1# DLP Development 2 3Data loss prevention (DLP) is a system solution provided by OpenHarmony to prevent data disclosure. It provides a file format called DLP. The DLP file name consists of the original file name including the file name extension and **.dlp**, for example, **test.docx.dlp**. The DLP file consists of the authorization credential and the original file in ciphertext. 4 5The DLP file can be accessed only after a device-cloud synergy authentication (network connection required) is successful. The authorized user can have any of the following permissions on the file: 6- Read-only: The user can read the file only. 7- Edit: The user can read and write the file content, but cannot modify the permissions on the file. 8- Full control: The user can read and write the file, modify the permissions on the file, and restore the plaintext of the file. 9 10When an application needs to access a DLP file, the system automatically installs a DLP sandbox twin application for the application. The twin application is a completely independent application. It inherits data and configuration from the application, but is isolated from the application. The twin application is running in a DLP sandbox environment. External access permissions are restricted to prevent data leakage. Each time a new DLP file is opened, an application twin is generated. The sandbox applications are also isolated from each other. When an application is closed, the application twin is automatically uninstalled and the temporary data generated during the sandbox is cleared. 11 12Normally, the application is unaware of the sandbox and accesses the file in plaintext, like accessing a common file. The DLP sandbox restricts access permissions (such as network access, clipboard, and Bluetooth). Your application needs to be adapted for better user experience. For example, hide the **Save** button and disable automatic network connection if a file is read-only. 13 14 15## Sandbox Restrictions 16 17When an application is in the DLP sandbox state, the available permissions are restricted based on the permission on the DLP file. 18 19| Permission| Description| Read Only| Edit/Full Control| 20| -------- | -------- | -------- | -------- | 21| ohos.permission.USE_BLUETOOTH | Allows an application to use Bluetooth.| Forbidden| Forbidden| 22| ohos.permission.INTERNET |Allows an application to access the Internet.| Forbidden| Forbidden| 23| ohos.permission.DISTRIBUTED_DATASYNC | Allows an application to exchange user data (such as images, music, videos, and application data) with another device.| Forbidden| Forbidden| 24| ohos.permission.WRITE_MEDIA | Allows an application to read and write media files, such as video and audio clips and images.| Forbidden| Allowed| 25| ohos.permission.CAPTURE_SCREEN | Allows an application to take screenshots.| Forbidden| Allowed| 26| ohos.permission.NFC_TAG | Allows an application to use NFC.| Forbidden| Allowed| 27 28 29## Available APIs 30 31| API| Description| 32| -------- | -------- | 33| isDLPFile(fd: number): Promise<boolean> <br> isDLPFile(fd: number, callback: AsyncCallback<boolean>): void| Checks whether a file is a DLP file.| 34| getDLPPermissionInfo(): Promise<DLPPermissionInfo> <br>getDLPPermissionInfo(callback: AsyncCallback<DLPPermissionInfo>): void | Obtains the permission type of this sandbox application.| 35| getOriginalFileName(fileName: string): string | Obtains the original name of a DLP file.| 36| getDLPSuffix(): string | Obtains the file name extension of a DLP file.| 37| on(type: 'openDLPFile', listener: Callback<AccessedDLPFileInfo>): void | Subscribes to a file open event of a DLP file. The application will be notified when the DLP file is opened.| 38| off(type: 'openDLPFile', listener?: Callback<AccessedDLPFileInfo>): void | Unsubscribes from the file open event of a DLP file.| 39| isInSandbox(): Promise<boolean> <br>isInSandbox(callback: AsyncCallback<boolean>): void | Checks whether this application is running in a sandbox.| 40| getDLPSupportedFileTypes(): Promise<Array<string>><br>getDLPSupportedFileTypes(callback: AsyncCallback<Array<string>>): void | Obtains the file name extension types that can be added with the .dlp.