Bug 1463895 - Allow some policies to be machine-only. r=mkaply

Machine-only policies can only be triggered from sources that require user privileges to make machine-wide changes. Currently, that means the policies.json file in the installation folder, or the HKEY_LOCAL_MACHINE registry root. In other words, it currently excludes the HKEY_CURRENT_USER registry root MozReview-Commit-ID: G9wxEM19yVb --HG-- extra : rebase_source : 8343d247fa308313f5ca466290f515716fa33ba0
2018-05-28 18:35:15 -03:00 · 2018-05-28 18:35:15 -03:00 · b370cc0222
--- a/browser/components/enterprisepolicies/EnterprisePolicies.js
+++ b/browser/components/enterprisepolicies/EnterprisePolicies.js
@ -424,23 +424,11 @@ class GPOPoliciesProvider {
    this._policies = null;

    let wrk = Cc["@mozilla.org/windows-registry-key;1"].createInstance(Ci.nsIWindowsRegKey);
+
    // Machine policies override user policies, so we read
    // user policies first and then replace them if necessary.
-    wrk.open(wrk.ROOT_KEY_CURRENT_USER,
-             "SOFTWARE\\Policies",
-             wrk.ACCESS_READ);
-    if (wrk.hasChild("Mozilla\\Firefox")) {
-      this._readData(wrk);
-    }
-    wrk.close();
-
-    wrk.open(wrk.ROOT_KEY_LOCAL_MACHINE,
-             "SOFTWARE\\Policies",
-             wrk.ACCESS_READ);
-    if (wrk.hasChild("Mozilla\\Firefox")) {
-      this._readData(wrk);
-    }
-    wrk.close();
+    this._readData(wrk, wrk.ROOT_KEY_CURRENT_USER);
+    this._readData(wrk, wrk.ROOT_KEY_LOCAL_MACHINE);
  }

  get hasPolicies() {
@ -455,8 +443,13 @@ class GPOPoliciesProvider {
    return this._failed;
  }

-  _readData(wrk) {
-    this._policies = WindowsGPOParser.readPolicies(wrk, this._policies);
+  _readData(wrk, root) {
+    wrk.open(root, "SOFTWARE\\Policies", wrk.ACCESS_READ);
+    if (wrk.hasChild("Mozilla\\Firefox")) {
+      let isMachineRoot = (root == wrk.ROOT_KEY_LOCAL_MACHINE);
+      this._policies = WindowsGPOParser.readPolicies(wrk, this._policies, isMachineRoot);
+    }
+    wrk.close();
  }
 }

--- a/browser/components/enterprisepolicies/WindowsGPOParser.jsm
+++ b/browser/components/enterprisepolicies/WindowsGPOParser.jsm
@ -19,16 +19,20 @@ XPCOMUtils.defineLazyGetter(this, "log", () => {
  });
 });

+XPCOMUtils.defineLazyModuleGetters(this, {
+  schema: "resource:///modules/policies/schema.jsm",
+});
+
 var EXPORTED_SYMBOLS = ["WindowsGPOParser"];

 var WindowsGPOParser = {
-  readPolicies(wrk, policies) {
+  readPolicies(wrk, policies, isMachineRoot) {
    let childWrk = wrk.openChild("Mozilla\\Firefox", wrk.ACCESS_READ);
    if (!policies) {
      policies = {};
    }
    try {
-      policies = registryToObject(childWrk, policies);
+      policies = registryToObject(childWrk, policies, isMachineRoot);
    } catch (e) {
      log.error(e);
    } finally {
@ -37,13 +41,14 @@ var WindowsGPOParser = {
    // Need an extra check here so we don't
    // JSON.stringify if we aren't in debug mode
    if (log._maxLogLevel == "debug") {
+      log.debug("root = " + isMachineRoot ? "HKEY_LOCAL_MACHINE" : "HKEY_CURRENT_USER");
      log.debug(JSON.stringify(policies, null, 2));
    }
    return policies;
  }
 };

-function registryToObject(wrk, policies) {
+function registryToObject(wrk, policies, isMachineRoot) {
  if (!policies) {
    policies = {};
  }
@ -60,6 +65,14 @@ function registryToObject(wrk, policies) {
    for (let i = 0; i < wrk.valueCount; i++) {
      let name = wrk.getValueName(i);
      let value = readRegistryValue(wrk, name);
+
+      if (!isMachineRoot &&
+          schema.properties[name] &&
+          schema.properties[name].machine_only) {
+        log.error(`Policy ${name} is only allowed under the HKEY_LOCAL_MACHINE root`);
+        continue;
+      }
+
      policies[name] = value;
    }
  }