Introduce lock screen app manager

Introduce lock screen app manager

Adds default lock screen app manager implementation.
The app manager, when started, checks if a lock screen enabled
note taking app is set, and if so, loads it to the profile used
to run apps on the lock screen. When stopped, app manager will
remove (and uninstall) the app from the profile.
The app is installed and loaded to the lock screen profile as follows:
 *  for unpacked apps - the app is loaded from the (original) unpacked
    app location
 *  for others - the app resources are copied from the original, user 
    profile to the lock screen app profile's extension install 
    directory and loaded from the copied location

The app manager observes the note taking app state in the user
profile and updates lock screen app's profile accordingly.

BUG=715781
Review-Url: https://codereview.chromium.org/2902293002
Cr-Commit-Position: refs/heads/master@{#484815}
Committed: https://chromium.googlesource.com/chromium/src/+/c577bdc5b338dd58d27c8aeec32351263a47ad61

[tbarzic, 2017-05-25 19:06:12]

tbarzic@chromium.org changed reviewers:
+ jdufault@chromium.org, rdevlin.cronin@chromium.org, xiyuan@chromium.org

[tbarzic, 2017-05-25 19:06:12]

jdufault - primarily for note_taking_helper
xiyuan - chrome/browser/chromeos

rdevlin.cronin - app_manager_impl.cc
(as it adds a usage for RUNS_ON_LOCK_SCREEN flag I wanted to introduce in
https://codereview.chromium.org/2892403002/)

[jdufault, 2017-05-26 19:15:53]

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:81:
UnloadLockApp(lock_screen_app_id_);
what if state_ == State::kNotInitialized?

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.h (right):

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.h:55: kIdle,
kInitializing?

Idle implies that this class actively does work over a (long) period of time.

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/note_taking_helper.cc (right):

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/note_taking_helper.cc:158: if
(!ash::palette_utils::HasStylusInput())
Why do we disable preferred app if there is no stylus?

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/note_taking_helper.cc:162: if
(LooksLikeAndroidPackageName(preferred_app_id))
Add a comment,

// Lock screen does not currently support android.

[tbarzic, 2017-05-26 19:34:14]

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:81:
UnloadLockApp(lock_screen_app_id_);
On 2017/05/26 19:15:52, jdufault wrote:
> what if state_ == State::kNotInitialized?

Done.

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.h (right):

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.h:55: kIdle,
On 2017/05/26 19:15:53, jdufault wrote:
> kInitializing?
> 
> Idle implies that this class actively does work over a (long) period of time.

Changed name to kInactive

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/note_taking_helper.cc (right):

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/note_taking_helper.cc:158: if
(!ash::palette_utils::HasStylusInput())
On 2017/05/26 19:15:53, jdufault wrote:
> Why do we disable preferred app if there is no stylus?

Yeah, I guess we don;t have to.

https://codereview.chromium.org/2902293002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/note_taking_helper.cc:162: if
(LooksLikeAndroidPackageName(preferred_app_id))
On 2017/05/26 19:15:53, jdufault wrote:
> Add a comment,
> 
> // Lock screen does not currently support android.

Added a comment, but at the place where this method is used.
(returning null here matches the method name nicely, and I don't think it needs
extra clarification)

[xiyuan, 2017-05-26 22:44:53]

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager.h (right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager.h:44: virtual void
Start(Observer* observer) = 0;
Prefer to use a Callback than using an interface pointer unless we plan to add
more stuff to the interface. The benefit of using a Callback is that we can
decouple the lifetime of an observer with AppManager by using WeakPtr when using
Bind to create the Callback etc.

If we want to use Observer interface, we probably should have a way for an
Observer to remove itself from AppManager (e.g. provide an ObserverDetroyed() in
the interface, or passing WeakPtr instead of raw pointer) or ensure it stays
alive (e.g. scoped_refptr).

Or at least, document the lifetime expectation.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.h (right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.h:24: namespace
lock_screen_apps {
nit: insert an empty line

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl_unittest.cc
(right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl_unittest.cc:257:
true);
nit: The above lines are quite similar in the test cases before this one. Create
a helper to reduce dup code?

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc
(right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:68:
launch_count_++;
nit: ++launch_count_;

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:107:
Profile* expected_lock_screen_profile_;
nit: Profile* const for the two above

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/note_taking_helper.cc (right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:158: std::string preferred_app_id
=
nit: const std::string

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:162: const extensions::Extension*
preferred_app =
nit: insert an empty line before

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:167: if
(!IsWhitelistedChromeApp(preferred_app) &&
nit: insert an empty line before

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:172: NoteTakingLockScreenSupport
lock_screen_support =
nit: insert an empty line before

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:182:
std::unique_ptr<NoteTakingAppInfo> info =
nit: insert an empty line before

[tbarzic, 2017-05-27 00:48:36]

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager.h (right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager.h:44: virtual void
Start(Observer* observer) = 0;
On 2017/05/26 22:44:52, xiyuan wrote:
> Prefer to use a Callback than using an interface pointer unless we plan to add
> more stuff to the interface. The benefit of using a Callback is that we can
> decouple the lifetime of an observer with AppManager by using WeakPtr when
using
> Bind to create the Callback etc.
> 
> If we want to use Observer interface, we probably should have a way for an
> Observer to remove itself from AppManager (e.g. provide an ObserverDetroyed()
in
> the interface, or passing WeakPtr instead of raw pointer) or ensure it stays
> alive (e.g. scoped_refptr).
> 
> Or at least, document the lifetime expectation.

Done.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.h (right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.h:24: namespace
lock_screen_apps {
On 2017/05/26 22:44:52, xiyuan wrote:
> nit: insert an empty line

Done.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl_unittest.cc
(right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl_unittest.cc:257:
true);
On 2017/05/26 22:44:52, xiyuan wrote:
> nit: The above lines are quite similar in the test cases before this one.
Create
> a helper to reduce dup code?

Done.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc
(right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:68:
launch_count_++;
On 2017/05/26 22:44:52, xiyuan wrote:
> nit: ++launch_count_;

Done.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:107:
Profile* expected_lock_screen_profile_;
On 2017/05/26 22:44:52, xiyuan wrote:
> nit: Profile* const for the two above

Done.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
File chrome/browser/chromeos/note_taking_helper.cc (right):

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:158: std::string preferred_app_id
=
On 2017/05/26 22:44:52, xiyuan wrote:
> nit: const std::string

Done.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:162: const extensions::Extension*
preferred_app =
On 2017/05/26 22:44:52, xiyuan wrote:
> nit: insert an empty line before

Done.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:167: if
(!IsWhitelistedChromeApp(preferred_app) &&
On 2017/05/26 22:44:52, xiyuan wrote:
> nit: insert an empty line before

Done.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:172: NoteTakingLockScreenSupport
lock_screen_support =
On 2017/05/26 22:44:52, xiyuan wrote:
> nit: insert an empty line before

Done.

https://codereview.chromium.org/2902293002/diff/120001/chrome/browser/chromeo...
chrome/browser/chromeos/note_taking_helper.cc:182:
std::unique_ptr<NoteTakingAppInfo> info =
On 2017/05/26 22:44:53, xiyuan wrote:
> nit: insert an empty line before

Done.

[Devlin, 2017-05-27 02:03:02]

(focusing on https://codereview.chromium.org/2892403002 before this one)

[xiyuan, 2017-05-30 16:52:14]

lgtm

[tbarzic, 2017-06-02 05:58:45]

The CQ bit was checked by tbarzic@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-02 05:58:55]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-02 06:01:25]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-02 06:01:26]

Dry run: Try jobs failed on following builders:
  ios-device on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds...)
  ios-device-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device-xcode-...)
  ios-simulator on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator/bui...)
  ios-simulator-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator-xco...)
  mac_chromium_compile_dbg_ng on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...)

[tbarzic, 2017-06-02 06:34:00]

The CQ bit was checked by tbarzic@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-02 06:34:16]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-02 08:28:58]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-02 08:29:01]

Dry run: This issue passed the CQ dry run.

