Commit c2d24073 authored by Kathleen Brade's avatar Kathleen Brade Committed by Alex Catarineu
Browse files

Bug 32418: Allow updates to be disabled via an enterprise policy.

Restrict the Enterprise Policies mechanism to only consult a
policies.json file (avoiding the Windows Registry and macOS's
file system attributes).

Add a few disabledByPolicy() checks to the update service to
avoid extraneous (and potentially confusing) log messages when
updates are disabled by policy.

Sample content for distribution/policies.json:
{
  "policies": {
    "DisableAppUpdate": true
  }
}

On Linux, avoid reading policies from /etc/firefox/policies/policies.json
parent c0cb956d
......@@ -4,6 +4,10 @@
var EXPORTED_SYMBOLS = ["EnterprisePoliciesManager"];
// To ensure that policies intended for Firefox or another browser will not
// be used, Tor Browser only looks for policies in ${InstallDir}/distribution
#define AVOID_SYSTEM_POLICIES MOZ_PROXY_BYPASS_PROTECTION
const { XPCOMUtils } = ChromeUtils.import(
"resource://gre/modules/XPCOMUtils.jsm"
);
......@@ -13,9 +17,11 @@ const { AppConstants } = ChromeUtils.import(
);
XPCOMUtils.defineLazyModuleGetters(this, {
#ifndef AVOID_SYSTEM_POLICIES
WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm",
macOSPoliciesParser:
"resource://gre/modules/policies/macOSPoliciesParser.jsm",
#endif
Policies: "resource:///modules/policies/Policies.jsm",
JsonSchemaValidator:
"resource://gre/modules/components-utils/JsonSchemaValidator.jsm",
......@@ -137,6 +143,7 @@ EnterprisePoliciesManager.prototype = {
_chooseProvider() {
let provider = null;
#ifndef AVOID_SYSTEM_POLICIES
if (AppConstants.platform == "win") {
provider = new WindowsGPOPoliciesProvider();
} else if (AppConstants.platform == "macosx") {
......@@ -145,6 +152,7 @@ EnterprisePoliciesManager.prototype = {
if (provider && provider.hasPolicies) {
return provider;
}
#endif
provider = new JSONPoliciesProvider();
if (provider.hasPolicies) {
......@@ -495,7 +503,7 @@ class JSONPoliciesProvider {
_getConfigurationFile() {
let configFile = null;
#ifndef AVOID_SYSTEM_POLICIES
if (AppConstants.platform == "linux") {
let systemConfigFile = Cc["@mozilla.org/file/local;1"].createInstance(
Ci.nsIFile
......@@ -508,7 +516,7 @@ class JSONPoliciesProvider {
return systemConfigFile;
}
}
#endif
try {
let perUserPath = Services.prefs.getBoolPref(PREF_PER_USER_DIR, false);
if (perUserPath) {
......@@ -589,6 +597,7 @@ class JSONPoliciesProvider {
}
}
#ifndef AVOID_SYSTEM_POLICIES
class WindowsGPOPoliciesProvider {
constructor() {
this._policies = null;
......@@ -654,3 +663,4 @@ class macOSPoliciesProvider {
return this._failed;
}
}
#endif
......@@ -21,6 +21,9 @@ if CONFIG['MOZ_WIDGET_TOOLKIT'] != "android":
EXTRA_JS_MODULES += [
'EnterprisePolicies.jsm',
'EnterprisePoliciesContent.jsm',
]
EXTRA_PP_JS_MODULES += [
'EnterprisePoliciesParent.jsm',
]
......
......@@ -2811,6 +2811,10 @@ UpdateService.prototype = {
_checkForBackgroundUpdates: function AUS__checkForBackgroundUpdates(
isNotify
) {
if (this.disabledByPolicy) {
return;
}
this._isNotify = isNotify;
// Histogram IDs:
......@@ -3311,6 +3315,14 @@ UpdateService.prototype = {
* See nsIUpdateService.idl
*/
get canApplyUpdates() {
if (this.disabledByPolicy) {
LOG(
"UpdateService.canApplyUpdates - unable to apply updates, " +
"the option has been disabled by the administrator."
);
return false;
}
return getCanApplyUpdates() && hasUpdateMutex();
},
......@@ -3318,6 +3330,14 @@ UpdateService.prototype = {
* See nsIUpdateService.idl
*/
get canStageUpdates() {
if (this.disabledByPolicy) {
LOG(
"UpdateService.canStageUpdates - unable to stage updates, " +
"the option has been disabled by the administrator."
);
return false;
}
return getCanStageUpdates();
},
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment