PS - Remove Clipboard Read permission from extensions in Public Sessions (except for whitelisted on…

chrome/browser/chromeos/extensions/permissions_updater_delegate_chromeos.cc

Index: chrome/browser/chromeos/extensions/permissions_updater_delegate_chromeos.cc
diff --git a/chrome/browser/chromeos/extensions/permissions_updater_delegate_chromeos.cc b/chrome/browser/chromeos/extensions/permissions_updater_delegate_chromeos.cc
new file mode 100644
index 0000000000000000000000000000000000000000..28af4c8469ba2a3acf05fc87be106e56fc9c6ea0
--- /dev/null
+++ b/chrome/browser/chromeos/extensions/permissions_updater_delegate_chromeos.cc
@@ -0,0 +1,42 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/extensions/permissions_updater_delegate_chromeos.h"
+
+#include "chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.h"
+#include "chrome/browser/profiles/profiles_state.h"
+#include "extensions/common/permissions/api_permission.h"
+#include "extensions/common/permissions/api_permission_set.h"
+#include "extensions/common/permissions/manifest_permission_set.h"
+#include "extensions/common/permissions/permission_set.h"
+#include "extensions/common/url_pattern_set.h"
+
+namespace extensions {
+
+PermissionsUpdaterDelegateChromeOS::PermissionsUpdaterDelegateChromeOS() {}
+
+PermissionsUpdaterDelegateChromeOS::~PermissionsUpdaterDelegateChromeOS() {}
+
+void PermissionsUpdaterDelegateChromeOS::InitializePermissions(
+    const Extension* extension,
+    std::unique_ptr<const PermissionSet>* granted_permissions) {
+  if (!profiles::IsPublicSession() ||
+      chromeos::DeviceLocalAccountManagementPolicyProvider::IsWhitelisted(
+          extension) ||
+      !(*granted_permissions)

[Andrew T Wilson (Slow), 2017/04/11 11:32:54]

Why check for this here? If kClipboardRead isn't set, then the code below is a
no-op? I'm just thinking that if we ever want to extend this code to remove
other permissions, it's gonna make this logic more convoluted.

[Ivan Šandrk, 2017/04/11 13:37:27]

Devlin told me to add this part.

[Devlin, 2017/04/11 15:03:38]

PermissionSets are designed to be (mostly) immutable, so when we remove a
permission, we do so by constructing a new PermissionSet, which isn't terribly
expensive, but isn't free.  I'd prefer we only do that work if necessary.

+           ->HasAPIPermission(APIPermission::kClipboardRead)) {
+    return;
+  }
+  // Revoke kClipboardRead permission (used in Public Sessions to secure
+  // clipboard read functionality). This forceful removal of permission is safe
+  // since the clipboard pasting code checks for this permission before doing
+  // the paste (the end result is just an empty paste).
+  APIPermissionSet api_permission_set((*granted_permissions)->apis());
+  api_permission_set.erase(APIPermission::kClipboardRead);
+  granted_permissions->reset(
+      new PermissionSet(api_permission_set, ManifestPermissionSet(),
+                        URLPatternSet(), URLPatternSet()));
+}
+
+}  // namespace extensions