OLD | NEW |
1 // Copyright (c) 2014 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/policy/core/common/policy_loader_win.h" | 5 #include "components/policy/core/common/policy_loader_win.h" |
6 | 6 |
7 #include <windows.h> | 7 #include <windows.h> |
8 #include <lm.h> // For limits. | 8 #include <lm.h> // For limits. |
9 #include <ntdsapi.h> // For Ds[Un]Bind | 9 #include <ntdsapi.h> // For Ds[Un]Bind |
10 #include <rpc.h> // For struct GUID | 10 #include <rpc.h> // For struct GUID |
(...skipping 372 matching lines...)
383 | 383 |
384 // Policy scope and corresponding hive. | 384 // Policy scope and corresponding hive. |
385 static const struct { | 385 static const struct { |
386 PolicyScope scope; | 386 PolicyScope scope; |
387 HKEY hive; | 387 HKEY hive; |
388 } kScopes[] = { | 388 } kScopes[] = { |
389 { POLICY_SCOPE_MACHINE, HKEY_LOCAL_MACHINE }, | 389 { POLICY_SCOPE_MACHINE, HKEY_LOCAL_MACHINE }, |
390 { POLICY_SCOPE_USER, HKEY_CURRENT_USER }, | 390 { POLICY_SCOPE_USER, HKEY_CURRENT_USER }, |
391 }; | 391 }; |
392 | 392 |
| 393 bool is_enterprise = base::win::IsEnrolledToDomain(); |
| 394 VLOG(1) << "Reading policy from the registry is " |
| 395 << (is_enterprise ? "enabled." : "disabled."); |
| 396 |
393 // Load policy data for the different scopes/levels and merge them. | 397 // Load policy data for the different scopes/levels and merge them. |
394 scoped_ptr<PolicyBundle> bundle(new PolicyBundle()); | 398 scoped_ptr<PolicyBundle> bundle(new PolicyBundle()); |
395 PolicyMap* chrome_policy = | 399 PolicyMap* chrome_policy = |
396 &bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())); | 400 &bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())); |
397 for (size_t i = 0; i < arraysize(kScopes); ++i) { | 401 for (size_t i = 0; i < arraysize(kScopes); ++i) { |
398 PolicyScope scope = kScopes[i].scope; | 402 PolicyScope scope = kScopes[i].scope; |
399 PolicyLoadStatusSample status; | 403 PolicyLoadStatusSample status; |
400 RegistryDict gpo_dict; | 404 RegistryDict gpo_dict; |
401 | 405 |
402 // Note: GPO rules mandate a call to EnterCriticalPolicySection() here, and | 406 // Note: GPO rules mandate a call to EnterCriticalPolicySection() here, and |
403 // a matching LeaveCriticalPolicySection() call below after the | 407 // a matching LeaveCriticalPolicySection() call below after the |
404 // ReadPolicyFromGPO() block. Unfortunately, the policy mutex may be | 408 // ReadPolicyFromGPO() block. Unfortunately, the policy mutex may be |
405 // unavailable for extended periods of time, and there are reports of this | 409 // unavailable for extended periods of time, and there are reports of this |
406 // happening in the wild: http://crbug.com/265862. | 410 // happening in the wild: http://crbug.com/265862. |
407 // | 411 // |
408 // Blocking for minutes is neither acceptable for Chrome startup, nor on | 412 // Blocking for minutes is neither acceptable for Chrome startup, nor on |
409 // the FILE thread on which this code runs in steady state. Given that | 413 // the FILE thread on which this code runs in steady state. Given that |
410 // there have never been any reports of issues due to partially-applied / | 414 // there have never been any reports of issues due to partially-applied / |
411 // corrupt group policy, this code intentionally omits the | 415 // corrupt group policy, this code intentionally omits the |
412 // EnterCriticalPolicySection() call. | 416 // EnterCriticalPolicySection() call. |
413 // | 417 // |
414 // If there's ever reason to revisit this decision, one option could be to | 418 // If there's ever reason to revisit this decision, one option could be to |
415 // make the EnterCriticalPolicySection() call on a dedicated thread and | 419 // make the EnterCriticalPolicySection() call on a dedicated thread and |
416 // timeout on it more aggressively. For now, there's no justification for | 420 // timeout on it more aggressively. For now, there's no justification for |
417 // the additional effort this would introduce. | 421 // the additional effort this would introduce. |
418 | 422 |
419 if (!ReadPolicyFromGPO(scope, &gpo_dict, &status)) { | 423 if (is_enterprise || !ReadPolicyFromGPO(scope, &gpo_dict, &status)) { |
420 VLOG(1) << "Failed to read GPO files for " << scope | 424 VLOG_IF(1, !is_enterprise) << "Failed to read GPO files for " << scope |
421 << " falling back to registry."; | 425 << " falling back to registry."; |
422 gpo_dict.ReadRegistry(kScopes[i].hive, chrome_policy_key_); | 426 gpo_dict.ReadRegistry(kScopes[i].hive, chrome_policy_key_); |
423 } | 427 } |
424 | 428 |
425 // Remove special-cased entries from the GPO dictionary. | 429 // Remove special-cased entries from the GPO dictionary. |
426 scoped_ptr<RegistryDict> recommended_dict( | 430 scoped_ptr<RegistryDict> recommended_dict( |
427 gpo_dict.RemoveKey(kKeyRecommended)); | 431 gpo_dict.RemoveKey(kKeyRecommended)); |
428 scoped_ptr<RegistryDict> third_party_dict( | 432 scoped_ptr<RegistryDict> third_party_dict( |
429 gpo_dict.RemoveKey(kKeyThirdParty)); | 433 gpo_dict.RemoveKey(kKeyThirdParty)); |
430 | 434 |
431 // Load Chrome policy. | 435 // Load Chrome policy. |
(...skipping 205 matching lines...)
637 | 641 |
638 void PolicyLoaderWin::OnObjectSignaled(HANDLE object) { | 642 void PolicyLoaderWin::OnObjectSignaled(HANDLE object) { |
639 DCHECK(object == user_policy_changed_event_.handle() || | 643 DCHECK(object == user_policy_changed_event_.handle() || |
640 object == machine_policy_changed_event_.handle()) | 644 object == machine_policy_changed_event_.handle()) |
641 << "unexpected object signaled policy reload, obj = " | 645 << "unexpected object signaled policy reload, obj = " |
642 << std::showbase << std::hex << object; | 646 << std::showbase << std::hex << object; |
643 Reload(false); | 647 Reload(false); |
644 } | 648 } |
645 | 649 |
646 } // namespace policy | 650 } // namespace policy |
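Review bot: The new log line and the new condition disagree on a machine that is not domain-enrolled: the VLOG at new line 394 reports that reading policy from the registry is "disabled.", yet the branch at new line 423 still calls `gpo_dict.ReadRegistry(kScopes[i].hive, chrome_policy_key_)` whenever `ReadPolicyFromGPO()` returns false. If registry-supplied policy is meant to be ignored off-domain, that fallback has to be gated on `is_enterprise` as well; if the fallback is intended, the message should say so, e.g. `<< (is_enterprise ? "preferred." : "a fallback only.");`. Either way, a comment above the `if` should record why enrolled machines skip `ReadPolicyFromGPO()`, for example `// Domain-enrolled machines read the registry directly; GPO files are parsed only when not enrolled.`, and `is_enterprise` can be declared `const bool`. On the enrolled path `status` is never passed to `ReadPolicyFromGPO()` in the visible lines; the enclosing function starts and ends in the skipped regions, so whether the status sample is still reported meaningfully cannot be confirmed from here.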