1# DLP Service Development 2 3The Data Loss Prevention (DLP) service is a system solution provided to prevent leakage of sensitive data. It provides a file format called DLP. A DLP file consists of the original file in ciphertext and the authorization credential, and ".dlp" is added to the end of the original file name (including the file name extension), for example, **test.docx.dlp**. 4 5A DLP file can be accessed only after successful device-cloud authentication (network connection required). The permissions for accessing a DLP file include the following: 6 7- Read-only: The user can only view the file. 8- Edit: The user can read and write the file, but cannot change the permission on the file. 9- Full control: The user can read and write the file, change the permission on the file, and restore the plaintext of the file. 10 11When an application accesses a DLP file, the system automatically installs a dual application, a copy based on the current application. Both can run at the same time without affecting each other. The dual application is running in a sandbox, which is restricted from external access to prevent data leakage. For simplicity, the dual application running in a sandbox is referred to as a sandbox application hereinafter. Each time a DLP file is opened, a sandbox application is generated. The sandbox applications are also isolated from each other. When an application is closed, its sandbox application will be automatically uninstalled and the temporary data generated in the sandbox directory will be cleared. 12 13Normally, the application is unaware of the sandbox and accesses the file in plaintext, like accessing a common file. However, the DLP sandbox restricts the application from accessing external resources (such as the network, clipboard, screenshot capturing, screen recording, and Bluetooth). For better user experience, you need to adapt your application based on service requirements. For example, for a read-only file, you'd better hide the **Save** button and disable automatic Internet access. 14 15## Sandbox Restrictions 16 17For an application in the DLP sandbox state, the permissions granted to the application are restricted based on the permission on the DLP file. 18 19| Application Permission| Description| Read-Only| Edit/Full Control| 20| -------- | -------- | -------- | -------- | 21| ohos.permission.USE_BLUETOOTH | Allows an application to use Bluetooth.| Unavailable| Unavailable| 22| ohos.permission.INTERNET |Allows an application to access the Internet.| Unavailable| Unavailable| 23| ohos.permission.DISTRIBUTED_DATASYNC | Allows an application to exchange user data (such as images, music, videos, and application data) with another device.| Unavailable| Unavailable| 24| ohos.permission.WRITE_MEDIA | Allows an application to read and write media files, such as images, videos, and audio clips.| Unavailable| Available| 25| ohos.permission.NFC_TAG | Allows an application to use NFC.| Unavailable| Available| 26 27## Available APIs 28 29| API| Description| 30| -------- | -------- | 31| isDLPFile(fd: number): Promise<boolean> <br> isDLPFile(fd: number, callback: AsyncCallback<boolean>): void| Checks whether a file is a DLP file.| 32| getDLPPermissionInfo(): Promise<DLPPermissionInfo> <br>getDLPPermissionInfo(callback: AsyncCallback<DLPPermissionInfo>): void | Obtains the DLP permission information of this sandbox application.| 33| getOriginalFileName(fileName: string): string | Obtains the original name of a DLP file.| 34| getDLPSuffix(): string | Obtains the file name extension of this DLP file.| 35| on(type: 'openDLPFile', listener: Callback<AccessedDLPFileInfo>): void | Subscribes to the file open event of DLP files. The application will be notified when a DLP file is opened.| 36| off(type: 'openDLPFile', listener?: Callback<AccessedDLPFileInfo>): void | Unsubscribes from the file open event of DLP files.| 37| isInSandbox(): Promise<boolean> <br>isInSandbox(callback: AsyncCallback<boolean>): void | Checks whether this application is running in a sandbox.