Commit 9086b2ed authored by Kathleen Brade's avatar Kathleen Brade Committed by Matthew Finkel

Bug 32418: Allow updates to be disabled via an enterprise policy.

Restrict the Enterprise Policies mechanism to only consult a
policies.json file (avoiding the Windows Registry and macOS's
file system attributes).

Add a few disabledByPolicy() checks to the update service to
avoid extraneous (and potentially confusing) log messages when
updates are disabled by policy.

Sample content for distribution/policies.json:
{
  "policies": {
    "DisableAppUpdate": true
  }
}

On Linux, avoid reading policies from /etc/firefox/policies/policies.json
parent c4b3103e
...@@ -2,6 +2,10 @@ ...@@ -2,6 +2,10 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this * License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// To ensure that policies intended for Firefox or another browser will not
// be used, Tor Browser only looks for policies in ${InstallDir}/distribution
#define AVOID_SYSTEM_POLICIES MOZ_PROXY_BYPASS_PROTECTION
const { XPCOMUtils } = ChromeUtils.import( const { XPCOMUtils } = ChromeUtils.import(
"resource://gre/modules/XPCOMUtils.jsm" "resource://gre/modules/XPCOMUtils.jsm"
); );
...@@ -11,9 +15,11 @@ const { AppConstants } = ChromeUtils.import( ...@@ -11,9 +15,11 @@ const { AppConstants } = ChromeUtils.import(
); );
XPCOMUtils.defineLazyModuleGetters(this, { XPCOMUtils.defineLazyModuleGetters(this, {
#ifndef AVOID_SYSTEM_POLICIES
WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm", WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm",
macOSPoliciesParser: macOSPoliciesParser:
"resource://gre/modules/policies/macOSPoliciesParser.jsm", "resource://gre/modules/policies/macOSPoliciesParser.jsm",
#endif
Policies: "resource:///modules/policies/Policies.jsm", Policies: "resource:///modules/policies/Policies.jsm",
JsonSchemaValidator: JsonSchemaValidator:
"resource://gre/modules/components-utils/JsonSchemaValidator.jsm", "resource://gre/modules/components-utils/JsonSchemaValidator.jsm",
...@@ -117,11 +123,13 @@ EnterprisePoliciesManager.prototype = { ...@@ -117,11 +123,13 @@ EnterprisePoliciesManager.prototype = {
_chooseProvider() { _chooseProvider() {
let platformProvider = null; let platformProvider = null;
#ifndef AVOID_SYSTEM_POLICIES
if (AppConstants.platform == "win") { if (AppConstants.platform == "win") {
platformProvider = new WindowsGPOPoliciesProvider(); platformProvider = new WindowsGPOPoliciesProvider();
} else if (AppConstants.platform == "macosx") { } else if (AppConstants.platform == "macosx") {
platformProvider = new macOSPoliciesProvider(); platformProvider = new macOSPoliciesProvider();
} }
#endif
let jsonProvider = new JSONPoliciesProvider(); let jsonProvider = new JSONPoliciesProvider();
if (platformProvider && platformProvider.hasPolicies) { if (platformProvider && platformProvider.hasPolicies) {
if (jsonProvider.hasPolicies) { if (jsonProvider.hasPolicies) {
...@@ -470,6 +478,7 @@ class JSONPoliciesProvider { ...@@ -470,6 +478,7 @@ class JSONPoliciesProvider {
_getConfigurationFile() { _getConfigurationFile() {
let configFile = null; let configFile = null;
#ifndef AVOID_SYSTEM_POLICIES
if (AppConstants.platform == "linux") { if (AppConstants.platform == "linux") {
let systemConfigFile = Cc["@mozilla.org/file/local;1"].createInstance( let systemConfigFile = Cc["@mozilla.org/file/local;1"].createInstance(
Ci.nsIFile Ci.nsIFile
...@@ -482,6 +491,7 @@ class JSONPoliciesProvider { ...@@ -482,6 +491,7 @@ class JSONPoliciesProvider {
return systemConfigFile; return systemConfigFile;
} }
} }
#endif
try { try {
let perUserPath = Services.prefs.getBoolPref(PREF_PER_USER_DIR, false); let perUserPath = Services.prefs.getBoolPref(PREF_PER_USER_DIR, false);
...@@ -563,6 +573,7 @@ class JSONPoliciesProvider { ...@@ -563,6 +573,7 @@ class JSONPoliciesProvider {
} }
} }
#ifndef AVOID_SYSTEM_POLICIES
class WindowsGPOPoliciesProvider { class WindowsGPOPoliciesProvider {
constructor() { constructor() {
this._policies = null; this._policies = null;
...@@ -637,6 +648,7 @@ class macOSPoliciesProvider { ...@@ -637,6 +648,7 @@ class macOSPoliciesProvider {
return this._failed; return this._failed;
} }
} }
#endif
class CombinedProvider { class CombinedProvider {
constructor(primaryProvider, secondaryProvider) { constructor(primaryProvider, secondaryProvider) {
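Review bot: `#define AVOID_SYSTEM_POLICIES MOZ_PROXY_BYPASS_PROTECTION` at the top of the file defines the macro unconditionally, so every `#ifndef AVOID_SYSTEM_POLICIES` block is dropped whether or not MOZ_PROXY_BYPASS_PROTECTION is set (assuming the build preprocessor's `#ifndef` only tests whether the name exists). That fails closed, which suits the stated goal, but the line reads as if the behaviour followed the other flag. Either say so in the comment, e.g. `// Always defined: the value is not evaluated, so system policy sources are never compiled in.`, or wrap it as `#ifdef MOZ_PROXY_BYPASS_PROTECTION` / `#define AVOID_SYSTEM_POLICIES 1` / `#endif`. The `PREF_PER_USER_DIR` lookup in `_getConfigurationFile` stays outside the guard, so the comment's claim that only `${InstallDir}/distribution` is consulted should be checked against that path; the function continues outside the hunk.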
......
...@@ -19,10 +19,12 @@ TEST_DIRS += [ ...@@ -19,10 +19,12 @@ TEST_DIRS += [
if CONFIG['MOZ_WIDGET_TOOLKIT'] != "android": if CONFIG['MOZ_WIDGET_TOOLKIT'] != "android":
EXTRA_COMPONENTS += [ EXTRA_COMPONENTS += [
'EnterprisePolicies.js',
'EnterprisePolicies.manifest', 'EnterprisePolicies.manifest',
'EnterprisePoliciesContent.js', 'EnterprisePoliciesContent.js',
] ]
EXTRA_PP_COMPONENTS += [
'EnterprisePolicies.js',
]
if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'windows': if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'windows':
EXTRA_JS_MODULES.policies += [ EXTRA_JS_MODULES.policies += [
......
...@@ -3268,6 +3268,14 @@ UpdateService.prototype = { ...@@ -3268,6 +3268,14 @@ UpdateService.prototype = {
* See nsIUpdateService.idl * See nsIUpdateService.idl
*/ */
get canApplyUpdates() { get canApplyUpdates() {
if (this.disabledByPolicy) {
LOG(
"UpdateService.canApplyUpdates - unable to apply updates, " +
"the option has been disabled by the administrator."
);
return false;
}
return getCanApplyUpdates() && hasUpdateMutex(); return getCanApplyUpdates() && hasUpdateMutex();
}, },
...@@ -3275,6 +3283,14 @@ UpdateService.prototype = { ...@@ -3275,6 +3283,14 @@ UpdateService.prototype = {
* See nsIUpdateService.idl * See nsIUpdateService.idl
*/ */
get canStageUpdates() { get canStageUpdates() {
if (this.disabledByPolicy) {
LOG(
"UpdateService.canStageUpdates - unable to stage updates, " +
"the option has been disabled by the administrator."
);
return false;
}
return getCanStageUpdates(); return getCanStageUpdates();
}, },
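Review bot: The new `disabledByPolicy` guards in `canApplyUpdates` and `canStageUpdates` report the policy only through `LOG(...)`, so a browser whose updates were switched off by a `policies.json` may leave no trace unless update logging is enabled (LOG's gating is not visible here, so this is an assumption to confirm). A disabled updater means security fixes stop arriving, so each guard deserves a comment such as `// Updates are off by enterprise policy: no security fixes are fetched until the policy is removed.`, and it is worth confirming the state is also shown to the user elsewhere. The two guards differ only in the message prefix, so the check and log line could live in one shared helper. Both getters belong to UpdateService.prototype, which starts and ends outside these hunks.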
......