1e41f4b71Sopenharmony_ci# DLP Service Development 2e41f4b71Sopenharmony_ci 3e41f4b71Sopenharmony_ciThe Data Loss Prevention (DLP) service is a system solution provided to prevent leakage of sensitive data. It provides a file format called DLP. A DLP file consists of the original file in ciphertext and the authorization credential, and ".dlp" is added to the end of the original file name (including the file name extension), for example, **test.docx.dlp**. 4e41f4b71Sopenharmony_ci 5e41f4b71Sopenharmony_ciA DLP file can be accessed only after a device-cloud authentication (network connection required) is successful. The permissions for accessing a DLP file include the following: 6e41f4b71Sopenharmony_ci 7e41f4b71Sopenharmony_ci- Read-only: The user can only view the file. 8e41f4b71Sopenharmony_ci- Edit: The user can read and write the file, but cannot change the permission on the file. 9e41f4b71Sopenharmony_ci- Full control: The user can read and write the file, change the permission on the file, and restore the plaintext of the file. 10e41f4b71Sopenharmony_ci 11e41f4b71Sopenharmony_ciWhen an app accesses a DLP file, the system automatically installs a DLP sandbox app for the app. As a twin app of the app, the sandbox app inherits data and configuration from the app, but is isolated from the app. The twin app is running in a DLP sandbox, which is restricted from external access to prevent data leakage. Each time a DLP file is opened, a sandbox app is generated. The sandbox apps are also isolated from each other. When an app is closed, its sandbox app will be automatically uninstalled and the temporary data generated in the sandbox directory will be cleared. 12e41f4b71Sopenharmony_ci 13e41f4b71Sopenharmony_ciNormally, the app is unaware of the sandbox and accesses the file in plaintext, like accessing a common file. However, the DLP sandbox restricts the app from accessing external resources (such as the network, clipboard, screenshot capturing, screen recording, and Bluetooth). For better user experience, you need to make adaptation for your app. For example, for a read-only file, you'd better hide the **Save** button and disable automatic network connection. 14e41f4b71Sopenharmony_ci 15e41f4b71Sopenharmony_ci## Sandbox Restrictions 16e41f4b71Sopenharmony_ci 17e41f4b71Sopenharmony_ciFor an app in the DLP sandbox state, the permissions granted to the app are restricted based on the permission on the DLP file. 18e41f4b71Sopenharmony_ci 19e41f4b71Sopenharmony_ci| App Permission | Description | Read-Only | Edit/Full Control | 20e41f4b71Sopenharmony_ci| -------- | -------- | -------- | -------- | 21e41f4b71Sopenharmony_ci| ohos.permission.USE_BLUETOOTH | Allows an app to use Bluetooth. | Unavailable | Unavailable | 22e41f4b71Sopenharmony_ci| ohos.permission.INTERNET |Allows an app to access the Internet. | Unavailable | Unavailable | 23e41f4b71Sopenharmony_ci| ohos.permission.DISTRIBUTED_DATASYNC | Allows an app to exchange user data (such as images, music, videos, and app data) with another device. | Unavailable | Unavailable | 24e41f4b71Sopenharmony_ci| ohos.permission.WRITE_MEDIA | Allows an app to read and