[Devlin, 2017-06-05 16:09:35]

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:39:
DCHECK_NE(primary_profile, lock_screen_profile);
Is there any defined relation between primary and lock screen profile?  e.g.,
would calling lockscreen_profile->GetOriginalProfile() return primary profile?

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:81:
extensions_observer_.RemoveAll();
Is the ExtensionRegistry guaranteed to outlive this object?

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:105: Profile*
target_profile = lock_screen_profile_->GetOriginalProfile();
can we somewhere explain target, lockscreen, and primary profile distinctions?

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:188:
ExtensionService::UninstallExtensionHelper(
nit: prefer just using ExtensionService::UninstallExtension().

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:194: // copying and
installing the app to the target profile.
Yeah, this strikes me as very strange.  What happens when one of these profiles
tries to write to the extension directory?  Does the lock screen profile read
access to all the files under the user profile?

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:211: void
AppManagerImpl::UnloadLockApp(const std::string& app_id) {
s/Lock/LockScreen?

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:222:
ExtensionService::UninstallExtensionHelper(
Do we unload it, or uninstall it?  The two are not synonymous in the extension
system.

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:222:
ExtensionService::UninstallExtensionHelper(
This is pretty strange in combination with using the different path above.  We
delete the extension files when we uninstall the extension.  By virtue of
implementation details, I think this happens to work, but we really shouldn't be
relying on that.

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/state_controller.cc (right):

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/state_controller.cc:66: app_manager_ =
std::move(app_manager);
nit: DCHECK(!app_manager_)?

[tbarzic, 2017-06-06 01:54:55]

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:39:
DCHECK_NE(primary_profile, lock_screen_profile);
On 2017/06/05 16:09:35, Devlin wrote:
> Is there any defined relation between primary and lock screen profile?  e.g.,
> would calling lockscreen_profile->GetOriginalProfile() return primary profile?

Not really. GetOriginalProfile would return the sign-in profile that is OTR
(which is the case for sign-in profile).
Though, we don't really need OTR sign-in profile here - all usages will get
redirected to the original profile (either using
ExtensionSystem/ExtensionRegistry service getters, or explicitly in
LaunchNoteTaking) - I think I can just pass in the orignial profile as
lock_screen_profile in |Initialize|.

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:81:
extensions_observer_.RemoveAll();
On 2017/06/05 16:09:35, Devlin wrote:
> Is the ExtensionRegistry guaranteed to outlive this object?

yes, this is owned by StateController, which is destroyed before profiles (in
ChromeBrowserMainPartsChromeos::PostMainMessageLoopRun before "shared"
PostMainMessageLoopRun, which starts process tear down, part of which is
destroying profiles).

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:105: Profile*
target_profile = lock_screen_profile_->GetOriginalProfile();
On 2017/06/05 16:09:35, Devlin wrote:
> can we somewhere explain target, lockscreen, and primary profile distinctions?

Documentation for AppManager::Initialize has some explanations for lock screen
and primary profile.

I removed target profile (which was just non-OTR lock_screen_profile)

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:188:
ExtensionService::UninstallExtensionHelper(
On 2017/06/05 16:09:35, Devlin wrote:
> nit: prefer just using ExtensionService::UninstallExtension().

Done.

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:194: // copying and
installing the app to the target profile.
On 2017/06/05 16:09:35, Devlin wrote:
> Yeah, this strikes me as very strange.  What happens when one of these
profiles
> tries to write to the extension directory?  Does the lock screen profile read
> access to all the files under the user profile?

Yeah, I have not yet completely figured out the best approach here :/

Lock screen profile should be able to load resources from user profile location
(provided that the user cryptohome remains decrypted; this might change in
future, but I don't see it happening soon) - after all the resources reading is
done by the same process.

As writing to the extension directory goes, that should generally happen on
extension installation/update, right?
I'd expect that an extension directory remains constant while the extension is
loaded, and that the resource changes become visible to the app after reload -
the similar thing would happen in lock screen profile (when user profile updates
an extension) - loading/unloading of the user profile app should cause the app
load/unload in the lock screen profile.

And lock screen profile should not really write to paths under the user profile
(we probably should also ensure that the extension updater is not started for
lock screen profile, so there are no unexpected updates - though, looking at
code, these would seem to end up in the lock screen profile).

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:211: void
AppManagerImpl::UnloadLockApp(const std::string& app_id) {
On 2017/06/05 16:09:35, Devlin wrote:
> s/Lock/LockScreen?

Done.

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:222:
ExtensionService::UninstallExtensionHelper(
On 2017/06/05 16:09:34, Devlin wrote:
> Do we unload it, or uninstall it?  The two are not synonymous in the extension
> system.

Closer to uninstall (though, the initial version of the cl had unloading - I
changed that so the app data is cleared between session locks).
Yeah, this happens to work due to implementation in chrome_assets_manager - I do
plan to make this check more explicit there when I introduce designated lock
screen app profile (provided the way the app is added to lock screen profile
does not change - otherwise this would become a moot point).

Or maybe I can just add an option to ExtensionService::UninstallExtension to
skip deleting extension files.

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/state_controller.cc (right):

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/state_controller.cc:66: app_manager_ =
std::move(app_manager);
On 2017/06/05 16:09:35, Devlin wrote:
> nit: DCHECK(!app_manager_)?

Done.

[tbarzic, 2017-06-09 17:11:26]

ping. Can I please get some traction on this?

[Devlin, 2017-06-09 18:18:41]

This looks fine except for the weirdness in installation/uninstallation.

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:194: // copying and
installing the app to the target profile.
On 2017/06/06 01:54:55, tbarzic wrote:
> On 2017/06/05 16:09:35, Devlin wrote:
> > Yeah, this strikes me as very strange.  What happens when one of these
> profiles
> > tries to write to the extension directory?  Does the lock screen profile
read
> > access to all the files under the user profile?
> 
> Yeah, I have not yet completely figured out the best approach here :/
> 
> Lock screen profile should be able to load resources from user profile
location
> (provided that the user cryptohome remains decrypted; this might change in
> future, but I don't see it happening soon) - after all the resources reading
is
> done by the same process.
> 
> As writing to the extension directory goes, that should generally happen on
> extension installation/update, right?
> I'd expect that an extension directory remains constant while the extension is
> loaded, and that the resource changes become visible to the app after reload -
> the similar thing would happen in lock screen profile (when user profile
updates
> an extension) - loading/unloading of the user profile app should cause the app
> load/unload in the lock screen profile.
> 
> And lock screen profile should not really write to paths under the user
profile
> (we probably should also ensure that the extension updater is not started for
> lock screen profile, so there are no unexpected updates - though, looking at
> code, these would seem to end up in the lock screen profile).

Out of curiosity, is there a reason to not write the extension to the lockscreen
profile, thus avoiding this issue and the uninstall/delete file problem?

[tbarzic, 2017-06-09 19:01:45]

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:194: // copying and
installing the app to the target profile.
On 2017/06/09 18:18:40, Devlin (sheriff Jun 9 - 12) wrote:
> On 2017/06/06 01:54:55, tbarzic wrote:
> > On 2017/06/05 16:09:35, Devlin wrote:
> > > Yeah, this strikes me as very strange.  What happens when one of these
> > profiles
> > > tries to write to the extension directory?  Does the lock screen profile
> read
> > > access to all the files under the user profile?
> > 
> > Yeah, I have not yet completely figured out the best approach here :/
> > 
> > Lock screen profile should be able to load resources from user profile
> location
> > (provided that the user cryptohome remains decrypted; this might change in
> > future, but I don't see it happening soon) - after all the resources reading
> is
> > done by the same process.
> > 
> > As writing to the extension directory goes, that should generally happen on
> > extension installation/update, right?
> > I'd expect that an extension directory remains constant while the extension
is
> > loaded, and that the resource changes become visible to the app after reload
-
> > the similar thing would happen in lock screen profile (when user profile
> updates
> > an extension) - loading/unloading of the user profile app should cause the
app
> > load/unload in the lock screen profile.
> > 
> > And lock screen profile should not really write to paths under the user
> profile
> > (we probably should also ensure that the extension updater is not started
for
> > lock screen profile, so there are no unexpected updates - though, looking at
> > code, these would seem to end up in the lock screen profile).
> 
> Out of curiosity, is there a reason to not write the extension to the
lockscreen
> profile, thus avoiding this issue and the uninstall/delete file problem?

