1# DLP Service Development 2 3The Data Loss Prevention (DLP) service is a system solution provided to prevent leakage of sensitive data. It provides a file format called DLP. A DLP file consists of the original file in ciphertext and the authorization credential, and ".dlp" is added to the end of the original file name (including the file name extension), for example, **test.docx.dlp**. 4 5A DLP file can be accessed only after successful device-cloud authentication (network connection required). The permissions for accessing a DLP file include the following: 6 7- Read-only: The user can only view the file. 8- Edit: The user can read and write the file, but cannot change the permission on the file. 9- Full control: The user can read and write the file, change the permission on the file, and restore the plaintext of the file. 10 11When an application accesses a DLP file, the system automatically installs a dual application, a copy based on the current application. Both can run at the same time without affecting each other. The dual application is running in a sandbox, which is restricted from external access to prevent data leakage. For simplicity, the dual application running in a sandbox is referred to as a sandbox application hereinafter. Each time a DLP file is opened, a sandbox application is generated. The sandbox applications are also isolated from each other. When an application is closed, its sandbox application will be automatically uninstalled and the temporary data generated in the sandbox directory will be cleared. 12 13Normally, the application is unaware of the sandbox and accesses the file in plaintext, like accessing a common file. However, the DLP sandbox restricts the application from accessing external resources (such as the network, clipboard, screenshot capturing, screen recording, and Bluetooth). For better user experience, you need to adapt your application based on service requirements. For example, for a read-only file, you'd better hide the **Save** button and disable automatic Internet access. 14 15## Sandbox Restrictions 16 17For an application in the DLP sandbox state, the permissions granted to the application are restricted based on the permission on the DLP file. 18 19| Application Permission| Description| Read-Only| Edit/Full Control| 20| -------- | -------- | -------- | -------- | 21| ohos.permission.USE_BLUETOOTH | Allows an application to use Bluetooth.| Unavailable| Unavailable| 22| ohos.permission.INTERNET |Allows an application to access the Internet.| Unavailable| Unavailable| 23| ohos.permission.DISTRIBUTED_DATASYNC | Allows an application to exchange user data (such as images, music, videos, and application data) with another device.| Unavailable| Unavailable| 24| ohos.permission.WRITE_MEDIA | Allows an application to read and write media files, such as images, videos, and audio clips.| Unavailable| Available| 25| ohos.permission.NFC_TAG | Allows an application to use NFC.| Unavailable| Available| 26 27## Available APIs 28 29| API| Description| 30| -------- | -------- | 31| isDLPFile(fd: number): Promise<boolean> <br> isDLPFile(fd: number, callback: AsyncCallback<boolean>): void| Checks whether a file is a DLP file.| 32| getDLPPermissionInfo(): Promise<DLPPermissionInfo> <br>getDLPPermissionInfo(callback: AsyncCallback<DLPPermissionInfo>): void | Obtains the DLP permission information of this sandbox application.| 33| getOriginalFileName(fileName: string): string | Obtains the original name of a DLP file.| 34| getDLPSuffix(): string | Obtains the file name extension of this DLP file.| 35| on(type: 'openDLPFile', listener: Callback<AccessedDLPFileInfo>): void | Subscribes to the file open event of DLP files. The application will be notified when a DLP file is opened.| 36| off(type: 'openDLPFile', listener?: Callback<AccessedDLPFileInfo>): void | Unsubscribes from the file open event of DLP files.| 37| isInSandbox(): Promise<boolean> <br>isInSandbox(callback: AsyncCallback<boolean>): void | Checks whether this application is running in a sandbox.| 38| getDLPSupportedFileTypes(): Promise<Array<string>><br>getDLPSupportedFileTypes(callback: AsyncCallback<Array<string>>): void | Obtains the file name extension types that can be appended with .dlp.