Runtime Environment
Applications run in a restricted environment by default, including an independent runtime user, an independent file system view, and restricted network access permissions.
Runtime User
After the application is installed, the system creates an independent runtime user (non-root privileges) for the application. All processes of the application will run under this user.
Data Directories
When the application is installed, the system automatically creates the following subdirectories with read-write permissions for the application user in the application installation directory:
- data: Application data directory (also the application's working directory)
- log: Application log directory
- cache: Application cache data directory
It is recommended that the application save runtime data, logs, and cache files in these respective directories. The absolute paths of these directories can be obtained through environment variables (see Environment Variables). These directories will be deleted when the application is uninstalled.
Environment Variables
The system sets the following environment variables when the application runs:
- UGAPP_INSTALL_DIR: Application installation directory
- UGAPP_DATA_DIR: Application data directory
- UGAPP_CACHE_DIR: Application cache data directory
- UGAPP_LOG_DIR: Application log directory
- UGAPP_SHARED_DIR: User-authorized accessible directories
In addition to system-set environment variables, custom configuration items declared by the application (see Application Configuration) are also passed to the application through environment variables. The environment variable name is consistent with the key field in the custom configuration declaration.
For example, if you define two configuration items for login account (ACCOUNT) and password (PASSWORD), the following environment variables will be set:
ACCOUNT='admin'
PASSWORD='admin123'

System-set environment variables all have the UGAPP_ prefix. Do not use this prefix for the application's custom configuration environment variables.
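The following startup helper is an added example, not code from the UGAPP documentation or platform: it validates the system-set UGAPP_* directory variables before the application writes anything, rejects custom configuration keys that would collide with the reserved UGAPP_ prefix, and reads a custom configuration item (the ACCOUNT example above) from the environment, refusing to start on a blank value. The function names are hypothetical; only the UGAPP_* variable names come from the page.

```shell
#!/bin/sh
# Added example (not from the UGAPP documentation): startup checks for the
# directories and configuration the system passes through the environment.
# Function names are hypothetical.

# Return 0 if every listed UGAPP_* variable is set and points to a writable
# directory; report the first problem on stderr and return 1 otherwise.
ugapp_require_dirs() {
    for name in UGAPP_DATA_DIR UGAPP_LOG_DIR UGAPP_CACHE_DIR; do
        eval "dir=\${$name:-}"
        if [ -z "$dir" ]; then
            echo "missing environment variable: $name" >&2
            return 1
        fi
        if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
            echo "$name=$dir is not a writable directory" >&2
            return 1
        fi
    done
    return 0
}

# Custom configuration keys are exported verbatim as environment variables,
# so they must not use the reserved UGAPP_ prefix. Return 0 if all given
# keys are acceptable, 1 if any one is reserved or not a valid variable name.
ugapp_check_custom_keys() {
    for key in "$@"; do
        case "$key" in
            UGAPP_*)
                echo "custom key '$key' uses the reserved UGAPP_ prefix" >&2
                return 1 ;;
            *[!A-Za-z0-9_]*|[0-9]*|'')
                echo "custom key '$key' is not a valid variable name" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Print the value of a custom configuration item by key, failing if the key
# is malformed or the value is unset/empty so the application never starts
# with a blank credential.
ugapp_get_config() {
    ugapp_check_custom_keys "$1" || return 1
    eval "value=\${$1:-}"
    if [ -z "$value" ]; then
        echo "configuration item '$1' is not set" >&2
        return 1
    fi
    printf '%s\n' "$value"
}
```

A typical entry point would run `ugapp_require_dirs`, then `ACCOUNT=$(ugapp_get_config ACCOUNT) || exit 1`, and finally `cd "$UGAPP_DATA_DIR"` before launching the service, so a misconfigured install fails loudly at startup instead of writing into an unexpected location.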
Application Permissions
To ensure the security of the system and user data, applications run in a restricted environment by default. Applications need to declare the required permissions, and the system decides whether to grant the application the corresponding permissions based on the permission declarations.
Declare the required permissions by configuring the permissions field in project.yaml. Currently supported permissions include:
- SYSTEM.EXEC_SYSTEM_COMMAND: Execute system commands; the application can run the built-in commands in the system's /usr/bin and /usr/sbin directories
- NETWORK.ACCESS_INTERNET: Access the network; the application can open network connections to communicate with external internet services
File Access
Applications have an independent file system view and can only access files in the application installation directory and some system directories.
Accessible system directories (read-only):
- /lib
- /sys
- /dev
If the application has declared the system command execution permission (SYSTEM.EXEC_SYSTEM_COMMAND), it can additionally access and execute commands in the following system directories:
- /usr/bin
- /usr/sbin
- /bin
- /sbin
Application installation directory and subdirectory permissions:
- /var/packages/{appid}: Read-only
- /var/packages/{appid}/data: Read-write
- /var/packages/{appid}/log: Read-write
- /var/packages/{appid}/cache: Read-write
- /var/packages/{appid}/shared: Read-write
By default, applications have no permission to access Personal Folder or Shared Folder. If the allow_add_access_path field in project.yaml is set to true, users can explicitly authorize the folders the application may access on the application settings page.
Authorized folders will also be symbolically linked to the shared directory under the application installation directory. The absolute path can be obtained through the UGAPP_SHARED_DIR environment variable. For example, if the user authorizes the application to access the documents folder in Personal Folder (/home/user/documents), there will be a symbolic link documents in the shared directory pointing to /home/user/documents.
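Because every authorized folder appears as a symbolic link under the shared directory, an application can enumerate what the user has granted and confine any user-supplied path to those folders. The helper below is an added example, not code from the UGAPP documentation or platform: it lists the authorized folders with their resolved targets and checks that a candidate path, after resolving `..` components and links, still lies inside one of them. The function names are hypothetical; `readlink -f` (GNU coreutils/busybox) is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the UGAPP documentation): helpers for the
# user-authorized folders exposed as symbolic links under $UGAPP_SHARED_DIR.
# Function names are hypothetical.

# Print one "name<TAB>target" line per authorized folder, resolving each
# symbolic link in the shared directory to its absolute target.
ugapp_list_shared() {
    for link in "${UGAPP_SHARED_DIR:?UGAPP_SHARED_DIR is not set}"/*; do
        [ -L "$link" ] || continue
        printf '%s\t%s\n' "$(basename "$link")" "$(readlink -f "$link")"
    done
}

# Return 0 if the given path (which may contain ".." or further links)
# resolves to a location inside one of the authorized folders, 1 otherwise.
# Resolving first and comparing afterwards is what stops a path such as
# "documents/../private" from walking out of the granted folder.
ugapp_path_allowed() {
    candidate=$(readlink -f "$1") || return 1
    for link in "${UGAPP_SHARED_DIR:?UGAPP_SHARED_DIR is not set}"/*; do
        [ -L "$link" ] || continue
        root=$(readlink -f "$link") || continue
        case "$candidate" in
            "$root"|"$root"/*) return 0 ;;
        esac
    done
    echo "refusing access to '$1': outside the authorized folders" >&2
    return 1
}
```

Call `ugapp_path_allowed "$UGAPP_SHARED_DIR/$user_path"` before opening anything named by a user or by a network request; the check passes only for paths that end up underneath a folder the user actually authorized, regardless of how the path was spelled.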
Log Collection
By default, content output to standard output and standard error during application runtime will be automatically redirected by the system to the {appid}.log file in the application's log directory.
Log files generated by the application itself also need to be saved in the log directory. When users generate system diagnostic information in "Support", the system will automatically collect all log files in the application's log directory to help troubleshoot user-reported issues.
Note
Applications must manage the size and number of their own log files so that accumulated logs do not occupy too much disk space.
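The following size-based rotation is an added example of how an application can meet that requirement for the log files it writes itself into UGAPP_LOG_DIR; it is not code from the UGAPP documentation or platform. The function names, the app.log file name, and the LOG_MAX_BYTES and LOG_KEEP custom configuration items are hypothetical choices (their defaults of 1 MiB and 5 copies are likewise assumptions).

```shell
#!/bin/sh
# Added example (not from the UGAPP documentation): keep the application's
# own log file in $UGAPP_LOG_DIR from growing without bound.
# Function names, app.log, LOG_MAX_BYTES and LOG_KEEP are hypothetical.

# Rotate FILE when it exceeds MAX_BYTES, keeping at most KEEP old copies
# (FILE.1 is the newest). Return 0 if rotated, 1 if no rotation was needed.
ugapp_rotate_log() {
    file=$1; max_bytes=${2:-1048576}; keep=${3:-5}
    [ -f "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt "$max_bytes" ] || return 1
    # Shift existing copies up by one; the copy beyond KEEP is overwritten.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$file.$prev" ] && mv "$file.$prev" "$file.$i"
        i=$prev
    done
    mv "$file" "$file.1"
    : > "$file"
    return 0
}

# Print how many rotated copies of FILE currently exist.
ugapp_rotated_count() {
    n=0
    for f in "$1".[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Append a timestamped line to the application's own log file in the log
# directory, then rotate it if it has grown past the configured limit.
ugapp_log() {
    logfile="${UGAPP_LOG_DIR:?UGAPP_LOG_DIR is not set}/app.log"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$logfile"
    ugapp_rotate_log "$logfile" "${LOG_MAX_BYTES:-1048576}" "${LOG_KEEP:-5}" || true
}
```

Standard output and standard error are already captured by the system into {appid}.log, so only files the application opens itself need this treatment; the caller writes through `ugapp_log "message"` and the total footprint of app.log stays bounded by roughly (LOG_KEEP + 1) times LOG_MAX_BYTES.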