[tor-browser/tor-browser-68.7.0esr-9.5-1] Bug 32418: Allow updates to be disabled via an enterprise policy.

28 Apr 2020

commit e577d655d2044e3b6636b0bccfbb5bd776148582
Author: Kathy Brade <brade@pearlcrescent.com>
Date:   Thu Apr 16 17:07:09 2020 -0400

    Bug 32418: Allow updates to be disabled via an enterprise policy.
    
    Restrict the Enterprise Policies mechanism to only consult a
    policies.json file (avoiding the Windows Registry and macOS's
    file system attributes).
    
    Add a few disabledByPolicy() checks to the update service to
    avoid extraneous (and potentially confusing) log messages when
    updates are disabled by policy.
    
    Sample content for distribution/policies.json:
    {
      "policies": {
        "DisableAppUpdate": true
      }
    }
---
 .../enterprisepolicies/EnterprisePolicies.js         | 10 ++++++++++
 toolkit/components/enterprisepolicies/moz.build      |  4 +++-
 toolkit/mozapps/update/UpdateService.jsm             | 20 ++++++++++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/toolkit/components/enterprisepolicies/EnterprisePolicies.js b/toolkit/components/enterprisepolicies/EnterprisePolicies.js
index db77b4717736..bc0171867dfa 100644
--- a/toolkit/components/enterprisepolicies/EnterprisePolicies.js
+++ b/toolkit/components/enterprisepolicies/EnterprisePolicies.js
@@ -2,6 +2,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+// To avoid accessing the Windows Registry or macOS' file system attributes,
+// Tor Browser only supports policies.json.
+#define JSON_POLICIES_ONLY MOZ_PROXY_BYPASS_PROTECTION
+
 const { XPCOMUtils } = ChromeUtils.import(
   "resource://gre/modules/XPCOMUtils.jsm"
 );
@@ -11,9 +15,11 @@ const { AppConstants } = ChromeUtils.import(
 );
 
 XPCOMUtils.defineLazyModuleGetters(this, {
+#ifndef JSON_POLICIES_ONLY
   WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm",
   macOSPoliciesParser:
     "resource://gre/modules/policies/macOSPoliciesParser.jsm",
+#endif
   Policies: "resource:///modules/policies/Policies.jsm",
   JsonSchemaValidator:
     "resource://gre/modules/components-utils/JsonSchemaValidator.jsm",
@@ -111,6 +117,7 @@ EnterprisePoliciesManager.prototype = {
 
   _chooseProvider() {
     let provider = null;
+#ifndef JSON_POLICIES_ONLY
     if (AppConstants.platform == "win") {
       provider = new WindowsGPOPoliciesProvider();
     } else if (AppConstants.platform == "macosx") {
@@ -119,6 +126,7 @@ EnterprisePoliciesManager.prototype = {
     if (provider && provider.hasPolicies) {
       return provider;
     }
+#endif
 
     provider = new JSONPoliciesProvider();
     if (provider.hasPolicies) {
@@ -547,6 +555,7 @@ class JSONPoliciesProvider {
   }
 }
 
+#ifndef JSON_POLICIES_ONLY
 class WindowsGPOPoliciesProvider {
   constructor() {
     this._policies = null;
@@ -608,6 +617,7 @@ class macOSPoliciesProvider {
     return this._failed;
   }
 }
+#endif
 
 var components = [EnterprisePoliciesManager];
 this.NSGetFactory = XPCOMUtils.generateNSGetFactory(components);
diff --git a/toolkit/components/enterprisepolicies/moz.build b/toolkit/components/enterprisepolicies/moz.build
index 8f7d7d8cfed7..7528f569bb3e 100644
--- a/toolkit/components/enterprisepolicies/moz.build
+++ b/toolkit/components/enterprisepolicies/moz.build
@@ -19,10 +19,12 @@ TEST_DIRS += [
 
 if CONFIG['MOZ_WIDGET_TOOLKIT'] != "android":
     EXTRA_COMPONENTS += [
-        'EnterprisePolicies.js',
         'EnterprisePolicies.manifest',
         'EnterprisePoliciesContent.js',
     ]
+    EXTRA_PP_COMPONENTS += [
+        'EnterprisePolicies.js',
+    ]
 
 if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'windows':
     EXTRA_JS_MODULES.policies += [
diff --git a/toolkit/mozapps/update/UpdateService.jsm b/toolkit/mozapps/update/UpdateService.jsm
index 282e1aecc5e8..5fbcc1536540 100644
--- a/toolkit/mozapps/update/UpdateService.jsm
+++ b/toolkit/mozapps/update/UpdateService.jsm
@@ -2772,6 +2772,10 @@ UpdateService.prototype = {
   _checkForBackgroundUpdates: function AUS__checkForBackgroundUpdates(
     isNotify
   ) {
+    if (this.disabledByPolicy) {
+      return;
+    }
+
     this._isNotify = isNotify;
 
     // Histogram IDs:
@@ -3293,6 +3297,14 @@ UpdateService.prototype = {
    * See nsIUpdateService.idl
    */
   get canApplyUpdates() {
+    if (this.disabledByPolicy) {
+      LOG(
+        "UpdateService.canApplyUpdates - unable to apply updates, " +
+          "the option has been disabled by the administrator."
+      );
+      return false;
+    }
+
     return getCanApplyUpdates() && hasUpdateMutex();
   },
 
@@ -3300,6 +3312,14 @@ UpdateService.prototype = {
    * See nsIUpdateService.idl
    */
   get canStageUpdates() {
+    if (this.disabledByPolicy) {
+      LOG(
+        "UpdateService.canStageUpdates - unable to stage updates, " +
+          "the option has been disabled by the administrator."
+      );
+      return false;
+    }
+
     return getCanStageUpdates();
   },

    

sysrqb＠torproject.org

tags

participants (1)