| 41| setRetentionState(docUris: Array<string>): Promise<void> <br> setRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Sets the retention state for the twin application.| 42| cancelRetentionState(docUris: Array<string>): Promise<void><br> cancelRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Cancels the retention state for the twin application.| 43| getRetentionSandboxList(bundleName?: string): Promise<Array<RetentionSandboxInfo>> <br> getRetentionSandboxList(bundleName: string, callback: AsyncCallback<Array<RetentionSandboxInfo>>): void <br> getRetentionSandboxList(callback: AsyncCallback<Array<RetentionSandboxInfo>>): void| Obtains the sandbox applications in the retention state.| 44| getDLPFileAccessRecords(): Promise<Array<AccessedDLPFileInfo>> <br> getDLPFileAccessRecords(callback: AsyncCallback<Array<AccessedDLPFileInfo>>): void | Obtains the DLP files that are accessed recently.| 45 46 47## How to Develop 48 49Procedure 50 511. Import the **dlpPermission** module. 52 53 ```ts 54 import dlpPermission from '@ohos.dlpPermission'; 55 ``` 56 572. Check whether the application is running in a sandbox. 58 ```ts 59 dlpPermission.isInSandbox().then((data)=> { 60 console.log('isInSandbox, result: ' + JSON.stringify(data)); 61 }).catch((err) => { 62 console.log("isInSandbox: " + JSON.stringify(err)); 63 }); 64 ``` 65 663. Obtain the permissions on the file. For more information, see [Sandbox Restrictions](#sandbox-restrictions). 67 68 ```ts 69 dlpPermission.getDLPPermissionInfo().then((data)=> { 70 console.log('getDLPPermissionInfo, result: ' + JSON.stringify(data)); 71 }).catch((err) => { 72 console.log("getDLPPermissionInfo: " + JSON.stringify(err)); 73 }); 74 ``` 75 764. Obtain information about the file name extension types that support the DLP solution. Based on the information obtained, you can learn the types of files that be used to generate DLP files. 77 78 ```ts 79 dlpPermission.getDLPSupportedFileTypes((err, result) => { 80 console.log("getDLPSupportedFileTypes: " + JSON.stringify(err)); 81 console.log('getDLPSupportedFileTypes: ' + JSON.stringify(result)); 82 }); 83 ``` 84 855. Check whether the opened file is a DLP file. 86 87 ```ts 88 let file = fs.openSync(uri); 89 try { 90 let res = await dlpPermission.isDLPFile(file.fd); // Check whether the file is a DLP file. 91 console.info('res', res); 92 } catch (err) { 93 console.error('error', err.code, err.message); // Error reported if the operation fails. 94 } 95 fs.closeSync(file); 96 ``` 97 986. Subscribe to and unsubscribe from the file open event for a DLP file. 99 100 ```ts 101 event(info: dlpPermission.VisitedDLPFileInfo) { 102 console.info('openDlpFile event', info.uri, info.recentOpenTime) 103 } 104 unSubscribe() { 105 try { 106 dlpPermission.off('openDLPFile', this.event); // Unsubscribe from the file open event. 107 } catch (err) { 108 console.error('error', err.code, err.message); // Error reported if the operation fails. 109 } 110 } 111 subscribe() { 112 try { 113 dlpPermission.on ('openDLPFile' , this.event); // Subscribe to a file open event. 114 } catch (err) { 115 console.error('error', err.code, err.message); // Error reported if the operation fails. 116 } 117 } 118 async func() { 119 this.subscribe(); 120 this.unSubscribe(); 121 } 122 ``` 123 1247. Obtain information about the DLP files that are recently accessed. 125 126 ```ts 127 async func() { 128 try { 129 let res:Array<dlpPermission.VisitedDLPFileInfo> = await dlpPermission.getDLPFileAccessRecords(); // Obtain the list of recently accessed DLP files. 130 console.info('res', JSON.stringify(res)) 131 } catch (err) { 132 console.error('error', err.code, err.message); // Error reported if the operation fails. 133 } 134 } 135 ``` 136 1378. Obtain information about the DLP sandbox applications in the retention state. 138 139 ```ts 140 async func() { 141 try { 142 let res:Array<dlpPermission.VisitedDLPFileInfo> = await dlpPermission.getRetentionSandboxList(); // Obtain the DLP sandbox applications in the retention state. 143 console.info('res', JSON.stringify(res)) 144 } catch (err) { 145 console.error('error', err.code, err.message); // Error reported if the operation fails. 146 } 147 } 148 ``` 149