DLP Development

Data loss prevention (DLP) is a system solution provided by OpenHarmony to prevent data disclosure. It provides a file format called DLP. The DLP file name consists of the original file name including the file name extension and .dlp, for example, test.docx.dlp. The DLP file consists of the authorization credential and the original file in ciphertext.

The DLP file can be accessed only after a device-cloud synergy authentication (network connection required) is successful. The authorized user can have any of the following permissions on the file:

• Read-only: The user can read the file only.
• Edit: The user can read and write the file content, but cannot modify the permissions on the file.
• Full control: The user can read and write the file, modify the permissions on the file, and restore the plaintext of the file.

When an application needs to access a DLP file, the system automatically installs a DLP sandbox twin application for the application. The twin application is a completely independent application. It inherits data and configuration from the application, but is isolated from the application. The twin application is running in a DLP sandbox environment. External access permissions are restricted to prevent data leakage. Each time a new DLP file is opened, an application twin is generated. The sandbox applications are also isolated from each other. When an application is closed, the application twin is automatically uninstalled and the temporary data generated during the sandbox is cleared.

Normally, the application is unaware of the sandbox and accesses the file in plaintext, like accessing a common file. The DLP sandbox restricts access permissions (such as network access, clipboard, and Bluetooth). Your application needs to be adapted for better user experience. For example, hide the Save button and disable automatic network connection if a file is read-only.

Sandbox Restrictions

When an application is in the DLP sandbox state, the available permissions are restricted based on the permission on the DLP file.

Available APIs

How to Develop

Procedure

1. Import the dlpPermission module.

   import dlpPermission from '@ohos.dlpPermission';

1. Check whether the application is running in a sandbox.

   dlpPermission.isInSandbox().then((data)=> { 
     console.log('isInSandbox, result: ' + JSON.stringify(data));
   }).catch((err:BusinessError) => {
     console.log("isInSandbox: "  + JSON.stringify(err));
   });

1. Obtain the permissions on the file. For more information, see Sandbox Restrictions.

   dlpPermission.getDLPPermissionInfo().then((data)=> { 
     console.log('getDLPPermissionInfo, result: ' + JSON.stringify(data));
   }).catch((err:BusinessError) => {
     console.log("getDLPPermissionInfo: "  + JSON.stringify(err));
   });

1. Obtain information about the file name extension types that support the DLP solution. Based on the information obtained, you can learn the types of files that be used to generate DLP files.

   dlpPermission.getDLPSupportedFileTypes((err, result) => { 
     console.log("getDLPSupportedFileTypes: " + JSON.stringify(err));
     console.log('getDLPSupportedFileTypes: ' + JSON.stringify(result));
   });

1. Check whether the opened file is a DLP file.

   let file = fs.openSync(uri);
   try {
     let res = await dlpPermission.isDLPFile(file.fd); // Check whether the file is a DLP file.
     console.info('res', res);
   } catch (err) {
     console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Error reported if the operation fails.
   }
   fs.closeSync(file);

1. Subscribe to and unsubscribe from the file open event for a DLP file.

   event(info: dlpPermission.VisitedDLPFileInfo) {
     console.info('openDlpFile event', info.uri, info.recentOpenTime)
   }
   unSubscribe() {
     try {
       dlpPermission.off('openDLPFile', this.event); // Unsubscribe from the file open event.
     } catch (err) {
       console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Error reported if the operation fails.
     }
   }
   subscribe() {
     try {
       dlpPermission.on ('openDLPFile' , this.event); // Subscribe to a file open event.
     } catch (err) {
       console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Error reported if the operation fails.
     }
   }
   async func() {
     this.subscribe();
     this.unSubscribe();
   }

1. Obtain information about the DLP files that are recently accessed.

   async func() {
     try {
       let res:Array<dlpPermission.VisitedDLPFileInfo> = await dlpPermission.getDLPFileAccessRecords(); // Obtain the list of recently accessed DLP files.
       console.info('res', JSON.stringify(res))
     } catch (err) {
       console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Error reported if the operation fails.
     }
   }

1. Obtain information about the DLP sandbox applications in the retention state.

   async func() {
     try {
       let res:Array<dlpPermission.VisitedDLPFileInfo> = await dlpPermission.getRetentionSandboxList(); // Obtain the list of sandbox applications in the retention state.
       console.info('res', JSON.stringify(res))
     } catch (err) {
       console.error('error', (err as BusinessError).code, (err as BusinessError).message); // Error reported if the operation fails.
     }
   }

你可能感兴趣的鸿蒙文章

harmony 鸿蒙Security

harmony 鸿蒙Applying for Permissions

harmony 鸿蒙Access Control (Permission) Overview

harmony 鸿蒙HarmonyAppProvision Configuration File

harmony 鸿蒙Certificate Development

harmony 鸿蒙Certificate Overview

harmony 鸿蒙Crypto Framework Development

harmony 鸿蒙Crypto Framework Overview

harmony 鸿蒙DLP Overview

harmony 鸿蒙hapsigner Guide