| 38| getDLPSupportedFileTypes(): Promise<Array<string>><br>getDLPSupportedFileTypes(callback: AsyncCallback<Array<string>>): void | Obtains the file name extension types that can be appended with .dlp.| 39| setRetentionState(docUris: Array<string>): Promise<void> <br> setRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Sets the sandbox application retention state. If the retention state is set for a DLP file, the sandbox application will not be automatically uninstalled when the DLP file is closed.| 40| cancelRetentionState(docUris: Array<string>): Promise<void><br> cancelRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Cancels the sandbox application retention state.| 41| getRetentionSandboxList(bundleName?: string): Promise<Array<RetentionSandboxInfo>> <br> getRetentionSandboxList(bundleName: string, callback: AsyncCallback<Array<RetentionSandboxInfo>>): void <br> getRetentionSandboxList(callback: AsyncCallback<Array<RetentionSandboxInfo>>): void| Obtains the sandbox applications in the retention state.| 42| getDLPFileAccessRecords(): Promise<Array<AccessedDLPFileInfo>> <br> getDLPFileAccessRecords(callback: AsyncCallback<Array<AccessedDLPFileInfo>>): void | Obtains the DLP files that are accessed recently.| 43|setSandboxAppConfig(configInfo: string): Promise<void>|Sets sandbox application configuration.| 44|getSandboxAppConfig(): Promise<string>|Obtains the sandbox application configuration.| 45|cleanSandboxAppConfig(): Promise<void>|Clears the sandbox application configuration.| 46| startDLPManagerForResult(context: common.UIAbilityContext, want: Want): Promise<DLPManagerResult> <br>| Starts the DLP manager application on the current UIAbility page in borderless mode (available only for the stage model).| 47 48## How to Develop 49 501. Import the [dlpPermission](../../reference/apis-data-protection-kit/js-apis-dlppermission.md) module. 51 52 ```ts 53 import { dlpPermission } from '@kit.DataProtectionKit'; 54 ``` 55 562. Open a DLP file. The system automatically installs a DLP sandbox application for your application. <br>Add the following code to your application: 57 58 ```ts 59 import { common, Want } from '@kit.AbilityKit'; 60 import { BusinessError } from '@kit.BasicServicesKit'; 61 62 function OpenDlpFile(dlpUri: string, fileName: string, fd: number) { 63 let want:Want = { 64 "action": "ohos.want.action.viewData", 65 "bundleName": "com.example.example_bundle_name", 66 "abilityName": "exampleAbility", 67 "uri": dlpUri, 68 "parameters": { 69 "fileName": { 70 "name": fileName 71 }, 72 "keyFd": { 73 "type": "FD", 74 "value": fd 75 } 76 } 77 } 78 79 let context = getContext () as common.UIAbilityContext; // Obtain the UIAbility context. 80 81 try { 82 console.log('openDLPFile:' + JSON.stringify(want)); 83 console.log('openDLPFile: delegator:' + JSON.stringify(context)); 84 context.startAbility(want); 85 } catch (err) { 86 console.error('openDLPFile startAbility failed', (err as BusinessError).code, (err as BusinessError).message); 87 return; 88 } 89 } 90 ``` 91 92 Add **ohos.want.action.viewData** to the **module.json5** file. 93 94 ```json 95 "skills":[ 96 { 97 "entities":[ 98 ... 99 ], 100 "actions":[ 101 ... 102 "ohos.want.action.viewData" 103 ] 104 } 105 ] 106 ``` 107 1083. Generate a .dlp file. 109 110 Currently, the DLP feature supports the following file types: 111 112 ".doc", ".docm", ".docx", ".dot", ".dotm", ".dotx", ".odp", ".odt", ".pdf", ".pot", ".potm", ".potx", ".ppa", ".ppam", ".pps", ".ppsm", ".ppsx", ".ppt", ".pptm", ".pptx", ".rtf", ".txt", ".wps", ".xla", ".xlam", ".xls", ".xlsb", ".xlsm", ".xlsx", ".xlt", ".xltm", ".xltx", ".xlw", ".xml", ".xps" 113 114 Before you start, ensure that a file of the supported type that can be accessed by the application is available. For example, a file in the **Files** directory. 115 116 Start the DLP manager application in borderless mode. This API can be called only in the UIAbility context and supports only the stage model. Run the following code to open the permission settings page of the DLP manager application, enter the account information, and tap **Save**. On the page started by file Picker, select the directory to save the DLP file. [You need to implement the cloud module yourself](../DataProtectionKit/dlp-overview.md). 