write media files, such as images, videos, and audio clips. | Unavailable | Available | 25e41f4b71Sopenharmony_ci| ohos.permission.NFC_TAG | Allows an app to use NFC. | Unavailable | Available | 26e41f4b71Sopenharmony_ci 27e41f4b71Sopenharmony_ci## Available APIs 28e41f4b71Sopenharmony_ci 29e41f4b71Sopenharmony_ci| API | Description | 30e41f4b71Sopenharmony_ci| -------- | -------- | 31e41f4b71Sopenharmony_ci| isDLPFile(fd: number): Promise<boolean> <br> isDLPFile(fd: number, callback: AsyncCallback<boolean>): void| Checks whether a file is a DLP file. | 32e41f4b71Sopenharmony_ci| getDLPPermissionInfo(): Promise<DLPPermissionInfo> <br>getDLPPermissionInfo(callback: AsyncCallback<DLPPermissionInfo>): void | Obtains the DLP permission information of this sandbox app. | 33e41f4b71Sopenharmony_ci| getOriginalFileName(fileName: string): string | Obtains the original name of a DLP file. | 34e41f4b71Sopenharmony_ci| getDLPSuffix(): string | Obtains the file name extension of this DLP file. | 35e41f4b71Sopenharmony_ci| on(type: 'openDLPFile', listener: Callback<AccessedDLPFileInfo>): void | Subscribes to the file open event of DLP files. The app will be notified when a DLP file is opened. | 36e41f4b71Sopenharmony_ci| off(type: 'openDLPFile', listener?: Callback<AccessedDLPFileInfo>): void | Unsubscribes from the file open event of DLP files. | 37e41f4b71Sopenharmony_ci| isInSandbox(): Promise<boolean> <br>isInSandbox(callback: AsyncCallback<boolean>): void | Checks whether this app is running in a sandbox. | 38e41f4b71Sopenharmony_ci| getDLPSupportedFileTypes(): Promise<Array<string>><br>getDLPSupportedFileTypes(callback: AsyncCallback<Array<string>>): void | Obtains the file name extension types that can be appended with .dlp. | 39e41f4b71Sopenharmony_ci| setRetentionState(docUris: Array<string>): Promise<void> <br> setRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Sets the sandbox app retention state. If the retention state is set for a DLP file, the sandbox app will not be automatically uninstalled when the DLP file is closed. | 40e41f4b71Sopenharmony_ci| cancelRetentionState(docUris: Array<string>): Promise<void><br> cancelRetentionState(docUris: Array<string>, callback: AsyncCallback<void>): void | Cancels the sandbox app retention state. | 41e41f4b71Sopenharmony_ci| getRetentionSandboxList(bundleName?: string): Promise<Array<RetentionSandboxInfo>> <br> getRetentionSandboxList(bundleName: string, callback: AsyncCallback<Array<RetentionSandboxInfo>>): void <br> getRetentionSandboxList(callback: AsyncCallback<Array<RetentionSandboxInfo>>): void| Obtains the sandbox apps in the retention state. | 42e41f4b71Sopenharmony_ci| getDLPFileAccessRecords(): Promise<Array<AccessedDLPFileInfo>> <br> getDLPFileAccessRecords(callback: AsyncCallback<Array<AccessedDLPFileInfo>>): void | Obtains the DLP files that are accessed recently. | 43e41f4b71Sopenharmony_ci|setSandboxAppConfig(configInfo: string): Promise<void>|Sets sandbox app configuration.| 44e41f4b71Sopenharmony_ci|getSandboxAppConfig(): Promise<string>|Obtains the sandbox app configuration.| 45e41f4b71Sopenharmony_ci|cleanSandboxAppConfig(): Promise<void>|Clears the sandbox app configuration.