Prevent ONC-pushed certificates from being used with multiprofiles.

chrome/browser/chromeos/login/multi_profile_user_controller.cc

Index: chrome/browser/chromeos/login/multi_profile_user_controller.cc
diff --git a/chrome/browser/chromeos/login/multi_profile_user_controller.cc b/chrome/browser/chromeos/login/multi_profile_user_controller.cc
index 1290663a44741135dd5057b4b4deb77c8507cf2b..fd9e0e105ef9e80ee12abf0d89fb24afc32fb001 100644
--- a/chrome/browser/chromeos/login/multi_profile_user_controller.cc
+++ b/chrome/browser/chromeos/login/multi_profile_user_controller.cc
@@ -12,6 +12,7 @@
 #include "base/prefs/scoped_user_pref_update.h"
 #include "chrome/browser/chromeos/login/multi_profile_user_controller_delegate.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
+#include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #include "chrome/browser/prefs/pref_service_syncable.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/common/pref_names.h"
@@ -80,6 +81,11 @@ bool MultiProfileUserController::IsUserAllowedInSession(
   if (user_manager->GetOwnerEmail() == user_email)
     return false;
 
+  // Don't allow profiles potentially tainted by data fetched with policy-pushed
+  // certificates to join a multiprofile session.
+  if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user_email))
+    return false;
+
   // No user is allowed if the primary user policy forbids it.
   const std::string primary_user_behavior = GetCachedValue(primary_user_email);
   if (primary_user_behavior == kBehaviorNotAllowed)