| 39| setRetentionState(docUris: Array<string>): Promise<void> <br> setRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Sets the sandbox application retention state. If the retention state is set for a DLP file, the sandbox application will not be automatically uninstalled when the DLP file is closed.| 40| cancelRetentionState(docUris: Array<string>): Promise<void><br> cancelRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Cancels the sandbox application retention state.| 41| getRetentionSandboxList(bundleName?: string): Promise<Array<RetentionSandboxInfo>> <br> getRetentionSandboxList(bundleName: string, callback: AsyncCallback<Array<RetentionSandboxInfo>>): void <br> getRetentionSandboxList(callback: AsyncCallback<Array<RetentionSandboxInfo>>): void| Obtains the sandbox applications in the retention state.| 42| getDLPFileAccessRecords(): Promise<Array<AccessedDLPFileInfo>> <br> getDLPFileAccessRecords(callback: AsyncCallback<Array<AccessedDLPFileInfo>>): void | Obtains the DLP files that are accessed recently.| 43|setSandboxAppConfig(configInfo: string): Promise<void>|Set sandbox application configuration.| 44|getSandboxAppConfig(): Promise<string>|Obtain the sandbox application configuration.| 45|cleanSandboxAppConfig(): Promise<void>|Clear the sandbox application configuration.| 46| startDLPManagerForResult(context: common.UIAbilityContext, want: Want): Promise<DLPManagerResult> <br>| Starts the DLP manager application on the current UIAbility page in borderless mode (available only for the stage model).| 47 48## How to Develop 49 50This document provides API sample code. For details about how to create a project, see [Creating a Project](https://developer.huawei.com/consumer/en/doc/harmonyos-guides/ide-project). 51 521. Import the [dlpPermission](../../reference/apis-data-protection-kit/js-apis-dlppermission.md) module. 53 54 ```ts 55 import { dlpPermission } from '@kit.DataProtectionKit'; 56 ``` 57 582. Open a DLP file. The system automatically installs a DLP sandbox application for your application. <br>Add the following code to your application: 59 60 ```ts 61 import { common, Want } from '@kit.AbilityKit'; 62 import { BusinessError } from '@kit.BasicServicesKit'; 63 import { UIContext } from '@kit.ArkUI'; 64 65 function OpenDlpFile(dlpUri: string, fileName: string, fd: number) { 66 let want: Want = { 67 "action": "ohos.want.action.viewData", 68 "bundleName": "com.example.example_bundle_name", 69 "abilityName": "exampleAbility", 70 "uri": dlpUri, 71 "parameters": { 72 "fileName": { 73 "name": fileName 74 }, 75 "keyFd": { 76 "type": "FD", 77 "value": fd 78 } 79 } 80 } 81 82 let context = new UIContext().getHostContext() as common.UIAbilityContext; // Obtain the current UIAbilityContext. 83 84 try { 85 console.log('openDLPFile:' + JSON.stringify(want)); 86 console.log('openDLPFile: delegator:' + JSON.stringify(context)); 87 context.startAbility(want); 88 } catch (err) { 89 console.error('openDLPFile startAbility failed', (err as BusinessError).code, (err as BusinessError).message); 90 return; 91 } 92 } 93 ``` 94 95 Add **ohos.want.action.viewData** to the **module.json5** file. 96 97 ```json 98 "skills":[ 99 { 100 "entities":[ 101 // ... 102 ], 103 "actions":[ 104 // ... 105 "ohos.want.action.viewData" 106 ] 107 } 108 ] 109 ``` 110 1113. Generate a .dlp file. 112 113 [You need to set up the cloud module for this feature](../DataProtectionKit/dlp-overview.md) and configure a domain account environment. 114 115 Currently, the DLP feature supports the following file types: ".doc", ".docm", ".docx", ".dot", ".dotm", ".dotx", ".odp", ".odt", ".pdf", ".pot", ".potm", ".potx", ".ppa", ".ppam", ".pps", ".ppsm", ".ppsx", ".ppt", ".pptm", ".pptx", ".rtf", ".txt", ".wps", ".xla", ".xlam", ".xls", ".xlsb", ".xlsm", ".xlsx", ".xlt", ".xltm", ".xltx", ".xlw", ".xml", ".xps" 116 117 A file of the supported type that can be accessed by the application is available. For example, a file in the **Files** directory. 