commit e577d655d2044e3b6636b0bccfbb5bd776148582 Author: Kathy Brade brade@pearlcrescent.com Date: Thu Apr 16 17:07:09 2020 -0400
Bug 32418: Allow updates to be disabled via an enterprise policy.
Restrict the Enterprise Policies mechanism to only consult a policies.json file (avoiding the Windows Registry and macOS's file system attributes).
Add a few disabledByPolicy() checks to the update service to avoid extraneous (and potentially confusing) log messages when updates are disabled by policy.
Sample content for distribution/policies.json: { "policies": { "DisableAppUpdate": true } } --- .../enterprisepolicies/EnterprisePolicies.js | 10 ++++++++++ toolkit/components/enterprisepolicies/moz.build | 4 +++- toolkit/mozapps/update/UpdateService.jsm | 20 ++++++++++++++++++++ 3 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/toolkit/components/enterprisepolicies/EnterprisePolicies.js b/toolkit/components/enterprisepolicies/EnterprisePolicies.js index db77b4717736..bc0171867dfa 100644 --- a/toolkit/components/enterprisepolicies/EnterprisePolicies.js +++ b/toolkit/components/enterprisepolicies/EnterprisePolicies.js @@ -2,6 +2,10 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+// To avoid accessing the Windows Registry or macOS' file system attributes, +// Tor Browser only supports policies.json. +#define JSON_POLICIES_ONLY MOZ_PROXY_BYPASS_PROTECTION + const { XPCOMUtils } = ChromeUtils.import( "resource://gre/modules/XPCOMUtils.jsm" ); @@ -11,9 +15,11 @@ const { AppConstants } = ChromeUtils.import( );
XPCOMUtils.defineLazyModuleGetters(this, { +#ifndef JSON_POLICIES_ONLY WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm", macOSPoliciesParser: "resource://gre/modules/policies/macOSPoliciesParser.jsm", +#endif Policies: "resource:///modules/policies/Policies.jsm", JsonSchemaValidator: "resource://gre/modules/components-utils/JsonSchemaValidator.jsm", @@ -111,6 +117,7 @@ EnterprisePoliciesManager.prototype = {
_chooseProvider() { let provider = null; +#ifndef JSON_POLICIES_ONLY if (AppConstants.platform == "win") { provider = new WindowsGPOPoliciesProvider(); } else if (AppConstants.platform == "macosx") { @@ -119,6 +126,7 @@ EnterprisePoliciesManager.prototype = { if (provider && provider.hasPolicies) { return provider; } +#endif
provider = new JSONPoliciesProvider(); if (provider.hasPolicies) { @@ -547,6 +555,7 @@ class JSONPoliciesProvider { } }
+#ifndef JSON_POLICIES_ONLY class WindowsGPOPoliciesProvider { constructor() { this._policies = null; @@ -608,6 +617,7 @@ class macOSPoliciesProvider { return this._failed; } } +#endif
var components = [EnterprisePoliciesManager]; this.NSGetFactory = XPCOMUtils.generateNSGetFactory(components); diff --git a/toolkit/components/enterprisepolicies/moz.build b/toolkit/components/enterprisepolicies/moz.build index 8f7d7d8cfed7..7528f569bb3e 100644 --- a/toolkit/components/enterprisepolicies/moz.build +++ b/toolkit/components/enterprisepolicies/moz.build @@ -19,10 +19,12 @@ TEST_DIRS += [
if CONFIG['MOZ_WIDGET_TOOLKIT'] != "android": EXTRA_COMPONENTS += [ - 'EnterprisePolicies.js', 'EnterprisePolicies.manifest', 'EnterprisePoliciesContent.js', ] + EXTRA_PP_COMPONENTS += [ + 'EnterprisePolicies.js', + ]
if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'windows': EXTRA_JS_MODULES.policies += [ diff --git a/toolkit/mozapps/update/UpdateService.jsm b/toolkit/mozapps/update/UpdateService.jsm index 282e1aecc5e8..5fbcc1536540 100644 --- a/toolkit/mozapps/update/UpdateService.jsm +++ b/toolkit/mozapps/update/UpdateService.jsm @@ -2772,6 +2772,10 @@ UpdateService.prototype = { _checkForBackgroundUpdates: function AUS__checkForBackgroundUpdates( isNotify ) { + if (this.disabledByPolicy) { + return; + } + this._isNotify = isNotify;
// Histogram IDs: @@ -3293,6 +3297,14 @@ UpdateService.prototype = { * See nsIUpdateService.idl */ get canApplyUpdates() { + if (this.disabledByPolicy) { + LOG( + "UpdateService.canApplyUpdates - unable to apply updates, " + + "the option has been disabled by the administrator." + ); + return false; + } + return getCanApplyUpdates() && hasUpdateMutex(); },
@@ -3300,6 +3312,14 @@ UpdateService.prototype = { * See nsIUpdateService.idl */ get canStageUpdates() { + if (this.disabledByPolicy) { + LOG( + "UpdateService.canStageUpdates - unable to stage updates, " + + "the option has been disabled by the administrator." + ); + return false; + } + return getCanStageUpdates(); },
tbb-commits@lists.torproject.org