Policy implementation for encryptfs to ext4 migration strategy

chrome/browser/chromeos/arc/arc_util.cc

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/arc/arc_util.h"
 
 #include <linux/magic.h>
 #include <sys/statfs.h>
 
 #include "base/callback.h"
+#include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "base/sys_info.h"
 #include "base/task_scheduler/post_task.h"
 #include "base/threading/thread_restrictions.h"
+#include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/arc/arc_session_manager.h"
 #include "chrome/browser/chromeos/login/user_flow.h"
 #include "chrome/browser/chromeos/login/users/chrome_user_manager.h"
+#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/common/pref_names.h"
+#include "chromeos/chromeos_switches.h"
 #include "components/arc/arc_util.h"
 #include "components/prefs/pref_service.h"
 #include "components/user_manager/known_user.h"
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
 
 namespace arc {
 
 namespace {
 
 constexpr char kLsbReleaseArcVersionKey[] = "CHROMEOS_ARC_ANDROID_SDK_VERSION";
 constexpr char kAndroidMSdkVersion[] = "23";
 
 // Let IsAllowedForProfile() return "false" for any profile.
 bool g_disallow_for_testing = false;
 
 // Let IsArcBlockedDueToIncompatibleFileSystem() return the specified value
 // during test runs.
 bool g_arc_blocked_due_to_incomaptible_filesystem_for_testing = false;
 
+// This flag is set the first time the check if migration to ext4 is allowed,
+// and remains unchanged after that.
+// TODO(igorcov): Remove this after migration. crbug.com/725493
+base::Optional<bool> g_is_arc_migration_allowed;

[bartfab (slow), 2017/06/12 12:49:03]

Nit: #include "base/optional.h"

[igorcov, 2017/06/12 16:50:09]

Done.

+
 // Returns whether ARC can run on the filesystem mounted at |path|.
 // This function should run only on threads where IO operations are allowed.
 bool IsArcCompatibleFilesystem(const base::FilePath& path) {
   base::ThreadRestrictions::AssertIOAllowed();
 
   // If it can be verified it is not on ecryptfs, then it is ok.
   struct statfs statfs_buf;
   if (statfs(path.value().c_str(), &statfs_buf) < 0)
     return false;
   return statfs_buf.f_type != ECRYPTFS_SUPER_MAGIC;
@@ skipping 13 matching lines @@
 }
 
 FileSystemCompatibilityState GetFileSystemCompatibilityPref(
     const AccountId& account_id) {
   int pref_value = kFileSystemIncompatible;
   user_manager::known_user::GetIntegerPref(
       account_id, prefs::kArcCompatibleFilesystemChosen, &pref_value);
   return static_cast<FileSystemCompatibilityState>(pref_value);
 }
 
+bool IsArcMigrationAllowedInternal() {
+  // If the device is not managed, then the migration allowed.
+  if (!g_browser_process->platform_part()

[bartfab (slow), 2017/06/12 12:49:03]

Nit: #include "chrome/browser/browser_process_platform_part.h"

[igorcov, 2017/06/12 16:50:09]

Done.

+           ->browser_policy_connector_chromeos()
+           ->IsEnterpriseManaged()) {
+    return true;
+  }
+
+  const auto* command_line = base::CommandLine::ForCurrentProcess();

[bartfab (slow), 2017/06/12 12:49:04]

Nit: const pointer to const

[igorcov, 2017/06/12 16:50:09]

Done.

+  // If the command line flag is missing, the migration for this type of
+  // device is allowed regardless of the policy data.
+  if (!command_line->HasSwitch(
+          chromeos::switches::kNeedArcMigrationPolicyCheck)) {
+    return true;
+  }
+
+  const PrefService* pref_service =

[bartfab (slow), 2017/06/12 12:49:03]

Nit: const pointer to const

[igorcov, 2017/06/12 16:50:09]

Done.

+      user_manager::UserManager::Get()->GetLocalState();
+  const PrefService::Preference* pref =

[bartfab (slow), 2017/06/12 12:49:04]

Nit: const pointer to const

[igorcov, 2017/06/12 16:50:09]

Done.

