MeeGo 1.2 Harmattan Security Tokens
MeeGo 1.2 Harmattan APIs/Qt Quick Modules that require security credentials
This section lists all MeeGo 1.2 Harmattan and Platform APIs and Qt Declarative modules that require security credentials. Please do not add any unnecessary tokens to your application's Aegis Manifest file.
APIs that require security tokens
UPDATE (12th Dec 2011): Tokens with strikethrough are not available, and the methods that require them will be removed from the official Harmattan documentation soon.
| API | Required token |
|---|---|
| Accounts Framework | |
| Associate Content with Actions | |
| Location Extras | |
| Location Picker | |
| QmSystem | |
| QtMobility Contacts | |
| QtMobility Gallery | |
| QtMobility Location | |
| QtMobility Messaging | |
| QtMobility Multimedia | |
| QtMobility Organizer | |
| QtMobility Systeminfo | |
| QtSparql RDF Tracker | |
| Relevance Search | |
| Share UI Extension API | |
| Single Sign On | |
| Web Upload Services | |
A description of the POSIX tokens can be found here.
Qt Declarative modules that require security credentials
| Qt Declarative module | Required token |
|---|---|
| MapsPlugin | |
| QSparql | |
| QtMobility.contacts | |
| QtMobility.gallery | |
| QtMobility.location | |
| QtMobility.messaging | |
| QtMobility.organizer | |
| QtMobility.systeminfo | |
| QtMultimediaKit | |
(Courtesy of the MeeGo 1.2 Harmattan documentation team)
Almost complete list of tokens available
As a Harmattan developer, you may have noticed that some applications work correctly only when launched from Qt Creator or over SSH, and not when launched from the phone's application menu or from the terminal.
In fact, when we run an application as developer or inside develsh, it gets the following security tokens by default:

```
/home/developer $ accli -I
Current mode: normal
Credentials:
UID::user
GID::developer
CAP::chown
CAP::dac_read_search
CAP::fowner
CAP::fsetid
CAP::kill
CAP::linux_immutable
CAP::net_bind_service
CAP::net_broadcast
CAP::net_admin
CAP::net_raw
CAP::ipc_lock
CAP::ipc_owner
CAP::sys_chroot
CAP::sys_ptrace
CAP::sys_pacct
CAP::sys_boot
CAP::sys_nice
CAP::sys_resource
CAP::sys_time
CAP::sys_tty_config
CAP::lease
CAP::audit_write
CAP::audit_control
CAP::setfcap
GRP::root
GRP::dialout
GRP::video
GRP::pulse-access
GRP::users
GRP::metadata-users
GRP::calendar
AID::.develsh.
Cellular
TrackerReadAccess
TrackerWriteAccess
Location
FacebookSocial
tracker::tracker-extract-access
tracker::tracker-miner-fs-access
libaccounts-noa::accesssvt
package-manager::packagemanager_limited
package-manager::packagemanager_private
icd2::icd2-plugin
develsh::develsh
```
But when the same app is launched from the application menu or from the terminal, it gets only these capabilities:

```
/home/user $ accli -I
Current mode: normal
Credentials:
UID::user
GID::users
SRC::com.nokia.maemo
AID::com.nokia.maemo.meegotouchhome-nokia.
meegotouchhome-nokia::meegotouchhome-nokia
```
As you can see, very few capabilities are granted to applications that run as user. This is why Harmattan has manifest files. A developer can write only one manifest file per Debian package. Each manifest file can request additional capabilities for one or more applications installed by the package.
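The following is an added example, not code from the original page or from the Harmattan documentation. It diffs shortened excerpts of the two `accli -I` listings above to find the tokens an app only holds under develsh, then builds a manifest request for just the ones the app needs. The `<aegis>/<request>/<credential>/<for>` layout, the binary path and the treatment of the `UID::`, `GID::`, `SRC::` and `AID::` entries are assumptions that this page does not show.

```python
import xml.etree.ElementTree as ET

# Shortened excerpts of the two `accli -I` listings above.
DEVELSH = """Current mode: normal
Credentials:
UID::user
GID::developer
CAP::net_raw
AID::.develsh.
Cellular
TrackerReadAccess
Location
develsh::develsh"""
MENU = """Current mode: normal
Credentials:
UID::user
GID::users
SRC::com.nokia.maemo
AID::com.nokia.maemo.meegotouchhome-nokia.
meegotouchhome-nokia::meegotouchhome-nokia"""

# Assumption for this example: these prefixes identify the launcher, user and
# group rather than a resource permission, so they are left out of the delta.
IDENTITY = ("UID::", "GID::", "SRC::", "AID::")

def parse_accli(text):
    """Return the set of credentials listed after the 'Credentials:' line."""
    lines = [line.strip() for line in text.splitlines()]
    return {s for s in lines[lines.index("Credentials:") + 1:] if s}

def develsh_only(develsh, menu):
    """Candidate tokens: held under develsh, missing after a menu launch."""
    extra = parse_accli(develsh) - parse_accli(menu)
    return sorted(t for t in extra if not t.startswith(IDENTITY))

def manifest(binary, needed, candidates):
    """Request only the tokens the app needs (manifest layout is an assumption)."""
    unknown = sorted(set(needed) - set(candidates))
    if unknown:
        raise ValueError("not in the develsh delta: " + ", ".join(unknown))
    root = ET.Element("aegis")
    request = ET.SubElement(root, "request")
    for name in sorted(needed):
        ET.SubElement(request, "credential", name=name)
    ET.SubElement(request, "for", path=binary)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(manifest("/opt/example/bin/example", ["Location"], develsh_only(DEVELSH, MENU)))
```

The delta is only a list of candidates: as the comments further down note, some of these tokens are not granted to third-party packages.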
What tokens does this API need?
Here is the list of functions for which I don't know what capabilities they need to work correctly:
- Bluetooth Mobility API: QL2capServer::listen fails for low ports (e.g. 0x20). It works fine without requiring tokens for higher ports (e.g. 0x1001) or 0x0. It runs fine in develsh without needing any tokens.


Marcoweaver -
Excellent, this was a big help. marcoweaver 19:00, 24 August 2011 (EEST)
Hamishwillee - Removed from "Draft"
I've removed this from the Draft category and added it to the correct Harmattan category.
This looks very useful - shouldn't it be part of the core documentation in the Harmattan: namespace? Possibly not, because we're happy for others to edit it, but I would hope it would be linked to from the Harmattan documentation.
regards
Hamish
hamishwillee 08:54, 25 August 2011 (EEST)
Gnuton - How this page can help you to find the missing AEGIS token.
Hi, This page is really really helpful. If your app prints out an error message like the one below, the solution you are looking for is in this page! In my case you can see my app cannot send "req_tklock_mode_change" messages to MCE. If you browse the available tokens you can see quickly that mce::TKLockControl is the capability that my app needs.
runtime: "org.freedesktop.DBus.Error.AccessDenied" "Rejected send message, 3 matched rules; type="method_call", sender=":1.1574" (uid=29999 pid=4957 comm="/opt/carvcr/bin/CarVCR ") interface="com.nokia.mce.request" member="req_tklock_mode_change" error name="(unset)" requested_reply=0 destination="com.nokia.mce" (uid=0 pid=532 comm="/sbin/mce --force-syslog "))"
gnuton 11:07, 25 October 2011 (EEST)
UPDATE: mce::TKLockControl is not granted to 3rd party developers.
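As an added illustration that is not part of the comment above: the denial message can be split into the fields that matter when looking for the missing token, namely the destination service and the rejected interface and method. The regular expression assumes the message layout quoted in the comment; the second log line is constructed.

```python
import re
from collections import Counter

# The denial quoted in the comment above, plus one constructed unrelated line.
LOG = [
    'runtime: "org.freedesktop.DBus.Error.AccessDenied" "Rejected send message, '
    '3 matched rules; type="method_call", sender=":1.1574" (uid=29999 pid=4957 '
    'comm="/opt/carvcr/bin/CarVCR ") interface="com.nokia.mce.request" '
    'member="req_tklock_mode_change" error name="(unset)" requested_reply=0 '
    'destination="com.nokia.mce" (uid=0 pid=532 comm="/sbin/mce --force-syslog "))"',
    'runtime: camera initialised',  # constructed
]

# The first parenthesised group describes the calling process, the second one
# the service that refused the call.
DENIAL = re.compile(
    r'Rejected send message.*?'
    r'sender="(?P<sender>[^"]*)" \(uid=(?P<uid>\d+) pid=\d+ comm="(?P<caller>[^"]*)"\)'
    r'.*?interface="(?P<interface>[^"]*)" member="(?P<member>[^"]*)"'
    r'.*?destination="(?P<destination>[^"]*)" \(uid=\d+ pid=\d+ comm="(?P<service>[^"]*)"\)'
)

def parse_denial(line):
    """Return the fields of one denial as a dict, or None for other lines."""
    match = DENIAL.search(line)
    if not match:
        return None
    fields = {key: value.strip() for key, value in match.groupdict().items()}
    fields["uid"] = int(fields["uid"])
    return fields

def denied_calls(lines):
    """Count denials per (destination, interface, member)."""
    hits = filter(None, map(parse_denial, lines))
    return Counter((h["destination"], h["interface"], h["member"]) for h in hits)

if __name__ == "__main__":
    for call, count in denied_calls(LOG).items():
        print(count, *call)
```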
A.A.M. -
I've checked on Nokia N950 with PR 1.1 (v2.2011.39-5) and from 17 described tokens: 2 "credential is not defined" & 7 are "denied".
A.A.M. 18:40, 28 November 2011 (EET)