1# DLP Service Development 2 3The Data Loss Prevention (DLP) service is a system solution provided to prevent leakage of sensitive data. It provides a file format called DLP. A DLP file consists of the original file in ciphertext and the authorization credential, and ".dlp" is added to the end of the original file name (including the file name extension), for example, **test.docx.dlp**. 4 5A DLP file can be accessed only after a device-cloud authentication (network connection required) is successful. The permissions for accessing a DLP file include the following: 6 7- Read-only: The user can only view the file. 8- Edit: The user can read and write the file, but cannot change the permission on the file. 9- Full control: The user can read and write the file, change the permission on the file, and restore the plaintext of the file. 10 11When an application accesses a DLP file, the system automatically installs a DLP sandbox application for the application. As a twin application of the application, the sandbox application inherits data and configuration from the application, but is isolated from the application. The twin application is running in a DLP sandbox, which is restricted from external access to prevent data leakage. Each time a DLP file is opened, a sandbox application is generated. The sandbox applications are also isolated from each other. When an application is closed, its sandbox application will be automatically uninstalled and the temporary data generated in the sandbox directory will be cleared. 12 13Normally, the application is unaware of the sandbox and accesses the file in plaintext, like accessing a common file. However, the DLP sandbox restricts the application from accessing external resources (such as the network, clipboard, screenshot capturing, screen recording, and Bluetooth). For better user experience, you need to make adaptation for your application. For example, for a read-only file, you'd better hide the **Save** button and disable automatic network connection. 14 15## Sandbox Restrictions 16 17For an application in the DLP sandbox state, the permissions granted to the application are restricted based on the permission on the DLP file. 18 19| Application Permission| Description| Read-Only| Edit/Full Control| 20| -------- | -------- | -------- | -------- | 21| ohos.permission.USE_BLUETOOTH | Allows an application to use Bluetooth.| Unavailable| Unavailable| 22| ohos.permission.INTERNET |Allows an application to access the Internet.| Unavailable| Unavailable| 23| ohos.permission.DISTRIBUTED_DATASYNC | Allows an application to exchange user data (such as images, music, videos, and application data) with another device.| Unavailable| Unavailable| 24| ohos.permission.WRITE_MEDIA | Allows an application to read and write media files, such as images, videos, and audio clips.| Unavailable| Available| 25| ohos.permission.NFC_TAG | Allows an application to use NFC.| Unavailable| Available| 26 27## Available APIs 28 29| API| Description| 30| -------- | -------- | 31| isDLPFile(fd: number): Promise<boolean> <br> isDLPFile(fd: number, callback: AsyncCallback<boolean>): void| Checks whether a file is a DLP file.| 32| getDLPPermissionInfo(): Promise<DLPPermissionInfo> <br>getDLPPermissionInfo(callback: AsyncCallback<DLPPermissionInfo>): void | Obtains the DLP permission information of this sandbox application.| 33| getOriginalFileName(fileName: string): string | Obtains the original name of a DLP file.| 34| getDLPSuffix(): string | Obtains the file name extension of this DLP file.| 35| on(type: 'openDLPFile', listener: Callback<AccessedDLPFileInfo>): void | Subscribes to the file open event of DLP files. The application will be notified when a DLP file is opened.| 36| off(type: 'openDLPFile', listener?: Callback<AccessedDLPFileInfo>): void | Unsubscribes from the file open event of DLP files.| 37| isInSandbox(): Promise<boolean> <br>isInSandbox(callback: AsyncCallback<boolean>): void | Checks whether this application is running in a sandbox.| 38| getDLPSupportedFileTypes(): Promise<Array<string>><br>getDLPSupportedFileTypes(callback: AsyncCallback<Array<string>>): void | Obtains the file name extension types that can be appended with .dlp.| 39| setRetentionState(docUris: Array<string>): Promise<void> <br> setRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Sets the sandbox application retention state. If the retention state is set for a DLP file, the sandbox application will not be automatically uninstalled when the DLP file is closed.| 40| cancelRetentionState(docUris: Array<string>): Promise<void><br> cancelRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Cancels the sandbox application retention state.| 41| getRetentionSandboxList(bundleName?: string): Promise<Array<RetentionSandboxInfo>> <br> getRetentionSandboxList(bundleName: string, callback: AsyncCallback<Array<RetentionSandboxInfo>>): void <br> getRetentionSandboxList(callback: AsyncCallback<Array<RetentionSandboxInfo>>): void| Obtains the sandbox applications in the retention state.