
Supplementary Security Domains

Martin Paljak edited this page Sep 5, 2018 · 5 revisions

Creating SSDs

Supplementary security domains (SSDs) are created with -domain. Grant additional privileges with -privs and pass installation parameters with -params. The package and application ID of the security domain code being instantiated have defaults, which can be overridden with -pkg and -app.

To give the newly created SSD extradition rights, use -allow-to so that applications can be extradited to the SSD, and -allow-from so that applications can be extradited from it. If you also need to pass your own installation parameters with -params, the extradition settings are not added for you: construct the necessary privileges block inside the parameters block yourself.
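As an added example (not GlobalPlatformPro's own code) of what a -privs value and a hand-built parameters block turn into on the wire, the following Python script encodes and decodes the GlobalPlatform privileges field (GP Card Specification 2.2.1, Table 11-7) and assembles the data field of the INSTALL [for install and make selectable] command that creates a new SSD. It also covers the DAPVerification and MandatedDAPVerification privileges used in the DAP section below. Assumptions: privilege names are the specification's names with spaces removed (the page itself spells DAPVerification and MandatedDAPVerification this way, the rest are assumed to match what -privs accepts); the package, module and SSD AIDs are example values; the extradition settings that -allow-to and -allow-from would add to the parameters are not encoded here.

```python
"""Added example, not GlobalPlatformPro's own code: encode/decode the GlobalPlatform
privileges field (GP Card Spec 2.2.1, Table 11-7) and build the data field of
INSTALL [for install and make selectable] (P1 = 0x0C), which is what
"gp -domain <AID> -privs ... -params ..." ends up sending to the card."""

# (byte index, bit mask) per privilege. Spec names with spaces removed; the page
# spells DAPVerification and MandatedDAPVerification the same way, the rest are
# assumed to match gp's -privs spelling.
PRIVILEGES = {
    "SecurityDomain": (0, 0x80), "DAPVerification": (0, 0x40),
    "DelegatedManagement": (0, 0x20), "CardLock": (0, 0x10),
    "CardTerminate": (0, 0x08), "CardReset": (0, 0x04),
    "CVMManagement": (0, 0x02), "MandatedDAPVerification": (0, 0x01),
    "TrustedPath": (1, 0x80), "AuthorizedManagement": (1, 0x40),
    "TokenVerification": (1, 0x20), "GlobalDelete": (1, 0x10),
    "GlobalLock": (1, 0x08), "GlobalRegistry": (1, 0x04),
    "FinalApplication": (1, 0x02), "GlobalService": (1, 0x01),
    "ReceiptGeneration": (2, 0x80), "CipheredLoadFileDataBlock": (2, 0x40),
    "ContactlessActivation": (2, 0x20), "ContactlessSelfActivation": (2, 0x10),
}
RFU_MASK_BYTE3 = 0x0F  # byte 3 bits b4..b1 are reserved and must be zero


def encode_privileges(names):
    """Privileges field: one byte when only byte-1 privileges are set (the
    GP 2.1.1-compatible form), otherwise the full three bytes."""
    names = set(names)
    unknown = names - PRIVILEGES.keys()
    if unknown:
        raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
    # DAP verification is a Security Domain privilege: refuse it on a plain applet.
    if names & {"DAPVerification", "MandatedDAPVerification"} and "SecurityDomain" not in names:
        raise ValueError("DAPVerification/MandatedDAPVerification require SecurityDomain")
    field = bytearray(3)
    for name in names:
        idx, mask = PRIVILEGES[name]
        field[idx] |= mask
    return bytes(field[:1]) if field[1] == 0 and field[2] == 0 else bytes(field)


def privileges_valid(names):
    """True if encode_privileges() accepts the combination."""
    try:
        encode_privileges(names)
        return True
    except ValueError:
        return False


def decode_privileges(field):
    """Parse a 1- or 3-byte privileges field back into sorted privilege names."""
    if len(field) not in (1, 3):
        raise ValueError("privileges field must be 1 or 3 bytes long")
    if len(field) == 3 and field[2] & RFU_MASK_BYTE3:
        raise ValueError("RFU bits set in privileges byte 3")
    return sorted(n for n, (idx, mask) in PRIVILEGES.items()
                  if idx < len(field) and field[idx] & mask)


def _lv(value):
    """Length-prefixed value, the layout of every field in the INSTALL data."""
    if len(value) > 255:
        raise ValueError("field too long")
    return bytes([len(value)]) + value


def install_params(app_specific=b"", system_specific=b""):
    """Install parameters: tag C9 (application specific, may be empty) is always
    present; tag EF (system specific) only when given. Short-form BER lengths only,
    which is enough here. A block handed to -params follows this same TLV layout."""
    if len(app_specific) > 127 or len(system_specific) > 127:
        raise ValueError("long-form BER lengths not handled in this example")
    params = bytes([0xC9, len(app_specific)]) + app_specific
    if system_specific:
        params += bytes([0xEF, len(system_specific)]) + system_specific
    return params


def install_for_install_apdu(elf_aid, module_aid, app_aid, privileges, params, token=b""):
    """CLA 80 INS E6 P1 0C P2 00 Lc, data = LV(ELF AID) LV(module AID) LV(app AID)
    LV(privileges) LV(install params) LV(install token)."""
    data = (_lv(elf_aid) + _lv(module_aid) + _lv(app_aid)
            + _lv(privileges) + _lv(params) + _lv(token))
    return bytes([0x80, 0xE6, 0x0C, 0x00]) + _lv(data)


# Example values constructed for this script: the usual GlobalPlatform Security
# Domain package and module AIDs, plus a made-up AID for the new SSD. Check what
# your card actually carries before relying on them.
SD_PACKAGE_AID = bytes.fromhex("A0000001515350")
SD_MODULE_AID = bytes.fromhex("A000000151535041")
NEW_SSD_AID = bytes.fromhex("A000000151AA000001")


def example_ssd_apdu():
    """APDU creating an SSD with SecurityDomain + DAPVerification and empty params."""
    privs = encode_privileges(["SecurityDomain", "DAPVerification"])
    return install_for_install_apdu(SD_PACKAGE_AID, SD_MODULE_AID, NEW_SSD_AID,
                                    privs, install_params())


if __name__ == "__main__":
    print(example_ssd_apdu().hex().upper())
    print(decode_privileges(bytes.fromhex("C08000")))
```

The one-byte versus three-byte choice matters when you hand-build the block: a card that only understands the GP 2.1.1 one-byte form will reject a three-byte field, and the three-byte form is unavoidable as soon as any byte-2 or byte-3 privilege (such as TrustedPath) is requested.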

Installing applications into an SSD

To extradite an application to a different security domain as part of the installation, name the target SSD with -to:

gp -install <applet.cap> -to <AID>

The target SSD must accept the extradition, so be sure it was created with -allow-to.

Extraditing applications

gp -move <AID> -to <AID>

Both security domains must allow the extradition, the current domain with -allow-from and the target domain with -allow-to, or the operation will fail.

Creating a new tree

A new tree is one whose root is the SSD itself. Create it by extraditing the SSD to itself, giving the same AID as both the source and the target:

gp -move <SSD AID> -to <SSD AID>

Working with (mandatory) DAP

DAP requires CAP files to be signed; use the capfile tool for that. Create the SSD with the DAPVerification (or MandatedDAPVerification) privilege and load the DAP public key into the SSD with -put-key. Keep in mind that deleting an SSD that has MandatedDAPVerification is usually not possible, nor is updating its DAP key, so choose the privilege and the key carefully before creating the domain.