117 118 ```ts 119 import { dlpPermission } from '@kit.DataProtectionKit'; 120 import { common, Want } from '@kit.AbilityKit'; 121 import { BusinessError } from '@kit.BasicServicesKit'; 122 123 try { 124 let fileUri: string = "file://docs/storage/Users/currentUser/test.txt"; 125 let fileName: string = "test.txt"; 126 let context = getContext () as common.UIAbilityContext; // Obtain the UIAbility context. 127 let want: Want = { 128 'uri': fileUri, 129 'parameters': { 130 'displayName': fileName 131 } 132 }; // Request parameters. 133 dlpPermission.startDLPManagerForResult(context, want).then((res: dlpPermission.DLPManagerResult) => { 134 console.info('startDLPManagerForResult res.resultCode:' + res.resultCode); 135 console.info('startDLPManagerForResult res.want:' + JSON.stringify(res.want)); 136 }); // Start the DLP permission manager application to set permissions. 137 } catch (err) { 138 console.error('startDLPManagerForResult error:' + (err as BusinessError).code + (err as BusinessError).message); 139 } 140 ``` 141 1424. Check whether the application is running in a sandbox. 143 144 ```ts 145 import { dlpPermission } from '@kit.DataProtectionKit'; 146 import { BusinessError } from '@kit.BasicServicesKit'; 147 148 dlpPermission.isInSandbox().then((data)=> { 149 console.log('isInSandbox, result: ' + JSON.stringify(data)); 150 }).catch((err:BusinessError) => { 151 console.log('isInSandbox: ' + JSON.stringify(err)); 152 }); 153 ``` 154 1555. Obtain the permissions on the file. The permissions of the DLP sandbox application vary with the user's permission on the file. For more information, see [Sandbox Restrictions](#sandbox-restrictions). 156 157 ```ts 158 import { dlpPermission } from '@kit.DataProtectionKit'; 159 import { BusinessError } from '@kit.BasicServicesKit'; 160 161 dlpPermission.getDLPPermissionInfo().then((data)=> { 162 console.log('getDLPPermissionInfo, result: ' + JSON.stringify(data)); 163 }).catch((err:BusinessError) => { 164 console.log('getDLPPermissionInfo: ' + JSON.stringify(err)); 165 }); 166 ``` 167 1686. Obtain information about the file name extension types that support the DLP solution. Based on the information obtained, you can learn what types of files can be used to generate DLP files. 169 170 ```ts 171 import { dlpPermission } from '@kit.DataProtectionKit'; 172 dlpPermission.getDLPSupportedFileTypes((err, result) => { 173 console.log('getDLPSupportedFileTypes: ' + JSON.stringify(err)); 174 console.log('getDLPSupportedFileTypes: ' + JSON.stringify(result)); 175 }); 176 ``` 177 1787. Check whether the opened file is a DLP file. 179 180 ```ts 181 import { dlpPermission } from '@kit.DataProtectionKit'; 182 import { fileIo } from '@kit.CoreFileKit'; 183 import { BusinessError } from '@kit.BasicServicesKit'; 184 185 let uri = "file://docs/storage/Users/currentUser/Desktop/test.txt.dlp"; 186 let file = fileIo.openSync(uri); 187 try { 188 let res = dlpPermission.isDLPFile(file.fd); // Check whether the file is a DLP file. 189 console.info('res', res); 190 } catch (err) { 191 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 192 } 193 fileIo.closeSync(file); 194 ``` 195 1968. Subscribe to or unsubscribe from the DLP file open event. 197 198 ```ts 199 import { dlpPermission } from '@kit.DataProtectionKit'; 200 import { BusinessError } from '@kit.BasicServicesKit'; 201 class SubscribeExample { 202 event(info: dlpPermission.AccessedDLPFileInfo) { 203 console.info('openDlpFile event', info.uri, info.lastOpenTime) 204 } 205 unSubscribe() { 206 try { 207 dlpPermission.off('openDLPFile', this.event); // Unsubscribe from the file open event. 208 } catch (err) { 209 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 210 } 211 } 212 subscribe() { 213 try { 214 dlpPermission.on ('openDLPFile' , this.event); // Subscribe to the DLP file open event. 