHarmony, C=CN 148 # Issued By: CN=OpenHarmony Application CA, OU=OpenHarmony Team, O=OpenHarmony, C=CN 149 # SN: 68e0bfcc 150 # Valid From: Tue Feb 02 20:19:31 CST 2021, Valid To: Fri Dec 31 20:19:31 CST 2049 151 # Fingerprints: 152 # SHA1 fingerprint: E3:E8:7C:65:B8:1D:02:52:24:6A:06:A4:3C:4A:02:39:19:92:D1:F5 153 # SHA256: 8E:93:86:3F:C3:2E:E2:38:06:0B:F6:9A:9B:37:E2:60:8F:FF:B2:1F:93:C8:62:DD:51:1C:BA:C9:F3:00:24:B5 154 # // The certificate fingerprint with the colons (:) removed is 8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC9F30024B5. 155 # ... 156 ``` 157 1584. Remove the colons (:) from the SHA256 certificate fingerprint and fill the fingerprint in the **app_signature** field in the **install_list_capability.json** file. 159 160 ```json 161 { 162 "install_list": [ 163 { 164 ... 165 "app_signature": ["8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC9F30024B5"], 166 ... 167 } 168 ] 169 } 170 ``` 171 172#### Configuration in install_list.json 173 174```json 175{ 176 "install_list" : [ 177 { 178 "app_dir" : "/system/app/com.ohos.launcher", 179 "removable": true // The application can be uninstalled. 180 } 181 ] 182} 183``` 184