One reason is time - I do plan to look more closely into possibility of copying
extension to the lock screen profile, but I think getting the lock screen APIs
working and possibly unbounding lock screen profile from sign-in profile have
somewhat higher priority at this moment.

One potential concern is that we'd end up copying data from (encrypted) user
profile to (unencrypted) lock screen profile, though I expect this being
relevant mainly for unpacked extensions; then there's the question of if the
memory cost of duplicating the extension dir and time cost of copying data is
justified; handling app updates (instead of just reloading the app in lock
screen profile, we'd have to reload and copy app directory)..
I don't think there's anything huge, but it's not that clear-cut to me that
introducing a new installer (from a location within another profile) would be
beneficial.

[Devlin, 2017-06-12 18:31:44]

rdevlin.cronin@chromium.org changed reviewers:
+ kerrnel@chromium.org

[Devlin, 2017-06-12 18:31:45]

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:194: // copying and
installing the app to the target profile.
On 2017/06/09 19:01:45, tbarzic wrote:
> On 2017/06/09 18:18:40, Devlin (sheriff Jun 9 - 12) wrote:
> > On 2017/06/06 01:54:55, tbarzic wrote:
> > > On 2017/06/05 16:09:35, Devlin wrote:
> > > > Yeah, this strikes me as very strange.  What happens when one of these
> > > profiles
> > > > tries to write to the extension directory?  Does the lock screen profile
> > read
> > > > access to all the files under the user profile?
> > > 
> > > Yeah, I have not yet completely figured out the best approach here :/
> > > 
> > > Lock screen profile should be able to load resources from user profile
> > location
> > > (provided that the user cryptohome remains decrypted; this might change in
> > > future, but I don't see it happening soon) - after all the resources
reading
> > is
> > > done by the same process.
> > > 
> > > As writing to the extension directory goes, that should generally happen
on
> > > extension installation/update, right?
> > > I'd expect that an extension directory remains constant while the
extension
> is
> > > loaded, and that the resource changes become visible to the app after
reload
> -
> > > the similar thing would happen in lock screen profile (when user profile
> > updates
> > > an extension) - loading/unloading of the user profile app should cause the
> app
> > > load/unload in the lock screen profile.
> > > 
> > > And lock screen profile should not really write to paths under the user
> > profile
> > > (we probably should also ensure that the extension updater is not started
> for
> > > lock screen profile, so there are no unexpected updates - though, looking
at
> > > code, these would seem to end up in the lock screen profile).
> > 
> > Out of curiosity, is there a reason to not write the extension to the
> lockscreen
> > profile, thus avoiding this issue and the uninstall/delete file problem?
> 
> One reason is time - I do plan to look more closely into possibility of
copying
> extension to the lock screen profile, but I think getting the lock screen APIs
> working and possibly unbounding lock screen profile from sign-in profile have
> somewhat higher priority at this moment.
> 
> One potential concern is that we'd end up copying data from (encrypted) user
> profile to (unencrypted) lock screen profile, though I expect this being
> relevant mainly for unpacked extensions; then there's the question of if the
> memory cost of duplicating the extension dir and time cost of copying data is
> justified; handling app updates (instead of just reloading the app in lock
> screen profile, we'd have to reload and copy app directory)..
> I don't think there's anything huge, but it's not that clear-cut to me that
> introducing a new installer (from a location within another profile) would be
> beneficial.

I talked with kerrnel@ about this, and we both agreed that it makes us a little
uncomfortable from a security standpoint to have the lockscreen profile require
read access to the user's profile.  I think we really should strive to have the
lockscreen profile version separate from the other, which also alleviates any
concerns around the lockscreen profile interfering with the user's profile.

[tbarzic, 2017-06-12 22:11:48]

tbarzic@chromium.org changed reviewers:
+ rkc@chromium.org

[tbarzic, 2017-06-12 22:11:49]

This doesn't really give lock screen profile access to the user profile - lock
screen profile can already read user profile dir (user profile is not encrypted
while the user is logged in, so the user profile directory could be read from
any other profile). TBH, I don't think this is conceptually that much different
from loading an extension from a shared location (which in this case may be
inside a user profile directory).

I will look into changing extension loading logic to create a separate extension
dir from which to load the app, but, honestly, I'd prefer to focus on getting
required APIs working first, so the Keep team can start iterating on their end
(which is blocked on loading the app to the lock screen profile).

[Devlin, 2017-06-13 20:54:42]

On 2017/06/12 22:11:49, tbarzic wrote:
> This doesn't really give lock screen profile access to the user profile - lock
> screen profile can already read user profile dir (user profile is not
encrypted
> while the user is logged in, so the user profile directory could be read from
> any other profile). TBH, I don't think this is conceptually that much
different
> from loading an extension from a shared location (which in this case may be
> inside a user profile directory).
> 
> I will look into changing extension loading logic to create a separate
extension
> dir from which to load the app, but, honestly, I'd prefer to focus on getting
> required APIs working first, so the Keep team can start iterating on their end
> (which is blocked on loading the app to the lock screen profile).

I'll defer to kerrnel@ here whether this should be strict requirement from a
security stand point.  For predictability and consistency, it's my strong
preference (otherwise we may have to audit uses of Extension::path() to see
whether any are going to use that path to modify the extension contents).

I realize that this is more work in the short term, but it's a significantly
better state to be in IMO.

[rkc, 2017-06-13 21:18:17]

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:194: // copying and
installing the app to the target profile.
On 2017/06/12 18:31:45, Devlin wrote:
> On 2017/06/09 19:01:45, tbarzic wrote:
> > On 2017/06/09 18:18:40, Devlin (sheriff Jun 9 - 12) wrote:
> > > On 2017/06/06 01:54:55, tbarzic wrote:
> > > > On 2017/06/05 16:09:35, Devlin wrote:
> > > > > Yeah, this strikes me as very strange.  What happens when one of these
> > > > profiles
> > > > > tries to write to the extension directory?  Does the lock screen
profile
> > > read
> > > > > access to all the files under the user profile?
> > > > 
> > > > Yeah, I have not yet completely figured out the best approach here :/
> > > > 
> > > > Lock screen profile should be able to load resources from user profile
> > > location
> > > > (provided that the user cryptohome remains decrypted; this might change
in
> > > > future, but I don't see it happening soon) - after all the resources
> reading
> > > is
> > > > done by the same process.
> > > > 
> > > > As writing to the extension directory goes, that should generally happen
> on
> > > > extension installation/update, right?
> > > > I'd expect that an extension directory remains constant while the
> extension
> > is
> > > > loaded, and that the resource changes become visible to the app after
> reload
> > -
> > > > the similar thing would happen in lock screen profile (when user profile
> > > updates
> > > > an extension) - loading/unloading of the user profile app should cause
the
> > app
> > > > load/unload in the lock screen profile.
> > > > 
> > > > And lock screen profile should not really write to paths under the user
> > > profile
> > > > (we probably should also ensure that the extension updater is not
started
> > for
> > > > lock screen profile, so there are no unexpected updates - though,
looking
> at
> > > > code, these would seem to end up in the lock screen profile).
> > > 
> > > Out of curiosity, is there a reason to not write the extension to the
> > lockscreen
> > > profile, thus avoiding this issue and the uninstall/delete file problem?
> > 
> > One reason is time - I do plan to look more closely into possibility of
> copying
> > extension to the lock screen profile, but I think getting the lock screen
APIs
> > working and possibly unbounding lock screen profile from sign-in profile
have
> > somewhat higher priority at this moment.
> > 
> > One potential concern is that we'd end up copying data from (encrypted) user
> > profile to (unencrypted) lock screen profile, though I expect this being
> > relevant mainly for unpacked extensions; then there's the question of if the
> > memory cost of duplicating the extension dir and time cost of copying data
is
> > justified; handling app updates (instead of just reloading the app in lock
> > screen profile, we'd have to reload and copy app directory)..
> > I don't think there's anything huge, but it's not that clear-cut to me that
> > introducing a new installer (from a location within another profile) would
be
> > beneficial.
> 
> I talked with kerrnel@ about this, and we both agreed that it makes us a
little
> uncomfortable from a security standpoint to have the lockscreen profile
require
> read access to the user's profile.  I think we really should strive to have
the
> lockscreen profile version separate from the other, which also alleviates any
> concerns around the lockscreen profile interfering with the user's profile.