| 42| getDLPFileAccessRecords(): Promise<Array<AccessedDLPFileInfo>> <br> getDLPFileAccessRecords(callback: AsyncCallback<Array<AccessedDLPFileInfo>>): void | Obtains the DLP files that are accessed recently.| 43|setSandboxAppConfig(configInfo: string): Promise<void>|Sets sandbox application configuration.| 44|getSandboxAppConfig(): Promise<string>|Obtains the sandbox application configuration.| 45|cleanSandboxAppConfig(): Promise<void>|Clears the sandbox application configuration.| 46| startDLPManagerForResult(context: common.UIAbilityContext, want: Want): Promise<DLPManagerResult> <br>| Starts the DLP manager application on the current UIAbility page in borderless mode (available only for the stage model).| 47 48## How to Develop 49 501. Import the [dlpPermission](../../reference/apis-data-protection-kit/js-apis-dlppermission.md) module. 51 52 ```ts 53 import { dlpPermission } from '@kit.DataProtectionKit'; 54 ``` 55 562. Open a DLP file. 57 58 The system automatically installs a DLP sandbox application for your application. <br>Add the following code to your application: 59 60 ```ts 61 async OpenDlpFile(dlpUri: string, fileName: string, fd: number) { 62 let want:Want = { 63 "action": "ohos.want.action.viewData", 64 "bundleName": "com.example.example_bundle_name", 65 "abilityName": "exampleAbility", 66 "uri": dlpUri, 67 "parameters": { 68 "fileName": { 69 "name": fileName 70 }, 71 "keyFd": { 72 "type": "FD", 73 "value": fd 74 } 75 } 76 } 77 78 try { 79 console.log('openDLPFile:' + JSON.stringify(want)); 80 console.log('openDLPFile: delegator:' + JSON.stringify(this.context)); 81 this.context.startAbility(want); 82 } catch (err) { 83 console.error('openDLPFile startAbility failed', (err as BusinessError).code, (err as BusinessError).message); 84 return; 85 } 86 } 87 ``` 88 89 Add **ohos.want.action.viewData** to the **module.json5** file. 90 91 ```json 92 "skills":[ 93 { 94 "entities":[ 95 ... 96 ], 97 "actions":[ 98 ... 99 "ohos.want.action.viewData" 100 ] 101 } 102 ] 103 ``` 104 1053. Generate a .dlp file. 106 107 Currently, the DLP feature supports the following file types: 108 109 ".doc", ".docm", ".docx", ".dot", ".dotm", ".dotx", ".odp", ".odt", ".pdf", ".pot", ".potm", ".potx", ".ppa", ".ppam", ".pps", ".ppsm", ".ppsx", ".ppt", ".pptm", ".pptx", ".rtf", ".txt", ".wps", ".xla", ".xlam", ".xls", ".xlsb", ".xlsm", ".xlsx", ".xlt", ".xltm", ".xltx", ".xlw", ".xml", ".xps" 110 111 Before you start, ensure that a file of the supported type that can be accessed by the application is available. For example, a file in the **Files** directory. 112 113 Start the DLP manager application in borderless mode. This API can be called only in the UIAbility context and supports only the stage model. Run the following code to open the permission settings page of the DLP manager application, enter the account information, and tap **Save**. On the page started by file Picker, select the directory to save the DLP file. [You need to implement the cloud module yourself](../DataProtectionKit/dlp-overview.md). 114 115 ```ts 116 import { common, Want } from '@kit.AbilityKit'; 117 import { BusinessError } from '@kit.BasicServicesKit'; 118 try { 119 let fileUri: string = "file://docs/storage/Users/currentUser/test.txt"; 120 let fileName: string = "test.txt"; 121 let context = getContext () as common.UIAbilityContext; // Obtain the UIAbility context. 122 let want: Want = { 123 'uri': fileUri, 124 'parameters': { 125 'displayName': fileName 126 } 127 }; // Request parameters. 128 dlpPermission.startDLPManagerForResult(context, want).then((res: dlpPermission.DLPManagerResult) => { 129 console.info('startDLPManagerForResult res.resultCode:' + res.resultCode); 130 console.info('startDLPManagerForResult res.want:' + JSON.stringify(res.want)); 131 }); // Start the DLP permission manager application to set permissions. 132 } catch (err) { 133 console.error('startDLPManagerForResult error:' + (err as BusinessError).code + (err as BusinessError).message); 134 } 135 ``` 136 1374. Check whether the application is running in a sandbox. 138 139 ```ts 140 dlpPermission.isInSandbox().then((data)=> { 141 console.log('isInSandbox, result: ' + JSON.stringify(data)); 142 }).catch((err:BusinessError) => { 143 console.log('isInSandbox: ' + JSON.stringify(err)); 144 }); 145 ``` 146 1475. Obtain the permissions on the file. The permissions of the DLP sandbox application vary with the user's permission on the file. For more information, see [Sandbox Restrictions](#sandbox-restrictions). 148 149 ```ts 150 dlpPermission.getDLPPermissionInfo().then((data)=> { 151 console.log('getDLPPermissionInfo, result: ' + JSON.stringify(data)); 152 }).catch((err:BusinessError) => { 153 console.log('getDLPPermissionInfo: ' + JSON.stringify(err)); 154 }); 155 ``` 156 1576. Obtain information about the file name extension types that support the DLP solution. Based on the information obtained, you can learn what types of files can be used to generate DLP files. 