118 119 Start the DLP manager application in borderless mode. This API can be called only in the UIAbility context and supports only the stage model. Run the following code to open the permission settings page of the DLP manager application, enter the account information, and tap **Save**. On the page started by file Picker, select the directory to save the DLP file. 120 121 ```ts 122 import { dlpPermission } from '@kit.DataProtectionKit'; 123 import { common, Want } from '@kit.AbilityKit'; 124 import { BusinessError } from '@kit.BasicServicesKit'; 125 import { UIContext } from '@kit.ArkUI'; 126 127 try { 128 let fileUri: string = "file://docs/storage/Users/currentUser/test.txt"; 129 let fileName: string = "test.txt"; 130 let context = new UIContext().getHostContext() as common.UIAbilityContext; // Obtain the current UIAbilityContext. 131 let want: Want = { 132 'uri': fileUri, 133 'parameters': { 134 'displayName': fileName 135 } 136 }; // Request parameters. 137 dlpPermission.startDLPManagerForResult(context, want).then((res: dlpPermission.DLPManagerResult) => { 138 console.info('startDLPManagerForResult res.resultCode:' + res.resultCode); 139 console.info('startDLPManagerForResult res.want:' + JSON.stringify(res.want)); 140 }); // Start the DLP permission manager application to set permissions. 141 } catch (err) { 142 console.error('startDLPManagerForResult error:' + (err as BusinessError).code + (err as BusinessError).message); 143 } 144 ``` 145 1464. Check whether the application is running in a sandbox. 147 148 ```ts 149 import { dlpPermission } from '@kit.DataProtectionKit'; 150 import { BusinessError } from '@kit.BasicServicesKit'; 151 152 dlpPermission.isInSandbox().then((data)=> { 153 console.log('isInSandbox, result: ' + JSON.stringify(data)); 154 }).catch((err:BusinessError) => { 155 console.log('isInSandbox: ' + JSON.stringify(err)); 156 }); 157 ``` 158 1595. Obtain the permissions on the file. The permissions of the DLP sandbox application vary with the user's permission on the file. For more information, see [Sandbox Restrictions](#sandbox-restrictions). 160 161 ```ts 162 import { dlpPermission } from '@kit.DataProtectionKit'; 163 import { BusinessError } from '@kit.BasicServicesKit'; 164 165 dlpPermission.getDLPPermissionInfo().then((data)=> { 166 console.log('getDLPPermissionInfo, result: ' + JSON.stringify(data)); 167 }).catch((err:BusinessError) => { 168 console.log('getDLPPermissionInfo: ' + JSON.stringify(err)); 169 }); 170 ``` 171 1726. Obtain information about the file name extension types that support the DLP solution. Based on the information obtained, you can learn what types of files can be used to generate DLP files. 173 174 ```ts 175 import { dlpPermission } from '@kit.DataProtectionKit'; 176 177 dlpPermission.getDLPSupportedFileTypes((err, result) => { 178 console.log('getDLPSupportedFileTypes: ' + JSON.stringify(err)); 179 console.log('getDLPSupportedFileTypes: ' + JSON.stringify(result)); 180 }); 181 ``` 182 1837. Check whether the opened file is a DLP file. 184 185 ```ts 186 import { dlpPermission } from '@kit.DataProtectionKit'; 187 import { fileIo } from '@kit.CoreFileKit'; 188 import { BusinessError } from '@kit.BasicServicesKit'; 189 190 let uri = "file://docs/storage/Users/currentUser/Desktop/test.txt.dlp"; 191 let file = fileIo.openSync(uri); 192 try { 193 let res = dlpPermission.isDLPFile(file.fd); // Check whether the file is a DLP file. 194 console.info('res', res); 195 } catch (err) { 196 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 197 } 198 fileIo.closeSync(file); 199 ``` 200 2018. Subscribe to or unsubscribe from the DLP file open event. 202 203 ```ts 204 import { dlpPermission } from '@kit.DataProtectionKit'; 205 import { BusinessError } from '@kit.BasicServicesKit'; 206 207 class SubscribeExample { 208 event(info: dlpPermission.AccessedDLPFileInfo) { 209 console.info('openDlpFile event', info.uri, info.lastOpenTime) 210 } 211 unSubscribe() { 212 try { 213 dlpPermission.off('openDLPFile', this.event); // Unsubscribe from the file open event. 214 } catch (err) { 215 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 216 } 217 } 218 subscribe() { 219 try { 220 dlpPermission.on ('openDLPFile' , this.event); // Subscribe to the DLP file open event. 