We've had this discussion in many different forms now. This code runs in a
process that *has* access to the user profile. We are depending on the context
keying of code to prevent access to the logged in user's profile from the
lockscreen handling code.

That being said, making one explicit call to read data from the user's profile,
does not equate to "giving the lock screen access to the user profile". Again,
the lockscreen code *already* has that access.

I do want us to take any and all measures we can to ensure that we mitigate any
possible security issues - I just don't see removing this call does that.

We need to load the app. The app is in the user profile. Whether we have code
that copies the app out first, or code that directly loads the app - we *will*
be reading this one particular piece of data from the user profile.

I would argue that given that this call is a well defined call in very mature
code, it would be safer to use it than to introduce new code to do the copy.

[Greg K, 2017-06-13 22:25:35]

Description was changed from

==========
Introduce lock screen app manager

The manager is responsible for loading/unloading the lock screen note
taking app (if one is selected) to/from the profile used for lock
screen apps. StateController starts it when the user session is locked
and stops it when user session is unlocked (at which moment the action
handler app is unloaded from sign-in profile). StateController uses
LockAppManager to determine whether a lock screen enabled note taking
app is set up, and to dispatch launch event to the app in question.

BUG=715781
==========

to

==========
Introduce lock screen app manager

The manager is responsible for loading/unloading the lock screen note
taking app (if one is selected) to/from the profile used for lock
screen apps. StateController starts it when the user session is locked
and stops it when user session is unlocked (at which moment the action
handler app is unloaded from sign-in profile). StateController uses
LockAppManager to determine whether a lock screen enabled note taking
app is set up, and to dispatch launch event to the app in question.

BUG=715781
==========

[Greg K, 2017-06-13 22:25:36]

kerrnel@chromium.org changed reviewers:
+ jorgelo@chromium.org

[Greg K, 2017-06-13 22:25:57]

On 2017/06/13 21:18:17, rkc wrote:
>
https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
> File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):
> 
>
https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
> chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:194: // copying
and
> installing the app to the target profile.
> On 2017/06/12 18:31:45, Devlin wrote:
> > On 2017/06/09 19:01:45, tbarzic wrote:
> > > On 2017/06/09 18:18:40, Devlin (sheriff Jun 9 - 12) wrote:
> > > > On 2017/06/06 01:54:55, tbarzic wrote:
> > > > > On 2017/06/05 16:09:35, Devlin wrote:
> > > > > > Yeah, this strikes me as very strange.  What happens when one of
these
> > > > > profiles
> > > > > > tries to write to the extension directory?  Does the lock screen
> profile
> > > > read
> > > > > > access to all the files under the user profile?
> > > > > 
> > > > > Yeah, I have not yet completely figured out the best approach here :/
> > > > > 
> > > > > Lock screen profile should be able to load resources from user profile
> > > > location
> > > > > (provided that the user cryptohome remains decrypted; this might
change
> in
> > > > > future, but I don't see it happening soon) - after all the resources
> > reading
> > > > is
> > > > > done by the same process.
> > > > > 
> > > > > As writing to the extension directory goes, that should generally
happen
> > on
> > > > > extension installation/update, right?
> > > > > I'd expect that an extension directory remains constant while the
> > extension
> > > is
> > > > > loaded, and that the resource changes become visible to the app after
> > reload
> > > -
> > > > > the similar thing would happen in lock screen profile (when user
profile
> > > > updates
> > > > > an extension) - loading/unloading of the user profile app should cause
> the
> > > app
> > > > > load/unload in the lock screen profile.
> > > > > 
> > > > > And lock screen profile should not really write to paths under the
user
> > > > profile
> > > > > (we probably should also ensure that the extension updater is not
> started
> > > for
> > > > > lock screen profile, so there are no unexpected updates - though,
> looking
> > at
> > > > > code, these would seem to end up in the lock screen profile).
> > > > 
> > > > Out of curiosity, is there a reason to not write the extension to the
> > > lockscreen
> > > > profile, thus avoiding this issue and the uninstall/delete file problem?
> > > 
> > > One reason is time - I do plan to look more closely into possibility of
> > copying
> > > extension to the lock screen profile, but I think getting the lock screen
> APIs
> > > working and possibly unbounding lock screen profile from sign-in profile
> have
> > > somewhat higher priority at this moment.
> > > 
> > > One potential concern is that we'd end up copying data from (encrypted)
user
> > > profile to (unencrypted) lock screen profile, though I expect this being
> > > relevant mainly for unpacked extensions; then there's the question of if
the
> > > memory cost of duplicating the extension dir and time cost of copying data
> is
> > > justified; handling app updates (instead of just reloading the app in lock
> > > screen profile, we'd have to reload and copy app directory)..
> > > I don't think there's anything huge, but it's not that clear-cut to me
that
> > > introducing a new installer (from a location within another profile) would
> be
> > > beneficial.
> > 
> > I talked with kerrnel@ about this, and we both agreed that it makes us a
> little
> > uncomfortable from a security standpoint to have the lockscreen profile
> require
> > read access to the user's profile.  I think we really should strive to have
> the
> > lockscreen profile version separate from the other, which also alleviates
any
> > concerns around the lockscreen profile interfering with the user's profile.
> 
> We've had this discussion in many different forms now. This code runs in a
> process that *has* access to the user profile. We are depending on the context
> keying of code to prevent access to the logged in user's profile from the
> lockscreen handling code.
> 
> That being said, making one explicit call to read data from the user's
profile,
> does not equate to "giving the lock screen access to the user profile". Again,
> the lockscreen code *already* has that access.
> 
> I do want us to take any and all measures we can to ensure that we mitigate
any
> possible security issues - I just don't see removing this call does that.
> 
> We need to load the app. The app is in the user profile. Whether we have code
> that copies the app out first, or code that directly loads the app - we *will*
> be reading this one particular piece of data from the user profile.
> 
> I would argue that given that this call is a well defined call in very mature
> code, it would be safer to use it than to introduce new code to do the copy.

I'm a bit distracted by other issues right now, so I'll defer to Jorge on this.

- Greg

[Greg K, 2017-06-14 20:18:02]

