pierov pushed a commit to branch tor-browser-102.0.1-12.0-1 in repository tor-browser.
commit 5eb9372b1ebef303a2010172861a3ad07aa207c0 Author: Pier Angelo Vendrame pierov@torproject.org AuthorDate: Tue Jul 26 16:20:07 2022 +0200
Bug 32418: Add a configure flag to load policies only from the local policies.json
Add a configuration flag to make Enterprise Policies mechanism only consult a policies.json file (avoiding the Windows Registry, macOS's file system attributes, and /etc/firefox/policies/policies.json on other OS).
We avoid system policies because their proxy settings override our preferences, however updates can be disabled only with enterprise policies, so we allow them from a local file as a trade off. --- browser/config/mozconfigs/base-browser | 3 +++ .../components/enterprisepolicies/EnterprisePoliciesParent.jsm | 9 ++++++--- toolkit/modules/AppConstants.jsm | 7 +++++++ toolkit/modules/moz.build | 1 + toolkit/moz.configure | 10 ++++++++++ 5 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/browser/config/mozconfigs/base-browser b/browser/config/mozconfigs/base-browser
index 9963ab7ef9e62..3281543dc71ab 100644
--- a/browser/config/mozconfigs/base-browser
+++ b/browser/config/mozconfigs/base-browser
@@ -26,6 +26,9 @@ ac_add_options --disable-parental-controls
 # Let's make sure no preference is enabling either Adobe's or Google's CDM.
 ac_add_options --disable-eme
 ac_add_options --enable-proxy-bypass-protection
+# See bugs #30575 and #32418: system policies are harmful either because they
+# could allow proxy bypass, and override a number of other preferences we set
+ac_add_options --disable-system-policies
 # Disable telemetry
 ac_add_options MOZ_TELEMETRY_REPORTING=
diff --git a/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm
index bfb8c02573f22..1ec347ca3f5d1 100644
--- a/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm
+++ b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm
@@ -140,9 +140,12 @@ EnterprisePoliciesManager.prototype = {
 _chooseProvider() {
 let platformProvider = null;
- if (AppConstants.platform == "win") {
+ if (AppConstants.platform == "win" && AppConstants.MOZ_SYSTEM_POLICIES) {
 platformProvider = new WindowsGPOPoliciesProvider();
- } else if (AppConstants.platform == "macosx") {
+ } else if (
+ AppConstants.platform == "macosx" &&
+ AppConstants.MOZ_SYSTEM_POLICIES
+ ) {
 platformProvider = new macOSPoliciesProvider();
 }
 let jsonProvider = new JSONPoliciesProvider();
@@ -526,7 +529,7 @@ class JSONPoliciesProvider {
 _getConfigurationFile() {
 let configFile = null;
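Review bot: Neither guard in `_chooseProvider` says why the platform check now also tests `AppConstants.MOZ_SYSTEM_POLICIES`, and the same applies to the Linux guard in `_getConfigurationFile` in the next hunk. A short comment above the first guard would keep the security rationale visible in the file itself, for example `// System-wide policy sources are compiled out when MOZ_SYSTEM_POLICIES is false; only policies.json is read.` With the flag false, `platformProvider` stays null on every platform; how the function continues after `jsonProvider` is created lies outside the hunk.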
- if (AppConstants.platform == "linux") {
+ if (AppConstants.platform == "linux" && AppConstants.MOZ_SYSTEM_POLICIES) {
 let systemConfigFile = Cc["@mozilla.org/file/local;1"].createInstance(
 Ci.nsIFile
 );
diff --git a/toolkit/modules/AppConstants.jsm b/toolkit/modules/AppConstants.jsm
index 7f8ac95dd9625..5799b78178aaf 100644
--- a/toolkit/modules/AppConstants.jsm
+++ b/toolkit/modules/AppConstants.jsm
@@ -453,6 +453,13 @@ this.AppConstants = Object.freeze({
 false,
 #endif
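Review bot: The added condition in `_getConfigurationFile` gates only the first lookup, the one that builds `systemConfigFile`, and the rest of the function lies outside the hunk. The commit message promises that only the local policies.json is consulted, so any later fallback in that function that can resolve to a path outside the application directory would need the same `&& AppConstants.MOZ_SYSTEM_POLICIES` guard; that cannot be confirmed from the visible lines. A test that runs when `AppConstants.MOZ_SYSTEM_POLICIES` is false and asserts that no platform provider and no system-wide file is used would pin the intended behaviour down.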
+ MOZ_SYSTEM_POLICIES:
+#ifdef MOZ_SYSTEM_POLICIES
+ true,
+#else
+ false,
+#endif
+
 // Returns true for CN region build when distibution id set as 'MozillaOnline'
 isChinaRepack() {
 return (
diff --git a/toolkit/modules/moz.build b/toolkit/modules/moz.build
index 26acb92b37b7c..f8f65aef789e0 100644
--- a/toolkit/modules/moz.build
+++ b/toolkit/modules/moz.build
@@ -292,6 +292,7 @@ for var in (
 "MOZ_ALLOW_ADDON_SIDELOAD",
 "MOZ_BACKGROUNDTASKS",
 "MOZ_SYSTEM_NSS",
+ "MOZ_SYSTEM_POLICIES",
 "MOZ_UNSIGNED_APP_SCOPE",
 "MOZ_UNSIGNED_SYSTEM_SCOPE",
 "MOZ_UPDATE_AGENT",
diff --git a/toolkit/moz.configure b/toolkit/moz.configure
index 0dd52bd5203b7..a3dcca6909017 100644
--- a/toolkit/moz.configure
+++ b/toolkit/moz.configure
@@ -3210,3 +3210,13 @@ with only_when(compile_environment & depends(target.os)(lambda os: os != "WINNT"
 set_define("HAVE_ARC4RANDOM", check_symbol("arc4random"))
 set_define("HAVE_ARC4RANDOM_BUF", check_symbol("arc4random_buf"))
 set_define("HAVE_MALLINFO", check_symbol("mallinfo"))
+
+# System policies
+# ==============================================================
+
+option(
+ "--disable-system-policies",
+ help="Disable reading policies from Windows registry, macOS's file system attributes, and /etc/firefox",
+)
+
+set_config("MOZ_SYSTEM_POLICIES", True, when="--enable-system-policies")
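Review bot: In the toolkit/moz.configure hunk the option is declared in its `--disable-` form, so system policies stay enabled unless a mozconfig opts out, and the protection depends on every build configuration carrying `ac_add_options --disable-system-policies`. The help text could say so and name the full Linux path from the commit message, for example `help="Disable reading policies from the Windows registry, macOS's file system attributes, and /etc/firefox/policies/policies.json; only the local policies.json is read"`. Since the mozconfig comment ties this flag to proxy bypass, it may also be worth deriving the default from the proxy-bypass-protection option rather than leaving the two independent; that option's definition is not visible here.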