158 159 ```ts 160 dlpPermission.getDLPSupportedFileTypes((err, result) => { 161 console.log('getDLPSupportedFileTypes: ' + JSON.stringify(err)); 162 console.log('getDLPSupportedFileTypes: ' + JSON.stringify(result)); 163 }); 164 ``` 165 1667. Check whether the opened file is a DLP file. 167 168 ```ts 169 import { dlpPermission } from '@kit.DataProtectionKit'; 170 import { fileIo } from '@kit.CoreFileKit'; 171 import { BusinessError } from '@kit.BasicServicesKit'; 172 173 let uri = "file://docs/storage/Users/currentUser/Desktop/test.txt.dlp"; 174 let file = fileIo.openSync(uri); 175 try { 176 let res = dlpPermission.isDLPFile(file.fd); // Check whether the file is a DLP file. 177 console.info('res', res); 178 } catch (err) { 179 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 180 } 181 fileIo.closeSync(file); 182 ``` 183 1848. Subscribe to or unsubscribe from the DLP file open event. 185 186 ```ts 187 event(info: dlpPermission.AccessedDLPFileInfo) { 188 console.info('openDlpFile event', info.uri, info.lastOpenTime) 189 } 190 unSubscribe() { 191 try { 192 dlpPermission.off('openDLPFile', this.event); // Unsubscribe from the file open event. 193 } catch (err) { 194 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 195 } 196 } 197 subscribe() { 198 try { 199 dlpPermission.on ('openDLPFile' , this.event); // Subscribe to the DLP file open event. 200 } catch (err) { 201 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 202 } 203 } 204 onCreate() { 205 this.subscribe(); 206 } 207 onDestroy() { 208 this.unSubscribe(); 209 } 210 ``` 211 2129. Obtain information about the DLP files that are recently accessed. 213 214 ```ts 215 async getDLPFileAccessRecords() { 216 try { 217 let res:Array<dlpPermission.AccessedDLPFileInfo> = await dlpPermission.getDLPFileAccessRecords(); // Obtain the list of recently accessed DLP files. 218 console.info('res', JSON.stringify(res)) 219 } catch (err) { 220 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 221 } 222 } 223 ``` 224 22510. Obtain information about the DLP sandbox applications in the retention state. 226 227 ```ts 228 async getRetentionSandboxList() { 229 try { 230 let res:Array<dlpPermission.RetentionSandboxInfo> = await dlpPermission.getRetentionSandboxList(); // Obtain the sandbox applications in the retention state. 231 console.info('res', JSON.stringify(res)) 232 } catch (err) { 233 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 234 } 235 } 236 ``` 237 23811. Set sandbox application configuration. 239 240 ```ts 241 async setSandboxAppConfig() { 242 try { 243 await dlpPermission.setSandboxAppConfig('configInfo'); // Set sandbox application configuration. 244 } catch (err) { 245 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 246 } 247 } 248 ``` 249 25012. Clear the sandbox application configuration. 251 252 ```ts 253 async cleanSandboxAppConfig() { 254 try { 255 await dlpPermission.cleanSandboxAppConfig(); // Clear the sandbox application configuration. 256 } catch (err) { 257 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 258 } 259 } 260 ``` 261 26213. Obtain the sandbox application configuration. 263 264 ```ts 265 async getSandboxAppConfig() { 266 try { 267 let res:string = await dlpPermission.getSandboxAppConfig(); // Obtain the sandbox application configuration. 268 console.info('res', JSON.stringify(res)) 269 } catch (err) { 270 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 271 } 272 } 273 ``` 274 27514. Start the DLP manager application in borderless mode. This API can be called only in the UIAbility context and supports only the stage model. 276 277 ```ts 278 import { dlpPermission } from '@kit.DataProtectionKit'; 279 import { common, UIAbility, AbilityConstant, Want } from '@kit.AbilityKit'; 280 import { BusinessError } from '@kit.BasicServicesKit'; 281 282 try { 283 let context = getContext () as common.UIAbilityContext; // Obtain the UIAbility context. 284 let want: Want = { 285 "uri": "file://docs/storage/Users/currentUser/Desktop/1.txt", 286 "parameters": { 287 "displayName": "1.txt" 288 } 289 }; // Request parameters. 290 dlpPermission.startDLPManagerForResult(context, want).then((res) => { 291 console.info('res.resultCode', res.resultCode); 292 console.info('res.want', JSON.stringify(res.want)); 293 }); // Start the DLP manager application. 294 } catch (err) { 295 console.error('error', err.code, err.message); // Report an error upon a failure. 296 } 297 ``` 298 29915. Check whether the current system provides the DLP feature. 300 ```ts 301 import { dlpPermission } from '@kit.DataProtectionKit'; 302 import { BusinessError } from '@kit.BasicServicesKit'; 303 304 dlpPermission.isDLPFeatureProvided().then((res) => { 305 console.info('res', JSON.stringify(res)); 306 }).catch((err: BusinessError) => { 307 console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 308 }); 309 ``` 310