On 2017/06/13 22:25:57, Greg K wrote:
> On 2017/06/13 21:18:17, rkc wrote:
> >
>
https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
> > File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):
> > 
> >
>
https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
> > chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:194: // copying
> and
> > installing the app to the target profile.
> > On 2017/06/12 18:31:45, Devlin wrote:
> > > On 2017/06/09 19:01:45, tbarzic wrote:
> > > > On 2017/06/09 18:18:40, Devlin (sheriff Jun 9 - 12) wrote:
> > > > > On 2017/06/06 01:54:55, tbarzic wrote:
> > > > > > On 2017/06/05 16:09:35, Devlin wrote:
> > > > > > > Yeah, this strikes me as very strange.  What happens when one of
> these
> > > > > > profiles
> > > > > > > tries to write to the extension directory?  Does the lock screen
> > profile
> > > > > read
> > > > > > > access to all the files under the user profile?
> > > > > > 
> > > > > > Yeah, I have not yet completely figured out the best approach here
:/
> > > > > > 
> > > > > > Lock screen profile should be able to load resources from user
profile
> > > > > location
> > > > > > (provided that the user cryptohome remains decrypted; this might
> change
> > in
> > > > > > future, but I don't see it happening soon) - after all the resources
> > > reading
> > > > > is
> > > > > > done by the same process.
> > > > > > 
> > > > > > As writing to the extension directory goes, that should generally
> happen
> > > on
> > > > > > extension installation/update, right?
> > > > > > I'd expect that an extension directory remains constant while the
> > > extension
> > > > is
> > > > > > loaded, and that the resource changes become visible to the app
after
> > > reload
> > > > -
> > > > > > the similar thing would happen in lock screen profile (when user
> profile
> > > > > updates
> > > > > > an extension) - loading/unloading of the user profile app should
cause
> > the
> > > > app
> > > > > > load/unload in the lock screen profile.
> > > > > > 
> > > > > > And lock screen profile should not really write to paths under the
> user
> > > > > profile
> > > > > > (we probably should also ensure that the extension updater is not
> > started
> > > > for
> > > > > > lock screen profile, so there are no unexpected updates - though,
> > looking
> > > at
> > > > > > code, these would seem to end up in the lock screen profile).
> > > > > 
> > > > > Out of curiosity, is there a reason to not write the extension to the
> > > > lockscreen
> > > > > profile, thus avoiding this issue and the uninstall/delete file
problem?
> > > > 
> > > > One reason is time - I do plan to look more closely into possibility of
> > > copying
> > > > extension to the lock screen profile, but I think getting the lock
screen
> > APIs
> > > > working and possibly unbounding lock screen profile from sign-in profile
> > have
> > > > somewhat higher priority at this moment.
> > > > 
> > > > One potential concern is that we'd end up copying data from (encrypted)
> user
> > > > profile to (unencrypted) lock screen profile, though I expect this being
> > > > relevant mainly for unpacked extensions; then there's the question of if
> the
> > > > memory cost of duplicating the extension dir and time cost of copying
data
> > is
> > > > justified; handling app updates (instead of just reloading the app in
lock
> > > > screen profile, we'd have to reload and copy app directory)..
> > > > I don't think there's anything huge, but it's not that clear-cut to me
> that
> > > > introducing a new installer (from a location within another profile)
would
> > be
> > > > beneficial.
> > > 
> > > I talked with kerrnel@ about this, and we both agreed that it makes us a
> > little
> > > uncomfortable from a security standpoint to have the lockscreen profile
> > require
> > > read access to the user's profile.  I think we really should strive to
have
> > the
> > > lockscreen profile version separate from the other, which also alleviates
> any
> > > concerns around the lockscreen profile interfering with the user's
profile.
> > 
> > We've had this discussion in many different forms now. This code runs in a
> > process that *has* access to the user profile. We are depending on the
context
> > keying of code to prevent access to the logged in user's profile from the
> > lockscreen handling code.
> > 
> > That being said, making one explicit call to read data from the user's
> profile,
> > does not equate to "giving the lock screen access to the user profile".
Again,
> > the lockscreen code *already* has that access.
> > 
> > I do want us to take any and all measures we can to ensure that we mitigate
> any
> > possible security issues - I just don't see removing this call does that.
> > 
> > We need to load the app. The app is in the user profile. Whether we have
code
> > that copies the app out first, or code that directly loads the app - we
*will*
> > be reading this one particular piece of data from the user profile.
> > 
> > I would argue that given that this call is a well defined call in very
mature
> > code, it would be safer to use it than to introduce new code to do the copy.
> 
> I'm a bit distracted by other issues right now, so I'll defer to Jorge on
this.
> 
> - Greg

By the way, is there a  reason not to just install the CRX into the lock screen
profile?

- Greg

[tbarzic, 2017-06-14 20:25:48]

On 2017/06/14 20:18:02, Greg K wrote:
> On 2017/06/13 22:25:57, Greg K wrote:
> > On 2017/06/13 21:18:17, rkc wrote:
> > >
> >
>
https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
> > > File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):
> > > 
> > >
> >
>
https://codereview.chromium.org/2902293002/diff/260001/chrome/browser/chromeo...
> > > chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:194: //
copying
> > and
> > > installing the app to the target profile.
> > > On 2017/06/12 18:31:45, Devlin wrote:
> > > > On 2017/06/09 19:01:45, tbarzic wrote:
> > > > > On 2017/06/09 18:18:40, Devlin (sheriff Jun 9 - 12) wrote:
> > > > > > On 2017/06/06 01:54:55, tbarzic wrote:
> > > > > > > On 2017/06/05 16:09:35, Devlin wrote:
> > > > > > > > Yeah, this strikes me as very strange.  What happens when one of
> > these
> > > > > > > profiles
> > > > > > > > tries to write to the extension directory?  Does the lock screen
> > > profile
> > > > > > read
> > > > > > > > access to all the files under the user profile?
> > > > > > > 
> > > > > > > Yeah, I have not yet completely figured out the best approach here
> :/
> > > > > > > 
> > > > > > > Lock screen profile should be able to load resources from user
> profile
> > > > > > location
> > > > > > > (provided that the user cryptohome remains decrypted; this might
> > change
> > > in
> > > > > > > future, but I don't see it happening soon) - after all the
resources
> > > > reading
> > > > > > is
> > > > > > > done by the same process.
> > > > > > > 
> > > > > > > As writing to the extension directory goes, that should generally
> > happen
> > > > on
> > > > > > > extension installation/update, right?
> > > > > > > I'd expect that an extension directory remains constant while the
> > > > extension
> > > > > is
> > > > > > > loaded, and that the resource changes become visible to the app
> after
> > > > reload
> > > > > -
> > > > > > > the similar thing would happen in lock screen profile (when user
> > profile
> > > > > > updates
> > > > > > > an extension) - loading/unloading of the user profile app should
> cause
> > > the
> > > > > app
> > > > > > > load/unload in the lock screen profile.
> > > > > > > 
> > > > > > > And lock screen profile should not really write to paths under the
> > user
> > > > > > profile
> > > > > > > (we probably should also ensure that the extension updater is not
> > > started
> > > > > for
> > > > > > > lock screen profile, so there are no unexpected updates - though,
> > > looking
> > > > at
> > > > > > > code, these would seem to end up in the lock screen profile).
> > > > > > 
> > > > > > Out of curiosity, is there a reason to not write the extension to
the
> > > > > lockscreen
> > > > > > profile, thus avoiding this issue and the uninstall/delete file
> problem?
> > > > > 
> > > > > One reason is time - I do plan to look more closely into possibility
of
> > > > copying
> > > > > extension to the lock screen profile, but I think getting the lock
> screen
> > > APIs
> > > > > working and possibly unbounding lock screen profile from sign-in
profile
> > > have
> > > > > somewhat higher priority at this moment.
> > > > > 
> > > > > One potential concern is that we'd end up copying data from
(encrypted)
> > user
> > > > > profile to (unencrypted) lock screen profile, though I expect this
being
> > > > > relevant mainly for unpacked extensions; then there's the question of
if
> > the
> > > > > memory cost of duplicating the extension dir and time cost of copying
> data
> > > is
> > > > > justified; handling app updates (instead of just reloading the app in
> lock
> > > > > screen profile, we'd have to reload and copy app directory)..
> > > > > I don't think there's anything huge, but it's not that clear-cut to me
> > that
> > > > > introducing a new installer (from a location within another profile)
> would
> > > be
> > > > > beneficial.
> > > > 
> > > > I talked with kerrnel@ about this, and we both agreed that it makes us a
> > > little
> > > > uncomfortable from a security standpoint to have the lockscreen profile
> > > require
> > > > read access to the user's profile.  I think we really should strive to
> have
> > > the
> > > > lockscreen profile version separate from the other, which also
alleviates
> > any
> > > > concerns around the lockscreen profile interfering with the user's
> profile.
> > > 
> > > We've had this discussion in many different forms now. This code runs in a
> > > process that *has* access to the user profile. We are depending on the
> context
> > > keying of code to prevent access to the logged in user's profile from the
> > > lockscreen handling code.
> > > 
> > > That being said, making one explicit call to read data from the user's
> > profile,
> > > does not equate to "giving the lock screen access to the user profile".
> Again,
> > > the lockscreen code *already* has that access.
> > > 
> > > I do want us to take any and all measures we can to ensure that we
mitigate
> > any
> > > possible security issues - I just don't see removing this call does that.
> > > 
> > > We need to load the app. The app is in the user profile. Whether we have
> code
> > > that copies the app out first, or code that directly loads the app - we
> *will*
> > > be reading this one particular piece of data from the user profile.
> > > 
> > > I would argue that given that this call is a well defined call in very
> mature
> > > code, it would be safer to use it than to introduce new code to do the
copy.
> > 
> > I'm a bit distracted by other issues right now, so I'll defer to Jorge on
> this.
> > 
> > - Greg
> 
> By the way, is there a  reason not to just install the CRX into the lock
screen
> profile?
> 
> - Greg

There might not be a crx present (as it often gets disposed after the app is
installed; or might not even exist - e.g. for unpacked apps). Though, that's
actually, a possibility I plan to look into:
- for unpacked apps - load the app from the extension path - i.e. what's done
here
- for apps installed from CRX - when a lock screen handler app is installed,
cache the source CRX somewhere, and later, when require, install that CRX to the
lock screen profile

For now, I updated this CL to only handle unpacked apps, so I can unblock work
on browser tests while I figure out the best way to install the rest.
WDYT?

