[tbb-commits] [tor-browser/tor-browser-83.0-10.0-1] Bug 32418: Allow updates to be disabled via an enterprise policy.

sysrqb at torproject.org sysrqb at torproject.org
Thu Nov 26 14:53:03 UTC 2020


commit 457cb6d246add82b15b54e9666a806fa06df885e
Author: Kathy Brade <brade at pearlcrescent.com>
Date:   Thu Apr 16 17:07:09 2020 -0400

    Bug 32418: Allow updates to be disabled via an enterprise policy.
    
    Restrict the Enterprise Policies mechanism to only consult a
    policies.json file (avoiding the Windows Registry and macOS's
    file system attributes).
    
    Add a few disabledByPolicy() checks to the update service to
    avoid extraneous (and potentially confusing) log messages when
    updates are disabled by policy.
    
    Sample content for distribution/policies.json:
    {
      "policies": {
        "DisableAppUpdate": true
      }
    }
    
    On Linux, avoid reading policies from /etc/firefox/policies/policies.json
---
 .../enterprisepolicies/EnterprisePoliciesParent.jsm  | 14 ++++++++++++--
 toolkit/components/enterprisepolicies/moz.build      |  3 +++
 toolkit/mozapps/update/UpdateService.jsm             | 20 ++++++++++++++++++++
 3 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm
index 8b0a5170cbdd..38e2c2b36a24 100644
--- a/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm
+++ b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm
@@ -4,6 +4,10 @@
 
 var EXPORTED_SYMBOLS = ["EnterprisePoliciesManager"];
 
+// To ensure that policies intended for Firefox or another browser will not
+// be used, Tor Browser only looks for policies in ${InstallDir}/distribution
+#define AVOID_SYSTEM_POLICIES MOZ_PROXY_BYPASS_PROTECTION
+
 const { XPCOMUtils } = ChromeUtils.import(
   "resource://gre/modules/XPCOMUtils.jsm"
 );
@@ -13,9 +17,11 @@ const { AppConstants } = ChromeUtils.import(
 );
 
 XPCOMUtils.defineLazyModuleGetters(this, {
+#ifndef AVOID_SYSTEM_POLICIES
   WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm",
   macOSPoliciesParser:
     "resource://gre/modules/policies/macOSPoliciesParser.jsm",
+#endif
   Policies: "resource:///modules/policies/Policies.jsm",
   JsonSchemaValidator:
     "resource://gre/modules/components-utils/JsonSchemaValidator.jsm",
@@ -137,6 +143,7 @@ EnterprisePoliciesManager.prototype = {
 
   _chooseProvider() {
     let provider = null;
+#ifndef AVOID_SYSTEM_POLICIES
     if (AppConstants.platform == "win") {
       provider = new WindowsGPOPoliciesProvider();
     } else if (AppConstants.platform == "macosx") {
@@ -145,6 +152,7 @@ EnterprisePoliciesManager.prototype = {
     if (provider && provider.hasPolicies) {
       return provider;
     }
+#endif
 
     provider = new JSONPoliciesProvider();
     if (provider.hasPolicies) {
@@ -495,7 +503,7 @@ class JSONPoliciesProvider {
 
   _getConfigurationFile() {
     let configFile = null;
-
+#ifndef AVOID_SYSTEM_POLICIES
     if (AppConstants.platform == "linux") {
       let systemConfigFile = Cc["@mozilla.org/file/local;1"].createInstance(
         Ci.nsIFile
@@ -508,7 +516,7 @@ class JSONPoliciesProvider {
         return systemConfigFile;
       }
     }
-
+#endif
     try {
       let perUserPath = Services.prefs.getBoolPref(PREF_PER_USER_DIR, false);
       if (perUserPath) {
@@ -589,6 +597,7 @@ class JSONPoliciesProvider {
   }
 }
 
+#ifndef AVOID_SYSTEM_POLICIES
 class WindowsGPOPoliciesProvider {
   constructor() {
     this._policies = null;
@@ -654,3 +663,4 @@ class macOSPoliciesProvider {
     return this._failed;
   }
 }
+#endif
diff --git a/toolkit/components/enterprisepolicies/moz.build b/toolkit/components/enterprisepolicies/moz.build
index 284089594b2f..b0485aade0e8 100644
--- a/toolkit/components/enterprisepolicies/moz.build
+++ b/toolkit/components/enterprisepolicies/moz.build
@@ -21,6 +21,9 @@ if CONFIG['MOZ_WIDGET_TOOLKIT'] != "android":
     EXTRA_JS_MODULES += [
         'EnterprisePolicies.jsm',
         'EnterprisePoliciesContent.jsm',
+    ]
+
+    EXTRA_PP_JS_MODULES += [
         'EnterprisePoliciesParent.jsm',
     ]
 
diff --git a/toolkit/mozapps/update/UpdateService.jsm b/toolkit/mozapps/update/UpdateService.jsm
index 2eb0038c9a1a..7fc19777182f 100644
--- a/toolkit/mozapps/update/UpdateService.jsm
+++ b/toolkit/mozapps/update/UpdateService.jsm
@@ -2841,6 +2841,10 @@ UpdateService.prototype = {
   _checkForBackgroundUpdates: function AUS__checkForBackgroundUpdates(
     isNotify
   ) {
+    if (this.disabledByPolicy) {
+      return;
+    }
+
     this._isNotify = isNotify;
 
     // Histogram IDs:
@@ -3343,6 +3347,14 @@ UpdateService.prototype = {
    * See nsIUpdateService.idl
    */
   get canApplyUpdates() {
+    if (this.disabledByPolicy) {
+      LOG(
+        "UpdateService.canApplyUpdates - unable to apply updates, " +
+          "the option has been disabled by the administrator."
+      );
+      return false;
+    }
+
     return getCanApplyUpdates() && hasUpdateMutex();
   },
 
@@ -3350,6 +3362,14 @@ UpdateService.prototype = {
    * See nsIUpdateService.idl
    */
   get canStageUpdates() {
+    if (this.disabledByPolicy) {
+      LOG(
+        "UpdateService.canStageUpdates - unable to stage updates, " +
+          "the option has been disabled by the administrator."
+      );
+      return false;
+    }
+
     return getCanStageUpdates();
   },
 





More information about the tbb-commits mailing list