| 46e41f4b71Sopenharmony_ci| startDLPManagerForResult(context: common.UIAbilityContext, want: Want): Promise<DLPManagerResult> <br> | Starts the DLP manager app on the current UIAbility page in borderless mode (available only for the stage model). | 47e41f4b71Sopenharmony_ci 48e41f4b71Sopenharmony_ci## How to Develop 49e41f4b71Sopenharmony_ci 50e41f4b71Sopenharmony_ci1. Import the [dlpPermission](../../reference/apis-data-protection-kit/js-apis-dlppermission.md) module. 51e41f4b71Sopenharmony_ci 52e41f4b71Sopenharmony_ci ```ts 53e41f4b71Sopenharmony_ci import { dlpPermission } from '@kit.DataProtectionKit'; 54e41f4b71Sopenharmony_ci ``` 55e41f4b71Sopenharmony_ci 56e41f4b71Sopenharmony_ci2. Open a DLP file. The system automatically installs a DLP sandbox app for your app. <br>Add the following code to your app: 57e41f4b71Sopenharmony_ci 58e41f4b71Sopenharmony_ci ```ts 59e41f4b71Sopenharmony_ci async OpenDlpFile(dlpUri: string, fileName: string, fd: number) { 60e41f4b71Sopenharmony_ci let want:Want = { 61e41f4b71Sopenharmony_ci "action": "ohos.want.action.viewData", 62e41f4b71Sopenharmony_ci "bundleName": "com.example.example_bundle_name", 63e41f4b71Sopenharmony_ci "abilityName": "exampleAbility", 64e41f4b71Sopenharmony_ci "uri": dlpUri, 65e41f4b71Sopenharmony_ci "parameters": { 66e41f4b71Sopenharmony_ci "fileName": { 67e41f4b71Sopenharmony_ci "name": fileName 68e41f4b71Sopenharmony_ci }, 69e41f4b71Sopenharmony_ci "keyFd": { 70e41f4b71Sopenharmony_ci "type": "FD", 71e41f4b71Sopenharmony_ci "value": fd 72e41f4b71Sopenharmony_ci } 73e41f4b71Sopenharmony_ci } 74e41f4b71Sopenharmony_ci } 75e41f4b71Sopenharmony_ci 76e41f4b71Sopenharmony_ci try { 77e41f4b71Sopenharmony_ci console.log('openDLPFile:' + JSON.stringify(want)); 78e41f4b71Sopenharmony_ci console.log('openDLPFile: delegator:' + JSON.stringify(this.context)); 79e41f4b71Sopenharmony_ci this.context.startAbility(want); 80e41f4b71Sopenharmony_ci } catch (err) { 81e41f4b71Sopenharmony_ci console.error('openDLPFile startAbility failed', (err as BusinessError).code, (err as BusinessError).message); 82e41f4b71Sopenharmony_ci return; 83e41f4b71Sopenharmony_ci } 84e41f4b71Sopenharmony_ci } 85e41f4b71Sopenharmony_ci ``` 86e41f4b71Sopenharmony_ci 87e41f4b71Sopenharmony_ci Add **ohos.want.action.viewData** to the **module.json5** file. 88e41f4b71Sopenharmony_ci 89e41f4b71Sopenharmony_ci ```json 90e41f4b71Sopenharmony_ci "skills":[ 91e41f4b71Sopenharmony_ci { 92e41f4b71Sopenharmony_ci "entities":[ 93e41f4b71Sopenharmony_ci ... 94e41f4b71Sopenharmony_ci ], 95e41f4b71Sopenharmony_ci "actions":[ 96e41f4b71Sopenharmony_ci ... 97e41f4b71Sopenharmony_ci "ohos.want.action.viewData" 98e41f4b71Sopenharmony_ci ] 99e41f4b71Sopenharmony_ci } 100e41f4b71Sopenharmony_ci ] 101e41f4b71Sopenharmony_ci ``` 102e41f4b71Sopenharmony_ci 103e41f4b71Sopenharmony_ci3. Check whether the app is running in a sandbox. 