[Devlin, 2017-06-15 17:49:50]

On 2017/06/14 20:25:48, tbarzic wrote:
> There might not be a crx present (as it often gets disposed after the app is
> installed; or might not even exist - e.g. for unpacked apps). Though, that's
> actually, a possibility I plan to look into:
> - for unpacked apps - load the app from the extension path - i.e. what's done
> here
> - for apps installed from CRX - when a lock screen handler app is installed,
> cache the source CRX somewhere, and later, when require, install that CRX to
the
> lock screen profile
> 
> For now, I updated this CL to only handle unpacked apps, so I can unblock work
> on browser tests while I figure out the best way to install the rest.
> WDYT?

In practice, on CrOS, won't an unpacked app still always point to a directory in
the user's profile?  So won't this still have all the same concerns, including
access to user profile and possibility of a lockscreen profile changing state
(since it will still point to the same directory from which the app is loaded in
the user's profile)?

[tbarzic, 2017-06-15 19:52:41]

On 2017/06/15 17:49:50, Devlin wrote:
> On 2017/06/14 20:25:48, tbarzic wrote:
> > There might not be a crx present (as it often gets disposed after the app is
> > installed; or might not even exist - e.g. for unpacked apps). Though, that's
> > actually, a possibility I plan to look into:
> > - for unpacked apps - load the app from the extension path - i.e. what's
done
> > here
> > - for apps installed from CRX - when a lock screen handler app is installed,
> > cache the source CRX somewhere, and later, when require, install that CRX to
> the
> > lock screen profile
> > 
> > For now, I updated this CL to only handle unpacked apps, so I can unblock
work
> > on browser tests while I figure out the best way to install the rest.
> > WDYT?
> 
> In practice, on CrOS, won't an unpacked app still always point to a directory
in
> the user's profile?  So won't this still have all the same concerns, including
> access to user profile and possibility of a lockscreen profile changing state
> (since it will still point to the same directory from which the app is loaded
in
> the user's profile)?

One huge difference is that loading an unpacked app from anywhere else than the
user's directory is not acceptable, as it would require copying user data to a
location outside the user's cryptohome.

And when it comes to unpacked extensions, I think browser process changing the
app dir state on behalf of user profile is just as bad as doing it on behalf of
any other profile - it should not really happen.
(though, I'd argue something similar for all apps - we should already be
ensuring that browser process does not change extension's path as long as the
extension is installed, regardless of profile for which that's done - am I
missing a situation where that is allowed?)

[Devlin, 2017-06-16 15:21:56]

On 2017/06/15 19:52:41, tbarzic wrote:
> On 2017/06/15 17:49:50, Devlin wrote:
> > On 2017/06/14 20:25:48, tbarzic wrote:
> > > There might not be a crx present (as it often gets disposed after the app
is
> > > installed; or might not even exist - e.g. for unpacked apps). Though,
that's
> > > actually, a possibility I plan to look into:
> > > - for unpacked apps - load the app from the extension path - i.e. what's
> done
> > > here
> > > - for apps installed from CRX - when a lock screen handler app is
installed,
> > > cache the source CRX somewhere, and later, when require, install that CRX
to
> > the
> > > lock screen profile
> > > 
> > > For now, I updated this CL to only handle unpacked apps, so I can unblock
> work
> > > on browser tests while I figure out the best way to install the rest.
> > > WDYT?
> > 
> > In practice, on CrOS, won't an unpacked app still always point to a
directory
> in
> > the user's profile?  So won't this still have all the same concerns,
including
> > access to user profile and possibility of a lockscreen profile changing
state
> > (since it will still point to the same directory from which the app is
loaded
> in
> > the user's profile)?
> 
> One huge difference is that loading an unpacked app from anywhere else than
the
> user's directory is not acceptable, as it would require copying user data to a
> location outside the user's cryptohome.

I'm a bit confused by this - I read it as saying "unpacked extensions *must* be
loaded from the original directory, which is in the user's (and not the
lockscreen) profile".  Is that right?  If so, that sounds like it has all the
same concerns would apply?

> And when it comes to unpacked extensions, I think browser process changing the
> app dir state on behalf of user profile is just as bad as doing it on behalf
of
> any other profile - it should not really happen.
> (though, I'd argue something similar for all apps - we should already be
> ensuring that browser process does not change extension's path as long as the
> extension is installed, regardless of profile for which that's done - am I
> missing a situation where that is allowed?)

Why?  The extension is installed in a given profile, and the profile data dir is
designed to be modifiable by the profile... why would we assume that the
extension install directory is frozen in state while the rest is not?  As to
when this happens, it's relatively rare that we modify the contents.  The main
case I can think of off the top of my head (excepting updates) is content
verification, but that wouldn't apply for unpacked extensions.

------

Overall, I am less worried about unpacked extensions than I am about packed
extensions from *a functionality standpoint*, since they don't unconditionally
reside in the user's profile (though perhaps they do in practice on CrOS).  But
I'd still like Jorge's opinion on the security aspect, since this still seems a
little odd.

[tbarzic, 2017-06-19 03:54:06]

On 2017/06/16 15:21:56, Devlin wrote:
> On 2017/06/15 19:52:41, tbarzic wrote:
> > On 2017/06/15 17:49:50, Devlin wrote:
> > > On 2017/06/14 20:25:48, tbarzic wrote:
> > > > There might not be a crx present (as it often gets disposed after the
app
> is
> > > > installed; or might not even exist - e.g. for unpacked apps). Though,
> that's
> > > > actually, a possibility I plan to look into:
> > > > - for unpacked apps - load the app from the extension path - i.e. what's
> > done
> > > > here
> > > > - for apps installed from CRX - when a lock screen handler app is
> installed,
> > > > cache the source CRX somewhere, and later, when require, install that
CRX
> to
> > > the
> > > > lock screen profile
> > > > 
> > > > For now, I updated this CL to only handle unpacked apps, so I can
unblock
> > work
> > > > on browser tests while I figure out the best way to install the rest.
> > > > WDYT?
> > > 
> > > In practice, on CrOS, won't an unpacked app still always point to a
> directory
> > in
> > > the user's profile?  So won't this still have all the same concerns,
> including
> > > access to user profile and possibility of a lockscreen profile changing
> state
> > > (since it will still point to the same directory from which the app is
> loaded
> > in
> > > the user's profile)?
> > 
> > One huge difference is that loading an unpacked app from anywhere else than
> the
> > user's directory is not acceptable, as it would require copying user data to
a
> > location outside the user's cryptohome.
> 
> I'm a bit confused by this - I read it as saying "unpacked extensions *must*
be
> loaded from the original directory, which is in the user's (and not the
> lockscreen) profile".  Is that right?  If so, that sounds like it has all the
> same concerns would apply?
> 

Yes, they're generally be loaded from the user's cryptohome (though, that's not
neccesarilly the case, afaik we support loading an app from a removable
storage). The difference is that they're not loaded from a path "owned" by the
profile; they're load from user data dir, and as such I would expect then not to
be modifyable by Chrome extensions system, so concerns are little different.

