[tor-commits] [tor-browser/tor-browser-78.5.0esr-10.0-1] Bug 32418: Allow updates to be disabled via an enterprise policy.

gk at torproject.org gk at torproject.org
Thu Nov 12 19:36:42 UTC 2020


commit 13c5930c9f4f03054b335e03bfca6c4e0d9f3490
Author: Kathy Brade <brade at pearlcrescent.com>
Date:   Thu Apr 16 17:07:09 2020 -0400

    Bug 32418: Allow updates to be disabled via an enterprise policy.
    
    Restrict the Enterprise Policies mechanism to only consult a
    policies.json file (avoiding the Windows Registry and macOS's
    file system attributes).
    
    Add a few disabledByPolicy() checks to the update service to
    avoid extraneous (and potentially confusing) log messages when
    updates are disabled by policy.
    
    Sample content for distribution/policies.json:
    {
      "policies": {
        "DisableAppUpdate": true
      }
    }
    
    On Linux, avoid reading policies from /etc/firefox/policies/policies.json
---
 .../enterprisepolicies/EnterprisePolicies.js         | 12 ++++++++++++
 toolkit/components/enterprisepolicies/moz.build      |  4 +++-
 toolkit/mozapps/update/UpdateService.jsm             | 20 ++++++++++++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/toolkit/components/enterprisepolicies/EnterprisePolicies.js b/toolkit/components/enterprisepolicies/EnterprisePolicies.js
index aa8a2e54024e..8f9cd6f5039d 100644
--- a/toolkit/components/enterprisepolicies/EnterprisePolicies.js
+++ b/toolkit/components/enterprisepolicies/EnterprisePolicies.js
@@ -2,6 +2,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+// To ensure that policies intended for Firefox or another browser will not
+// be used, Tor Browser only looks for policies in ${InstallDir}/distribution
+#define AVOID_SYSTEM_POLICIES MOZ_PROXY_BYPASS_PROTECTION
+
 const { XPCOMUtils } = ChromeUtils.import(
   "resource://gre/modules/XPCOMUtils.jsm"
 );
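Review bot: The added `#define AVOID_SYSTEM_POLICIES MOZ_PROXY_BYPASS_PROTECTION` reads as if the guard followed the MOZ_PROXY_BYPASS_PROTECTION build flag, but the `#ifndef AVOID_SYSTEM_POLICIES` blocks in the later hunks only test whether the name is defined. Assuming the build preprocessor treats `#define NAME VALUE` as defining NAME whatever VALUE is, the Registry, macOS and /etc providers are compiled out in every build. That is the fail-safe direction for Tor Browser, but the comment should say so, for example `// Always defined: the #ifndef AVOID_SYSTEM_POLICIES blocks are compiled out in every build.` If the guard was meant to follow the flag, write it as `#ifdef MOZ_PROXY_BYPASS_PROTECTION` / `#define AVOID_SYSTEM_POLICIES 1` / `#endif`.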
@@ -11,9 +15,11 @@ const { AppConstants } = ChromeUtils.import(
 );
 
 XPCOMUtils.defineLazyModuleGetters(this, {
+#ifndef AVOID_SYSTEM_POLICIES
   WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm",
   macOSPoliciesParser:
     "resource://gre/modules/policies/macOSPoliciesParser.jsm",
+#endif
   Policies: "resource:///modules/policies/Policies.jsm",
   JsonSchemaValidator:
     "resource://gre/modules/components-utils/JsonSchemaValidator.jsm",
@@ -114,6 +120,7 @@ EnterprisePoliciesManager.prototype = {
 
   _chooseProvider() {
     let provider = null;
+#ifndef AVOID_SYSTEM_POLICIES
     if (AppConstants.platform == "win") {
       provider = new WindowsGPOPoliciesProvider();
     } else if (AppConstants.platform == "macosx") {
@@ -122,6 +129,7 @@ EnterprisePoliciesManager.prototype = {
     if (provider && provider.hasPolicies) {
       return provider;
     }
+#endif
 
     provider = new JSONPoliciesProvider();
     if (provider.hasPolicies) {
@@ -473,6 +481,7 @@ class JSONPoliciesProvider {
   _getConfigurationFile() {
     let configFile = null;
 
+#ifndef AVOID_SYSTEM_POLICIES
     if (AppConstants.platform == "linux") {
       let systemConfigFile = Cc["@mozilla.org/file/local;1"].createInstance(
         Ci.nsIFile
@@ -485,6 +494,7 @@ class JSONPoliciesProvider {
         return systemConfigFile;
       }
     }
+#endif
 
     try {
       let perUserPath = Services.prefs.getBoolPref(PREF_PER_USER_DIR, false);
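Review bot: The `PREF_PER_USER_DIR` lookup on the last line of this hunk stays outside the `#ifndef AVOID_SYSTEM_POLICIES` block, although the comment added at the top of the file says policies are read only from ${InstallDir}/distribution. The rest of `_getConfigurationFile` lies outside the hunk, so this is an inference. If that pref selects a per-user directory, a location outside the install directory can still supply policies.json, including `DisableAppUpdate`. Either guard that branch as well, or document the exception next to it, for example `// NOTE: PREF_PER_USER_DIR is still honoured under AVOID_SYSTEM_POLICIES; see <bug reference>`.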
@@ -566,6 +576,7 @@ class JSONPoliciesProvider {
   }
 }
 
+#ifndef AVOID_SYSTEM_POLICIES
 class WindowsGPOPoliciesProvider {
   constructor() {
     this._policies = null;
@@ -631,6 +642,7 @@ class macOSPoliciesProvider {
     return this._failed;
   }
 }
+#endif
 
 var components = [EnterprisePoliciesManager];
 this.NSGetFactory = XPCOMUtils.generateNSGetFactory(components);
diff --git a/toolkit/components/enterprisepolicies/moz.build b/toolkit/components/enterprisepolicies/moz.build
index 8f7d7d8cfed7..7528f569bb3e 100644
--- a/toolkit/components/enterprisepolicies/moz.build
+++ b/toolkit/components/enterprisepolicies/moz.build
@@ -19,10 +19,12 @@ TEST_DIRS += [
 
 if CONFIG['MOZ_WIDGET_TOOLKIT'] != "android":
     EXTRA_COMPONENTS += [
-        'EnterprisePolicies.js',
         'EnterprisePolicies.manifest',
         'EnterprisePoliciesContent.js',
     ]
+    EXTRA_PP_COMPONENTS += [
+        'EnterprisePolicies.js',
+    ]
 
 if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'windows':
     EXTRA_JS_MODULES.policies += [
diff --git a/toolkit/mozapps/update/UpdateService.jsm b/toolkit/mozapps/update/UpdateService.jsm
index 855230e83c31..93a6ee81c295 100644
--- a/toolkit/mozapps/update/UpdateService.jsm
+++ b/toolkit/mozapps/update/UpdateService.jsm
@@ -2754,6 +2754,10 @@ UpdateService.prototype = {
   _checkForBackgroundUpdates: function AUS__checkForBackgroundUpdates(
     isNotify
   ) {
+    if (this.disabledByPolicy) {
+      return;
+    }
+
     this._isNotify = isNotify;
 
     // Histogram IDs:
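Review bot: The early return added at the top of `_checkForBackgroundUpdates` leaves no trace, whereas the `canApplyUpdates` and `canStageUpdates` guards in the later hunks of this file each log why they refuse. With updates off, the browser stops receiving security fixes, so someone diagnosing a stale install should be able to see from the update log that a policy caused it. One line before the `return;` would be enough, for example `LOG("UpdateService:_checkForBackgroundUpdates - updates are disabled by policy");`. If the silence is deliberate, as the commit message's remark about confusing log messages suggests it may be, say so in a comment on the guard. The function body continues outside the hunk.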
@@ -3254,6 +3258,14 @@ UpdateService.prototype = {
    * See nsIUpdateService.idl
    */
   get canApplyUpdates() {
+    if (this.disabledByPolicy) {
+      LOG(
+        "UpdateService.canApplyUpdates - unable to apply updates, " +
+          "the option has been disabled by the administrator."
+      );
+      return false;
+    }
+
     return getCanApplyUpdates() && hasUpdateMutex();
   },
 
@@ -3261,6 +3273,14 @@ UpdateService.prototype = {
    * See nsIUpdateService.idl
    */
   get canStageUpdates() {
+    if (this.disabledByPolicy) {
+      LOG(
+        "UpdateService.canStageUpdates - unable to stage updates, " +
+          "the option has been disabled by the administrator."
+      );
+      return false;
+    }
+
     return getCanStageUpdates();
   },
 