104e41f4b71Sopenharmony_ci 105e41f4b71Sopenharmony_ci ```ts 106e41f4b71Sopenharmony_ci dlpPermission.isInSandbox().then((data)=> { 107e41f4b71Sopenharmony_ci console.log('isInSandbox, result: ' + JSON.stringify(data)); 108e41f4b71Sopenharmony_ci }).catch((err:BusinessError) => { 109e41f4b71Sopenharmony_ci console.log('isInSandbox: ' + JSON.stringify(err)); 110e41f4b71Sopenharmony_ci }); 111e41f4b71Sopenharmony_ci ``` 112e41f4b71Sopenharmony_ci 113e41f4b71Sopenharmony_ci4. Obtain the permissions on the file. The permissions of the DLP sandbox app vary with the user's permission on the file. For more information, see [Sandbox Restrictions](#sandbox-restrictions). 114e41f4b71Sopenharmony_ci 115e41f4b71Sopenharmony_ci ```ts 116e41f4b71Sopenharmony_ci dlpPermission.getDLPPermissionInfo().then((data)=> { 117e41f4b71Sopenharmony_ci console.log('getDLPPermissionInfo, result: ' + JSON.stringify(data)); 118e41f4b71Sopenharmony_ci }).catch((err:BusinessError) => { 119e41f4b71Sopenharmony_ci console.log('getDLPPermissionInfo: ' + JSON.stringify(err)); 120e41f4b71Sopenharmony_ci }); 121e41f4b71Sopenharmony_ci ``` 122e41f4b71Sopenharmony_ci 123e41f4b71Sopenharmony_ci5. Obtain information about the file name extension types that support the DLP solution. Based on the information obtained, you can learn what types of files can be used to generate DLP files. 124e41f4b71Sopenharmony_ci 125e41f4b71Sopenharmony_ci ```ts 126e41f4b71Sopenharmony_ci dlpPermission.getDLPSupportedFileTypes((err, result) => { 127e41f4b71Sopenharmony_ci console.log('getDLPSupportedFileTypes: ' + JSON.stringify(err)); 128e41f4b71Sopenharmony_ci console.log('getDLPSupportedFileTypes: ' + JSON.stringify(result)); 129e41f4b71Sopenharmony_ci }); 130e41f4b71Sopenharmony_ci ``` 131e41f4b71Sopenharmony_ci 132e41f4b71Sopenharmony_ci6. Check whether the opened file is a DLP file. 133e41f4b71Sopenharmony_ci 134e41f4b71Sopenharmony_ci ```ts 135e41f4b71Sopenharmony_ci import { dlpPermission } from '@kit.DataProtectionKit'; 136e41f4b71Sopenharmony_ci import { fileIo } from '@kit.CoreFileKit'; 137e41f4b71Sopenharmony_ci import { BusinessError } from '@kit.BasicServicesKit'; 138e41f4b71Sopenharmony_ci 139e41f4b71Sopenharmony_ci let uri = "file://docs/storage/Users/currentUser/Desktop/test.txt.dlp"; 140e41f4b71Sopenharmony_ci let file = fileIo.openSync(uri); 141e41f4b71Sopenharmony_ci try { 142e41f4b71Sopenharmony_ci let res = dlpPermission.isDLPFile(file.fd); // Check whether the file is a DLP file. 143e41f4b71Sopenharmony_ci console.info('res', res); 144e41f4b71Sopenharmony_ci } catch (err) { 145e41f4b71Sopenharmony_ci console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 146e41f4b71Sopenharmony_ci } 147e41f4b71Sopenharmony_ci fileIo.closeSync(file); 148e41f4b71Sopenharmony_ci ``` 149e41f4b71Sopenharmony_ci 150e41f4b71Sopenharmony_ci7. Subscribe to or unsubscribe from the DLP file open event. 151e41f4b71Sopenharmony_ci 152e41f4b71Sopenharmony_ci ```ts 153e41f4b71Sopenharmony_ci event(info: dlpPermission.AccessedDLPFileInfo) { 154e41f4b71Sopenharmony_ci console.info('openDlpFile event', info.uri, info.lastOpenTime) 155e41f4b71Sopenharmony_ci } 156e41f4b71Sopenharmony_ci unSubscribe() { 157e41f4b71Sopenharmony_ci try { 158e41f4b71Sopenharmony_ci dlpPermission.off('openDLPFile', this.event); // Unsubscribe from the file open event. 