> > And when it comes to unpacked extensions, I think browser process changing
the
> > app dir state on behalf of user profile is just as bad as doing it on behalf
> of
> > any other profile - it should not really happen.
> > (though, I'd argue something similar for all apps - we should already be
> > ensuring that browser process does not change extension's path as long as
the
> > extension is installed, regardless of profile for which that's done - am I
> > missing a situation where that is allowed?)
> 
> Why?  The extension is installed in a given profile, and the profile data dir
is
> designed to be modifiable by the profile... why would we assume that the
> extension install directory is frozen in state while the rest is not?  As to
> when this happens, it's relatively rare that we modify the contents.  The main
> case I can think of off the top of my head (excepting updates) is content
> verification, but that wouldn't apply for unpacked extensions.
> 

Yes, that's a fair point.
I don't thing having extension->path() remain constant (and equivalent to
unpacked CRX contents) would be unreasonable proposition, given that the
extension has read access to the path (via
chrome.runtime.getPackageDirectoryEntry), and the possibility of the extension
being installed to a shared path rather than in the user profile dir (as it can
be the case on Chrome OS); but I wasn't trying to say I'd consider that
requirement either.

> ------
> 
> Overall, I am less worried about unpacked extensions than I am about packed
> extensions from *a functionality standpoint*, since they don't unconditionally
> reside in the user's profile (though perhaps they do in practice on CrOS). 
But
> I'd still like Jorge's opinion on the security aspect, since this still seems
a
> little odd.

OK, that sounds good to me.

[tbarzic, 2017-06-21 22:09:45]

Description was changed from

==========
Introduce lock screen app manager

The manager is responsible for loading/unloading the lock screen note
taking app (if one is selected) to/from the profile used for lock
screen apps. StateController starts it when the user session is locked
and stops it when user session is unlocked (at which moment the action
handler app is unloaded from sign-in profile). StateController uses
LockAppManager to determine whether a lock screen enabled note taking
app is set up, and to dispatch launch event to the app in question.

BUG=715781
==========

to

==========
Introduce lock screen app manager

Adds default lock screen app manager implementation.
The app manager, when started, checks if a lock screen enabled
note taking app is set, and if so, loads it to the profile used
to run apps on the lock screen. When stopped, app manager will
remove (and uninstall) the app from the profile.

The app manager observes the note taking app state in the user
profile and updates lock screen app's profile accordingly.

BUG=715781
==========

[tbarzic, 2017-06-22 19:00:11]

jorgelo, kerrnel; ping

[Jorge Lucangeli Obes, 2017-06-23 18:57:59]

On 2017/06/22 19:00:11, tbarzic wrote:
> jorgelo, kerrnel; ping

Let me see if I understand what we're doing in this CL: when a lock screen app
is set, as soon as the screen is locked we'll load an unpacked app into a
separate, lock-screen profile, and then synchronize the data between the version
on the lock screen and the version in the user profile?

[tbarzic, 2017-06-23 19:27:49]

On 2017/06/23 18:57:59, Jorge Lucangeli Obes wrote:
> On 2017/06/22 19:00:11, tbarzic wrote:
> > jorgelo, kerrnel; ping
> 
> Let me see if I understand what we're doing in this CL: when a lock screen app
> is set, as soon as the screen is locked we'll load an unpacked app into a
> separate, lock-screen profile, and then synchronize the data between the
version
> on the lock screen and the version in the user profile?

We'll load the app into a lock-screen profile, but we won't really synchronize
data between the profiles (i.e. the app prefs/local storage will be separate for
the app in the lock screen profile and the app in the user profile).
Though, the app in the lock screen profile would be loaded from the same
location as the app in the user profile.
(i.e. the app resources would be shared between app instances).

[tbarzic, 2017-06-27 20:28:09]

The CQ bit was checked by tbarzic@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-27 20:28:33]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-27 22:28:24]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-27 22:28:26]

Dry run: This issue passed the CQ dry run.

[tbarzic, 2017-06-27 23:59:33]

During offline discussion last Friday, we ended up on the  proposal to create a
read-only symbolic link to the app path in the user profile, and install the app
to the lock screen profile from that path.

Unfortunately, it doesn't seem that would be easily achievable:
* chmod on a symbolic link writes through to the target link path (so, changing
symbolic link access permissions would change the target path, too, w)
* mount --bind, which can create a read only view of a directory subtree,
requires root permission, so it can't be used by Chrome

I'm not aware of another way to achieve that goal (I'm open for suggestions), so
I abandoned that approach and switched to the following:
* for unpacked apps - load from the original app path
* for the rest - copy app path to the lock screen profile install directory, and
install the app from 
  the copied location

Let me know what you think.

[tbarzic, 2017-06-29 22:07:00]

friendly ping

[Devlin, 2017-07-05 16:12:06]

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:49: // Loads
extension with the provided extension ID. install source location and
nit: add punctuation
... the provided |extension_id|, |location|, and |creation_flags|

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:87:
std::unique_ptr<base::ScopedTempDir> extension_temp_dir =
optional nit: auto extension_temp_dir = base::MakeUnique<...>()
MakeUnique<T> is known to only ever return a std::unique_ptr<T>.

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:91:
callback.Run(scoped_refptr<const extensions::Extension>());
does Run(nullptr) work?

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:281: // If the app
is already installed, remove it.
Can you describe when this would happen?

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:289: is_unpacked ?
app->path() : base::FilePath(), app->location(),
add a comment explaining this

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:293: if
(!lock_profile_app)
When could this happen?

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:324: if (install_id
!= install_count_ || state_ != State::kActivating)
When do we clean up the resources we copied?

[tbarzic, 2017-07-05 20:16:06]

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:49: // Loads
extension with the provided extension ID. install source location and
On 2017/07/05 16:12:05, Devlin wrote:
> nit: add punctuation
> ... the provided |extension_id|, |location|, and |creation_flags|

Done.

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:87:
std::unique_ptr<base::ScopedTempDir> extension_temp_dir =
On 2017/07/05 16:12:05, Devlin wrote:
> optional nit: auto extension_temp_dir = base::MakeUnique<...>()
> MakeUnique<T> is known to only ever return a std::unique_ptr<T>.

Done.

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:91:
callback.Run(scoped_refptr<const extensions::Extension>());
On 2017/07/05 16:12:05, Devlin wrote:
> does Run(nullptr) work?

it does.

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:281: // If the app
is already installed, remove it.
On 2017/07/05 16:12:05, Devlin wrote:
> Can you describe when this would happen?

I can't really think of a scenario as long as the lock screen profile is
ephemeral (it the profile were not ephemeral, an app might be left lingering
from the previous user session (potentially from a different user)).

I'll remove this (at least for now).

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:289: is_unpacked ?
app->path() : base::FilePath(), app->location(),
On 2017/07/05 16:12:05, Devlin wrote:
> add a comment explaining this

Done.

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:293: if
(!lock_profile_app)
On 2017/07/05 16:12:05, Devlin wrote:
> When could this happen?

In theory, if we attempt to create an extension with invalid properties; though,
in that case the original app would not be installed in the user profile - I
changed this to a dcheck, and added a comment.

https://codereview.chromium.org/2902293002/diff/460001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:324: if (install_id
!= install_count_ || state_ != State::kActivating)
On 2017/07/05 16:12:05, Devlin wrote:
> When do we clean up the resources we copied?

It will be cleaned up with the profile on Chrome restart (or if the app is later
loaded to the lock screen profile, when the app gets uninstalled).

(given that the chance of this happening - i.e. lock screen app status changing
while the app is installed - are very slim, I don't think we need something more
complex).

[Devlin, 2017-07-06 15:14:14]

interfacing with extension system lgtm.  Thanks for your patience and iteration
here!

https://codereview.chromium.org/2902293002/diff/500001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/500001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:77: // |callback| -
called with the app loaded from the final installation path,
nit: s/,/.

[tbarzic, 2017-07-06 16:36:15]

https://codereview.chromium.org/2902293002/diff/500001/chrome/browser/chromeo...
File chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc (right):

https://codereview.chromium.org/2902293002/diff/500001/chrome/browser/chromeo...
chrome/browser/chromeos/lock_screen_apps/app_manager_impl.cc:77: // |callback| -
called with the app loaded from the final installation path,
On 2017/07/06 15:14:14, Devlin wrote:
> nit: s/,/.

Done.