215 } catch (err) { 216 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 217 } 218 } 219 onCreate() { 220 this.subscribe(); 221 } 222 onDestroy() { 223 this.unSubscribe(); 224 } 225 } 226 ``` 227 2289. Obtain information about the DLP files that are recently accessed. 229 230 ```ts 231 import { dlpPermission } from '@kit.DataProtectionKit'; 232 import { BusinessError } from '@kit.BasicServicesKit'; 233 async function getDLPFileAccessRecords() { 234 try { 235 let res:Array<dlpPermission.AccessedDLPFileInfo> = await dlpPermission.getDLPFileAccessRecords(); // Obtain the list of recently accessed DLP files. 236 console.info('res', JSON.stringify(res)) 237 } catch (err) { 238 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 239 } 240 } 241 ``` 242 24310. Obtain information about the DLP sandbox applications in the retention state. 244 245 ```ts 246 import { dlpPermission } from '@kit.DataProtectionKit'; 247 import { BusinessError } from '@kit.BasicServicesKit'; 248 async function getRetentionSandboxList() { 249 try { 250 let res:Array<dlpPermission.RetentionSandboxInfo> = await dlpPermission.getRetentionSandboxList(); // Obtain the sandbox applications in the retention state. 251 console.info('res', JSON.stringify(res)) 252 } catch (err) { 253 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 254 } 255 } 256 ``` 257 25811. Set sandbox application configuration. 259 260 ```ts 261 import { dlpPermission } from '@kit.DataProtectionKit'; 262 import { BusinessError } from '@kit.BasicServicesKit'; 263 async function setSandboxAppConfig() { 264 try { 265 await dlpPermission.setSandboxAppConfig('configInfo'); // Set sandbox application configuration. 266 } catch (err) { 267 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 268 } 269 } 270 ``` 271 27212. Clear the sandbox application configuration. 273 274 ```ts 275 import { dlpPermission } from '@kit.DataProtectionKit'; 276 import { BusinessError } from '@kit.BasicServicesKit'; 277 async function cleanSandboxAppConfig() { 278 try { 279 await dlpPermission.cleanSandboxAppConfig(); // Clear the sandbox application configuration. 280 } catch (err) { 281 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 282 } 283 } 284 ``` 285 28613. Obtain the sandbox application configuration. 287 288 ```ts 289 import { dlpPermission } from '@kit.DataProtectionKit'; 290 import { BusinessError } from '@kit.BasicServicesKit'; 291 async function getSandboxAppConfig() { 292 try { 293 let res:string = await dlpPermission.getSandboxAppConfig(); // Obtain the sandbox application configuration. 294 console.info('res', JSON.stringify(res)) 295 } catch (err) { 296 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 297 } 298 } 299 ``` 300 30114. Start the DLP manager application in borderless mode. This API can be called only in the UIAbility context and supports only the stage model. 302 303 ```ts 304 import { dlpPermission } from '@kit.DataProtectionKit'; 305 import { common, UIAbility, AbilityConstant, Want } from '@kit.AbilityKit'; 306 import { BusinessError } from '@kit.BasicServicesKit'; 307 308 try { 309 let context = getContext () as common.UIAbilityContext; // Obtain the UIAbility context. 310 let want: Want = { 311 "uri": "file://docs/storage/Users/currentUser/Desktop/1.txt", 312 "parameters": { 313 "displayName": "1.txt" 314 } 315 }; // Request parameters. 316 dlpPermission.startDLPManagerForResult(context, want).then((res) => { 317 console.info('res.resultCode', res.resultCode); 318 console.info('res.want', JSON.stringify(res.want)); 319 }); // Start the DLP manager application. 320 } catch (err) { 321 console.error('error', err.code, err.message); // Report an error upon a failure. 322 } 323 ``` 324 32515. Check whether the current system provides the DLP feature. 326 ```ts 327 import { dlpPermission } from '@kit.DataProtectionKit'; 328 import { BusinessError } from '@kit.BasicServicesKit'; 329 330 dlpPermission.isDLPFeatureProvided().then((res) => { 331 console.info('res', JSON.stringify(res)); 332 }).catch((err: BusinessError) => { 333 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 334 }); 335 ``` 336