159e41f4b71Sopenharmony_ci } catch (err) { 160e41f4b71Sopenharmony_ci console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 161e41f4b71Sopenharmony_ci } 162e41f4b71Sopenharmony_ci } 163e41f4b71Sopenharmony_ci subscribe() { 164e41f4b71Sopenharmony_ci try { 165e41f4b71Sopenharmony_ci dlpPermission.on ('openDLPFile' , this.event); // Subscribe to the DLP file open event. 166e41f4b71Sopenharmony_ci } catch (err) { 167e41f4b71Sopenharmony_ci console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 168e41f4b71Sopenharmony_ci } 169e41f4b71Sopenharmony_ci } 170e41f4b71Sopenharmony_ci onCreate() { 171e41f4b71Sopenharmony_ci this.subscribe(); 172e41f4b71Sopenharmony_ci } 173e41f4b71Sopenharmony_ci onDestroy() { 174e41f4b71Sopenharmony_ci this.unSubscribe(); 175e41f4b71Sopenharmony_ci } 176e41f4b71Sopenharmony_ci ``` 177e41f4b71Sopenharmony_ci 178e41f4b71Sopenharmony_ci8. Obtain information about the DLP files that are recently accessed. 179e41f4b71Sopenharmony_ci 180e41f4b71Sopenharmony_ci ```ts 181e41f4b71Sopenharmony_ci async getDLPFileAccessRecords() { 182e41f4b71Sopenharmony_ci try { 183e41f4b71Sopenharmony_ci let res:Array<dlpPermission.AccessedDLPFileInfo> = await dlpPermission.getDLPFileAccessRecords(); // Obtain the list of recently accessed DLP files. 184e41f4b71Sopenharmony_ci console.info('res', JSON.stringify(res)) 185e41f4b71Sopenharmony_ci } catch (err) { 186e41f4b71Sopenharmony_ci console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 187e41f4b71Sopenharmony_ci } 188e41f4b71Sopenharmony_ci } 189e41f4b71Sopenharmony_ci ``` 190e41f4b71Sopenharmony_ci 191e41f4b71Sopenharmony_ci9. Obtain information about the DLP sandbox apps in the retention state. 192e41f4b71Sopenharmony_ci 193e41f4b71Sopenharmony_ci ```ts 194e41f4b71Sopenharmony_ci async getRetentionSandboxList() { 195e41f4b71Sopenharmony_ci try { 196e41f4b71Sopenharmony_ci let res:Array<dlpPermission.RetentionSandboxInfo> = await dlpPermission.getRetentionSandboxList(); // Obtain the sandbox apps in the retention state. 197e41f4b71Sopenharmony_ci console.info('res', JSON.stringify(res)) 198e41f4b71Sopenharmony_ci } catch (err) { 199e41f4b71Sopenharmony_ci console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 200e41f4b71Sopenharmony_ci } 201e41f4b71Sopenharmony_ci } 202e41f4b71Sopenharmony_ci ``` 203e41f4b71Sopenharmony_ci 204e41f4b71Sopenharmony_ci10. Set sandbox app configuration. 205e41f4b71Sopenharmony_ci 206e41f4b71Sopenharmony_ci ```ts 207e41f4b71Sopenharmony_ci async setSandboxAppConfig() { 208e41f4b71Sopenharmony_ci try { 209e41f4b71Sopenharmony_ci await dlpPermission.setSandboxAppConfig('configInfo'); // Set sandbox app configuration. 210e41f4b71Sopenharmony_ci } catch (err) { 211e41f4b71Sopenharmony_ci console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 212e41f4b71Sopenharmony_ci } 213e41f4b71Sopenharmony_ci } 214e41f4b71Sopenharmony_ci ``` 215e41f4b71Sopenharmony_ci 216e41f4b71Sopenharmony_ci11. Clear the sandbox app configuration. 217e41f4b71Sopenharmony_ci 218e41f4b71Sopenharmony_ci ```ts 219e41f4b71Sopenharmony_ci async cleanSandboxAppConfig() { 220e41f4b71Sopenharmony_ci try { 221e41f4b71Sopenharmony_ci await dlpPermission.cleanSandboxAppConfig(); // Clear the sandbox app configuration. 