1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/policy/restricted_mgs_policy_provider.h"
#include <utility>
#include "base/values.h"
#include "build/build_config.h"
#include "chrome/browser/ui/webui/certificates_handler.h"
#include "chromeos/ash/components/settings/cros_settings.h"
#include "chromeos/components/mgs/managed_guest_session_utils.h"
#include "components/policy/core/common/cloud/cloud_policy_client.h"
#include "components/policy/core/common/policy_bundle.h"
#include "components/policy/core/common/policy_map.h"
#include "components/policy/core/common/policy_namespace.h"
#include "components/policy/core/common/policy_types.h"
#include "components/policy/policy_constants.h"
static_assert(BUILDFLAG(IS_CHROMEOS));
namespace {
bool IsDeviceRestrictedManagedGuestSessionEnabled() {
bool device_restricted_managed_guest_session_enabled = false;
ash::CrosSettings::Get()->GetBoolean(
ash::kDeviceRestrictedManagedGuestSessionEnabled,
&device_restricted_managed_guest_session_enabled);
return device_restricted_managed_guest_session_enabled;
}
} // namespace
namespace policy {
RestrictedMGSPolicyProvider::RestrictedMGSPolicyProvider() {
UpdatePolicyBundle();
}
RestrictedMGSPolicyProvider::~RestrictedMGSPolicyProvider() = default;
// static
std::unique_ptr<RestrictedMGSPolicyProvider>
RestrictedMGSPolicyProvider::Create() {
if (!chromeos::IsManagedGuestSession()) {
return nullptr;
}
std::unique_ptr<RestrictedMGSPolicyProvider> provider(
new RestrictedMGSPolicyProvider());
return provider;
}
void RestrictedMGSPolicyProvider::RefreshPolicies(PolicyFetchReason reason) {}
void RestrictedMGSPolicyProvider::UpdatePolicyBundle() {
weak_factory_.InvalidateWeakPtrs();
PolicyBundle bundle = policies().Clone();
PolicyMap& chrome_policy =
bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()));
if (IsDeviceRestrictedManagedGuestSessionEnabled())
ApplyRestrictedManagedGuestSessionOverride(&chrome_policy);
UpdatePolicy(std::move(bundle));
}
// Details about the restricted managed guest session and the overridden
// policies can be found here: go/restricted-managed-guest-session.
void RestrictedMGSPolicyProvider::ApplyRestrictedManagedGuestSessionOverride(
PolicyMap* chrome_policy) {
std::pair<std::string, base::Value> policy_overrides[] = {
{key::kArcEnabled, base::Value(false)},
{key::kCrostiniAllowed, base::Value(false)},
{key::kDeletePrintJobHistoryAllowed, base::Value(true)},
{key::kKerberosEnabled, base::Value(false)},
{key::kNetworkFileSharesAllowed, base::Value(false)},
{key::kUserBorealisAllowed, base::Value(false)},
{key::kUserPluginVmAllowed, base::Value(false)},
{key::kAllowDeletingBrowserHistory, base::Value(true)},
{key::kCACertificateManagementAllowed,
base::Value(static_cast<int>(CACertificateManagementPermission::kNone))},
{key::kClientCertificateManagementAllowed,
base::Value(
static_cast<int>(ClientCertificateManagementPermission::kNone))},
{key::kEnableMediaRouter, base::Value(false)},
{key::kPasswordManagerEnabled, base::Value(false)},
{key::kScreenCaptureAllowed, base::Value(false)},
};
for (auto& policy_override : policy_overrides) {
chrome_policy->Set(policy_override.first, POLICY_LEVEL_MANDATORY,
POLICY_SCOPE_USER,
POLICY_SOURCE_RESTRICTED_MANAGED_GUEST_SESSION_OVERRIDE,
std::move(policy_override.second), nullptr);
}
}
} // namespace policy
|