+      pref_service->FindPreference(prefs::kDeviceEcryptfsMigrationStrategy);
+
+  return pref && pref->GetValue() &&
+         pref->GetValue()->GetInt() ==

[bartfab (slow), 2017/06/12 12:49:03]

Nit: #include "base/values.h"

[igorcov, 2017/06/12 16:50:09]

Done.

+             enterprise_management::DeviceEcryptfsMigrationStrategyProto::
+                 ALLOW_MIGRATION;
+}
+
 }  // namespace
 
 bool IsArcAllowedForProfile(const Profile* profile) {

[kinaba, 2017/06/12 00:22:07]

Returning false from this utility method does not block the migration UI
(contrarily to IsArcAvailable() that indeed blocks the migration.)

Will there be additional CL coming for blocking the migration to happen?

[igorcov, 2017/06/12 16:50:09]

Added additional checks for migration UI. Thank you.

   if (g_disallow_for_testing) {
     VLOG(1) << "ARC is disallowed for testing.";
     return false;
   }
 
   // ARC Kiosk can be enabled even if ARC is not yet supported on the device.
   // In that case IsArcKioskMode() should return true as profile is already
   // created.
   if (!IsArcAvailable() && !(IsArcKioskMode() && IsArcKioskAvailable())) {
     VLOG(1) << "ARC is not available.";
@@ skipping 26 matching lines @@
   // users do this through GAIA, but Kiosk and Active Directory users use
   // different application install mechanism. ARC is not allowed otherwise
   // (e.g. in public sessions). cf) crbug.com/605545
   const user_manager::User* user =
       chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
   if (!IsArcAllowedForUser(user)) {
     VLOG(1) << "ARC is not allowed for the user.";
     return false;
   }
 
+  // If migration policy check is needed (specified by commandline flag), check
+  // the policy, which should be already available here. If policy says
+  // migration is not allowed, do not run ARC, regardless whether file system
+  // migration is actually needed. For example, even if file system is still
+  // ecryptfs and ARC version is M, or file system is already migrated into ext4
+  // crypt and ARC version is N or later, if policy says migration is not
+  // allowed, ARC will never run. Practically, in the former example case,
+  // --need-arc-migration-policy-check is not set, so this check passes and user
+  // can use ARC. In latter case, policy should say migration is allowed, so
+  // also user can use ARC then.
+  // TODO(igorcov): Remove this after migration. crbug.com/725493
+  if (!IsArcMigrationAllowed()) {
+    VLOG(1) << "ARC requires migration, but is not allowed by the policy.";

[bartfab (slow), 2017/06/12 12:49:04]

Nit: The log statement contradicts the comment above it. ARC may be disabled,
even though no migration is needed.

[igorcov, 2017/06/12 16:50:09]

Fixed the log statement.

+    return false;
+  }
+
   // Do not run ARC instance when supervised user is being created.
   // Otherwise noisy notification may be displayed.
   chromeos::UserFlow* user_flow =
       chromeos::ChromeUserManager::Get()->GetUserFlow(user->GetAccountId());
   if (!user_flow || !user_flow->CanStartArc()) {
     VLOG(1) << "ARC is not allowed in the current user flow.";
     return false;
   }
 
   return true;
@@ skipping 120 matching lines @@
 
   // Otherwise, check the underlying filesystem.
   base::PostTaskWithTraitsAndReplyWithResult(
       FROM_HERE,
       {base::MayBlock(), base::TaskPriority::USER_BLOCKING,
        base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},
       base::Bind(&IsArcCompatibleFilesystem, profile_path),
       base::Bind(&StoreCompatibilityCheckResult, account_id, callback));
 }
 
+bool IsArcMigrationAllowed() {
+  if (!g_is_arc_migration_allowed.has_value())
+    g_is_arc_migration_allowed = IsArcMigrationAllowedInternal();
+  return g_is_arc_migration_allowed.value();
+}
+
+void ResetArcMigrationAllowedForTesting() {
+  g_is_arc_migration_allowed.reset();
+}
+
 }  // namespace arc