222e41f4b71Sopenharmony_ci } catch (err) { 223e41f4b71Sopenharmony_ci console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 224e41f4b71Sopenharmony_ci } 225e41f4b71Sopenharmony_ci } 226e41f4b71Sopenharmony_ci ``` 227e41f4b71Sopenharmony_ci 228e41f4b71Sopenharmony_ci12. Obtain the sandbox app configuration. 229e41f4b71Sopenharmony_ci 230e41f4b71Sopenharmony_ci ```ts 231e41f4b71Sopenharmony_ci async getSandboxAppConfig() { 232e41f4b71Sopenharmony_ci try { 233e41f4b71Sopenharmony_ci let res:string = await dlpPermission.getSandboxAppConfig(); // Obtain the sandbox app configuration. 234e41f4b71Sopenharmony_ci console.info('res', JSON.stringify(res)) 235e41f4b71Sopenharmony_ci } catch (err) { 236e41f4b71Sopenharmony_ci console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 237e41f4b71Sopenharmony_ci } 238e41f4b71Sopenharmony_ci } 239e41f4b71Sopenharmony_ci ``` 240e41f4b71Sopenharmony_ci 241e41f4b71Sopenharmony_ci13. Start the DLP manager app in borderless mode. This API can be called only in the UIAbility context and supports only the stage model. 242e41f4b71Sopenharmony_ci 243e41f4b71Sopenharmony_ci ```ts 244e41f4b71Sopenharmony_ci import { dlpPermission } from '@kit.DataProtectionKit'; 245e41f4b71Sopenharmony_ci import { common, UIAbility, AbilityConstant, Want } from '@kit.AbilityKit'; 246e41f4b71Sopenharmony_ci import { BusinessError } from '@kit.BasicServicesKit'; 247e41f4b71Sopenharmony_ci 248e41f4b71Sopenharmony_ci try { 249e41f4b71Sopenharmony_ci let context = getContext () as common.UIAbilityContext; // Obtain the UIAbility context. 250e41f4b71Sopenharmony_ci let want: Want = { 251e41f4b71Sopenharmony_ci "uri": "file://docs/storage/Users/currentUser/Desktop/1.txt", 252e41f4b71Sopenharmony_ci "parameters": { 253e41f4b71Sopenharmony_ci "displayName": "1.txt" 254e41f4b71Sopenharmony_ci } 255e41f4b71Sopenharmony_ci }; // Request parameters. 256e41f4b71Sopenharmony_ci dlpPermission.startDLPManagerForResult(context, want).then((res) => { 257e41f4b71Sopenharmony_ci console.info('res.resultCode', res.resultCode); 258e41f4b71Sopenharmony_ci console.info('res.want', JSON.stringify(res.want)); 259e41f4b71Sopenharmony_ci }); // Start the DLP manager app. 260e41f4b71Sopenharmony_ci } catch (err) { 261e41f4b71Sopenharmony_ci console.error('error', err.code, err.message); // Report an error upon a failure. 262e41f4b71Sopenharmony_ci } 263e41f4b71Sopenharmony_ci ``` 264e41f4b71Sopenharmony_ci 265e41f4b71Sopenharmony_ci14. Check whether the current system provides the DLP feature. 266e41f4b71Sopenharmony_ci ```ts 267e41f4b71Sopenharmony_ci import { dlpPermission } from '@kit.DataProtectionKit'; 268e41f4b71Sopenharmony_ci import { BusinessError } from '@kit.BasicServicesKit'; 269e41f4b71Sopenharmony_ci 270e41f4b71Sopenharmony_ci dlpPermission.isDLPFeatureProvided().then((res) => { 271e41f4b71Sopenharmony_ci console.info('res', JSON.stringify(res)); 272e41f4b71Sopenharmony_ci }).catch((err: BusinessError) => { 273e41f4b71Sopenharmony_ci console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Throw an error if the operation fails. 274e41f4b71Sopenharmony_ci }); 275e41f4b71Sopenharmony_ci ``` 276