221 } catch (err) { 222 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 223 } 224 } 225 onCreate() { 226 this.subscribe(); 227 } 228 onDestroy() { 229 this.unSubscribe(); 230 } 231 } 232 ``` 233 2349. Obtain information about the DLP files that are recently accessed. 235 236 ```ts 237 import { dlpPermission } from '@kit.DataProtectionKit'; 238 import { BusinessError } from '@kit.BasicServicesKit'; 239 240 async function getDLPFileAccessRecords() { 241 try { 242 let res:Array<dlpPermission.AccessedDLPFileInfo> = await dlpPermission.getDLPFileAccessRecords(); // Obtain the list of recently accessed DLP files. 243 console.info('res', JSON.stringify(res)) 244 } catch (err) { 245 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 246 } 247 } 248 ``` 249 25010. Obtain information about the DLP sandbox applications in the retention state. 251 252 ```ts 253 import { dlpPermission } from '@kit.DataProtectionKit'; 254 import { BusinessError } from '@kit.BasicServicesKit'; 255 256 async function getRetentionSandboxList() { 257 try { 258 let res:Array<dlpPermission.RetentionSandboxInfo> = await dlpPermission.getRetentionSandboxList(); // Obtain the sandbox apps in the retention state. 259 console.info('res', JSON.stringify(res)) 260 } catch (err) { 261 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 262 } 263 } 264 ``` 265 26611. Set sandbox application configuration. 267 268 ```ts 269 import { dlpPermission } from '@kit.DataProtectionKit'; 270 import { BusinessError } from '@kit.BasicServicesKit'; 271 272 async function setSandboxAppConfig() { 273 try { 274 await dlpPermission.setSandboxAppConfig('configInfo'); // Set sandbox application configuration. 275 } catch (err) { 276 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 277 } 278 } 279 ``` 280 28112. Clear the sandbox application configuration. 282 283 ```ts 284 import { dlpPermission } from '@kit.DataProtectionKit'; 285 import { BusinessError } from '@kit.BasicServicesKit'; 286 287 async function cleanSandboxAppConfig() { 288 try { 289 await dlpPermission.cleanSandboxAppConfig(); // Clear the sandbox application configuration. 290 } catch (err) { 291 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 292 } 293 } 294 ``` 295 29613. Obtain the sandbox application configuration. 297 298 ```ts 299 import { dlpPermission } from '@kit.DataProtectionKit'; 300 import { BusinessError } from '@kit.BasicServicesKit'; 301 302 async function getSandboxAppConfig() { 303 try { 304 let res:string = await dlpPermission.getSandboxAppConfig(); // Obtain the sandbox application configuration. 305 console.info('res', JSON.stringify(res)) 306 } catch (err) { 307 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 308 } 309 } 310 ``` 311 31214. Start the DLP manager application in borderless mode. This API can be called only in the UIAbility context and supports only the stage model. 313 314 ```ts 315 import { dlpPermission } from '@kit.DataProtectionKit'; 316 import { common, Want } from '@kit.AbilityKit'; 317 import { UIContext } from '@kit.ArkUI'; 318 319 try { 320 let context = new UIContext().getHostContext() as common.UIAbilityContext; // Obtain the current UIAbilityContext. 321 let want: Want = { 322 "uri": "file://docs/storage/Users/currentUser/Desktop/1.txt", 323 "parameters": { 324 "displayName": "1.txt" 325 } 326 }; // Request parameters. 327 dlpPermission.startDLPManagerForResult(context, want).then((res) => { 328 console.info('res.resultCode', res.resultCode); 329 console.info('res.want', JSON.stringify(res.want)); 330 }); // Start the DLP manager application. 331 } catch (err) { 332 console.error('error', err.code, err.message); // Report an error upon a failure. 333 } 334 ``` 335 33615. Check whether the current system provides the DLP feature. 337 ```ts 338 import { dlpPermission } from '@kit.DataProtectionKit'; 339 import { BusinessError } from '@kit.BasicServicesKit'; 340 341 dlpPermission.isDLPFeatureProvided().then((res) => { 342 console.info('res', JSON.stringify(res)); 343 }).catch((err: BusinessError) => { 344 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 345 }); 346 ``` 347