[tbarzic, 2017-07-06 19:19:45]

The CQ bit was checked by tbarzic@chromium.org

[tbarzic, 2017-07-06 19:19:46]

The patchset sent to the CQ was uploaded after l-g-t-m from xiyuan@chromium.org,
rdevlin.cronin@chromium.org
Link to the patchset: https://codereview.chromium.org/2902293002/#ps540001
(title: "rebase")

[commit-bot: I haz the power, 2017-07-06 19:20:07]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-07-06 20:01:44]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-07-06 20:01:46]

Try jobs failed on following builders:
  android_n5x_swarming_rel on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_n5x_...)

[tbarzic, 2017-07-06 20:35:26]

The CQ bit was checked by tbarzic@chromium.org

[commit-bot: I haz the power, 2017-07-06 20:35:43]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-07-06 21:49:17]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-07-06 21:49:18]

Try jobs failed on following builders:
  android_clang_dbg_recipe on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_clan...)

[tbarzic, 2017-07-06 22:13:05]

The CQ bit was checked by tbarzic@chromium.org

[commit-bot: I haz the power, 2017-07-06 22:13:14]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-07-06 22:41:46]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-07-06 22:41:48]

Try jobs failed on following builders:
  android_n5x_swarming_rel on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_n5x_...)

[Jorge Lucangeli Obes, 2017-07-06 22:57:01]

On 2017/06/27 23:59:33, tbarzic wrote:
> During offline discussion last Friday, we ended up on the  proposal to create
a
> read-only symbolic link to the app path in the user profile, and install the
app
> to the lock screen profile from that path.
> 
> Unfortunately, it doesn't seem that would be easily achievable:
> * chmod on a symbolic link writes through to the target link path (so,
changing
> symbolic link access permissions would change the target path, too, w)
> * mount --bind, which can create a read only view of a directory subtree,
> requires root permission, so it can't be used by Chrome
> 
> I'm not aware of another way to achieve that goal (I'm open for suggestions),
so
> I abandoned that approach and switched to the following:
> * for unpacked apps - load from the original app path
> * for the rest - copy app path to the lock screen profile install directory,
and
> install the app from 
>   the copied location
> 
> Let me know what you think.

Apologies for the delay. What does "copy app path to the lock screen" mean? Is
it copying actual files, or just the path?

[tbarzic, 2017-07-06 22:58:04]

On 2017/07/06 22:57:01, Jorge Lucangeli Obes wrote:
> On 2017/06/27 23:59:33, tbarzic wrote:
> > During offline discussion last Friday, we ended up on the  proposal to
create
> a
> > read-only symbolic link to the app path in the user profile, and install the
> app
> > to the lock screen profile from that path.
> > 
> > Unfortunately, it doesn't seem that would be easily achievable:
> > * chmod on a symbolic link writes through to the target link path (so,
> changing
> > symbolic link access permissions would change the target path, too, w)
> > * mount --bind, which can create a read only view of a directory subtree,
> > requires root permission, so it can't be used by Chrome
> > 
> > I'm not aware of another way to achieve that goal (I'm open for
suggestions),
> so
> > I abandoned that approach and switched to the following:
> > * for unpacked apps - load from the original app path
> > * for the rest - copy app path to the lock screen profile install directory,
> and
> > install the app from 
> >   the copied location
> > 
> > Let me know what you think.
> 
> Apologies for the delay. What does "copy app path to the lock screen" mean? Is
> it copying actual files, or just the path?

it's copying actual files

[Jorge Lucangeli Obes, 2017-07-06 23:00:47]

On 2017/07/06 22:58:04, tbarzic wrote:
> On 2017/07/06 22:57:01, Jorge Lucangeli Obes wrote:
> > On 2017/06/27 23:59:33, tbarzic wrote:
> > > During offline discussion last Friday, we ended up on the  proposal to
> create
> > a
> > > read-only symbolic link to the app path in the user profile, and install
the
> > app
> > > to the lock screen profile from that path.
> > > 
> > > Unfortunately, it doesn't seem that would be easily achievable:
> > > * chmod on a symbolic link writes through to the target link path (so,
> > changing
> > > symbolic link access permissions would change the target path, too, w)
> > > * mount --bind, which can create a read only view of a directory subtree,
> > > requires root permission, so it can't be used by Chrome
> > > 
> > > I'm not aware of another way to achieve that goal (I'm open for
> suggestions),
> > so
> > > I abandoned that approach and switched to the following:
> > > * for unpacked apps - load from the original app path
> > > * for the rest - copy app path to the lock screen profile install
directory,
> > and
> > > install the app from 
> > >   the copied location
> > > 
> > > Let me know what you think.
> > 
> > Apologies for the delay. What does "copy app path to the lock screen" mean?
Is
> > it copying actual files, or just the path?
> 
> it's copying actual files

Alright, that is one of the options we discussed. lgtm.

[tbarzic, 2017-07-06 23:05:34]

Description was changed from

==========
Introduce lock screen app manager

Adds default lock screen app manager implementation.
The app manager, when started, checks if a lock screen enabled
note taking app is set, and if so, loads it to the profile used
to run apps on the lock screen. When stopped, app manager will
remove (and uninstall) the app from the profile.

The app manager observes the note taking app state in the user
profile and updates lock screen app's profile accordingly.

BUG=715781
==========

to

==========
Introduce lock screen app manager

Adds default lock screen app manager implementation.
The app manager, when started, checks if a lock screen enabled
note taking app is set, and if so, loads it to the profile used
to run apps on the lock screen. When stopped, app manager will
remove (and uninstall) the app from the profile.
The app is installed and loaded to the lock screen profile as follows:
 *  for unpacked apps - the app is loaded from the (original) unpacked
    app location
 *  for others - the app resources are copied from the original, user 
    profile to the lock screen app profile's extension install 
    directory and loaded from the copied location

The app manager observes the note taking app state in the user
profile and updates lock screen app's profile accordingly.

BUG=715781
==========

[tbarzic, 2017-07-07 01:54:04]

The CQ bit was checked by tbarzic@chromium.org

[commit-bot: I haz the power, 2017-07-07 01:54:22]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-07-07 03:07:49]

CQ is committing da patch.

Bot data: {"patchset_id": 540001, "attempt_start_ts": 1499392444240850,
"parent_rev": "b18578bd35569b971144d4547ee048b68adf795a", "commit_rev":
"c577bdc5b338dd58d27c8aeec32351263a47ad61"}

[commit-bot: I haz the power, 2017-07-07 03:08:07]

Description was changed from

==========
Introduce lock screen app manager

Adds default lock screen app manager implementation.
The app manager, when started, checks if a lock screen enabled
note taking app is set, and if so, loads it to the profile used
to run apps on the lock screen. When stopped, app manager will
remove (and uninstall) the app from the profile.
The app is installed and loaded to the lock screen profile as follows:
 *  for unpacked apps - the app is loaded from the (original) unpacked
    app location
 *  for others - the app resources are copied from the original, user 
    profile to the lock screen app profile's extension install 
    directory and loaded from the copied location

The app manager observes the note taking app state in the user
profile and updates lock screen app's profile accordingly.

BUG=715781
==========

to

==========
Introduce lock screen app manager

Adds default lock screen app manager implementation.
The app manager, when started, checks if a lock screen enabled
note taking app is set, and if so, loads it to the profile used
to run apps on the lock screen. When stopped, app manager will
remove (and uninstall) the app from the profile.
The app is installed and loaded to the lock screen profile as follows:
 *  for unpacked apps - the app is loaded from the (original) unpacked
    app location
 *  for others - the app resources are copied from the original, user 
    profile to the lock screen app profile's extension install 
    directory and loaded from the copied location

The app manager observes the note taking app state in the user
profile and updates lock screen app's profile accordingly.

BUG=715781

Review-Url: https://codereview.chromium.org/2902293002
Cr-Commit-Position: refs/heads/master@{#484815}
Committed:
https://chromium.googlesource.com/chromium/src/+/c577bdc5b338dd58d27c8aeec323...
==========

[commit-bot: I haz the power, 2017-07-07 03:08:09]

Committed patchset #28 (id:540001) as
https://chromium.googlesource.com/chromium/src/+/c577bdc5b338dd58d27c8aeec323...