1. Background

In the current OpenHarmony system, part of the interface provided to the application layer is the system interface . The so-called system interface is an interface that only allows system applications to call, and does not allow third-party applications to call.
So this only allows system application calls . How is this restriction implemented in the system?
How to define or distinguish system applications and third-party applications?

Two, explore

1. Only system applications are allowed to call

By reading the source code, we found that BundleMgrthere is a method CheckIsSystemAppByUidthat can be used to determine whether the application is a system application. The usage is as follows:
- First, we need to obtain BundleMgrthe instance , as follows:

static sptr<IBundleMgr> GetBundleMgr()
{
    
    
    auto sam = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
    if (sam == nullptr) {
    
    
        USB_HILOGW(MODULE_USB_SERVICE, "GetSystemAbilityManager return nullptr");
        return nullptr;
    }
    auto bundleMgrSa = sam->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID);
    if (bundleMgrSa == nullptr) {
    
    
        USB_HILOGW(MODULE_USB_SERVICE, "GetSystemAbility return nullptr");
        return nullptr;
    }
    auto bundleMgr = iface_cast<IBundleMgr>(bundleMgrSa);
    if (bundleMgr == nullptr) {
    
    
        USB_HILOGW(MODULE_USB_SERVICE, "iface_cast return nullptr");
    }
    return bundleMgr;
}

Then we get the application that calls the current system interfaceuid , and uidpass it CheckIsSystemAppByUidto determine whether it is a system application.

bool UsbRightManager::IsSystemHap()
{
    
    
    pid_t uid = IPCSkeleton::GetCallingUid();
    auto bundleMgr = GetBundleMgr();
    if (bundleMgr == nullptr) {
    
    
        USB_HILOGW(MODULE_USB_SERVICE, "BundleMgr is nullptr, return false");
        return false;
    }
    return bundleMgr->CheckIsSystemAppByUid(uid);
}

In this way, we can know whether the application calling our interface is a system application or not. If it is not for the system application to directly return the corresponding error and not follow the normal business logic, we can achieve our goal.

2. Make a common application

Currently, the applications compiled and automatically signed by the deveco tool are system applications by default, so we can automatically sign according to the official tutorial to get ordinary applications.

3. Make a system application

First of all, it needs to be explained that system applications and ordinary applications on OpenHarmony are distinguished by signatures. The above automatic signatures are ordinary applications, so we need to manually sign if we want to get system applications. The official signing tutorial is here .
Here I write a simple version of the tutorial (linux version):
- First check the environment configuration:
  - Script files such as one-key signature are developed based on Python language, and the environment python3.x needs to be configured for use
  - java -versionIf it is not installed, please install it yourself.
  - gradle -vIf it is not installed, you can use the following command to install it:
```
mkdir /opt/gradle
cd /opt/gradle
wget -c https://services.gradle.org/distributions/gradle-7.1-bin.zip
unzip gradle-7.1-bin.zip
```
  - Add the bin path of gadle to the environment variableexport PATH=$PATH:/opt/gradle/gradle-7.1/bin
- Then download the signing tool and download this warehouse developtools_hapsigner
- Then compile hap-sign-tool.jar, as follows (selected from the official tutorial):
```
1、该工具基于Gradle 7.1编译构建，请确认环境已安装配置Gradle环境，并且版本正确
gradle -v
2、命令行打开文件目录至developtools_hapsigner/hapsigntool，执行命令进行编译打包
gradle build 或者 gradle jar
3、编译后得到二进制文件，目录为: ./hap_sign_tool/build/libs/hap-sign-tool.jar
```
- Modify the value autosign/UnsgnedReleasedProfileTemplate.jsonin the file . The value is the package name of your own application. Some interfaces have higher requirements for apl. If necessary, you can change the value to the followingapp-featureohos_system_appbundle-nameaplsystem_core
```
 "apl": "system_core",
"app-feature": "ohos_system_app"`
```
- Name the application to be signed and app1-unsigned.happut it autosign/in the directory.
- Then execute create_appcert_sign_profile.shand sign_hap.shscript respectively, and developtools_hapsigner-master/autosign/resulta app1-signed.hapsigned normal application named will be generated in the directory.
When signing for the second time, an error may be reported. In this case, the modification of the git checkout autosign/result/OpenHarmony.p12rollback OpenHarmony.p12file needs to be performed. Then execute create_appcert_sign_profile.shand again sign_hap.sh. Subsequent signatures only need to be executed sign_hap.sh.

3. Summary

The bottom layer is provided by BundleMgr to determine whether it is a third-party application.
Whether the upper layer is a system application depends on the fields in the signature app-feature. If it is, hos_normal_appit is a normal application, and if it is, ohos_system_appit is a system application.

4. References

1. Deveco official download: https://developer.harmonyos.com/cn/develop/deveco-studio
2. OpenHarmony package signing tool: https://gitee.com/openharmony/developtools_hapsigner
3. Gradle installation and use: https: https://gradle.org/install/#manually

[OpenHarmony] System application authority control and signature