Add more polices to the protected list.

components/policy/core/common/policy_loader_win.cc

 // Copyright (c) 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/policy/core/common/policy_loader_win.h"
 
 #include <windows.h>
 #include <lm.h>       // For limits.
 #include <ntdsapi.h>  // For Ds[Un]Bind
 #include <rpc.h>      // For struct GUID
@@ skipping 12 matching lines @@
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/file_util.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/metrics/histogram.h"
+#include "base/metrics/sparse_histogram.h"
 #include "base/scoped_native_library.h"
 #include "base/sequenced_task_runner.h"
 #include "base/stl_util.h"
 #include "base/strings/string16.h"
 #include "base/strings/string_util.h"
 #include "base/values.h"
 #include "base/win/win_util.h"
 #include "base/win/windows_version.h"
 #include "components/json_schema/json_schema_constants.h"
 #include "components/policy/core/common/policy_bundle.h"
@@ skipping 22 matching lines @@
 // TODO(joaodasilva): remove this for M35. http://crbug.com/325349
 const char kLegacyBrowserSupportExtensionId[] =
     "heildphpnddilhkemkielfhnkaagiabh";
 
 // The web store url that is the only trusted source for extensions.
 const char kExpectedWebStoreUrl[] =
     ";https://clients2.google.com/service/update2/crx";
 // String to be prepended to each blocked entry.
 const char kBlockedExtensionPrefix[] = "[BLOCKED]";
 
+// List of policies that are considered only if the user is part of a AD domain.
+const char* kInsecurePolicies[] = {
+    key::kMetricsReportingEnabled,
+    key::kDefaultSearchProviderEnabled,
+    key::kHomepageIsNewTabPage,
+    key::kHomepageLocation,
+    key::kRestoreOnStartup,
+    key::kRestoreOnStartupURLs
+};
+
 // The GUID of the registry settings group policy extension.
 GUID kRegistrySettingsCSEGUID = REGISTRY_EXTENSION_GUID;
 
 // The list of possible errors that can occur while collecting information about
 // the current enterprise environment.
 enum DomainCheckErrors {
   DOMAIN_CHECK_ERROR_GET_JOIN_INFO = 0,
   DOMAIN_CHECK_ERROR_DS_BIND,
   DOMAIN_CHECK_ERROR_LAST,
 };
@@ skipping 30 matching lines @@
   base::JSONWriter::Write(json.get(), &serialized);
   return serialized;
 }
 
 // Verifies that untrusted policies contain only safe values. Modifies the
 // |policy| in place.
 void FilterUntrustedPolicy(PolicyMap* policy) {
   if (base::win::IsEnrolledToDomain())
     return;
 
+  int invalid_policies = 0;
   const PolicyMap::Entry* map_entry =
       policy->Get(policy::key::kExtensionInstallForcelist);
   if (map_entry && map_entry->value) {
-    int invalid_policies = 0;
     const base::ListValue* policy_list_value = NULL;
     if (!map_entry->value->GetAsList(&policy_list_value))
       return;
 
     scoped_ptr<base::ListValue> filtered_values(new base::ListValue);
     for (base::ListValue::const_iterator list_entry(policy_list_value->begin());
          list_entry != policy_list_value->end(); ++list_entry) {
       std::string entry;
       if (!(*list_entry)->GetAsString(&entry))
         continue;
       size_t pos = entry.find(';');
       if (pos == std::string::npos)
         continue;
       // Only allow custom update urls in enterprise environments.
       if (!LowerCaseEqualsASCII(entry.substr(pos), kExpectedWebStoreUrl)) {
         entry = kBlockedExtensionPrefix + entry;
         invalid_policies++;
       }
 
       filtered_values->AppendString(entry);
     }
-    policy->Set(policy::key::kExtensionInstallForcelist,
-                map_entry->level, map_entry->scope,
-                filtered_values.release(),
-                map_entry->external_data_fetcher);
-    UMA_HISTOGRAM_COUNTS("EnterpriseCheck.InvalidPoliciesDetected",
-                         invalid_policies);
+    if (invalid_policies) {
+      policy->Set(policy::key::kExtensionInstallForcelist,
+                  map_entry->level, map_entry->scope,
+                  filtered_values.release(),
+                  map_entry->external_data_fetcher);
+
+      const PolicyDetails* details = policy::GetChromePolicyDetails(
+          policy::key::kExtensionInstallForcelist);
+      UMA_HISTOGRAM_SPARSE_SLOWLY("EnterpriseCheck.InvalidPolicies",
+                                  details->id);
+    }
   }
+
+  for (size_t i = 0; i < arraysize(kInsecurePolicies); ++i) {
+    if (policy->Get(kInsecurePolicies[i])) {
+      // TODO(pastarmovj): Surface this issue in the about:policy page.
+      policy->Erase(kInsecurePolicies[i]);
+      invalid_policies++;
+      const PolicyDetails* details =
+          policy::GetChromePolicyDetails(kInsecurePolicies[i]);
+      UMA_HISTOGRAM_SPARSE_SLOWLY("EnterpriseCheck.InvalidPolicies",
+                                  details->id);
+    }
+  }
+
+  UMA_HISTOGRAM_COUNTS("EnterpriseCheck.InvalidPoliciesDetected",
+                       invalid_policies);
 }
 
 // A helper class encapsulating run-time-linked function calls to Wow64 APIs.
 class Wow64Functions {
  public:
   Wow64Functions()
     : kernel32_lib_(base::FilePath(L"kernel32")),
       is_wow_64_process_(NULL),
       wow_64_disable_wow_64_fs_redirection_(NULL),
       wow_64_revert_wow_64_fs_redirection_(NULL) {
@@ skipping 479 matching lines @@
 
 void PolicyLoaderWin::OnObjectSignaled(HANDLE object) {
   DCHECK(object == user_policy_changed_event_.handle() ||
          object == machine_policy_changed_event_.handle())
       << "unexpected object signaled policy reload, obj = "
       << std::showbase << std::hex << object;
   Reload(false);
 }
 
 }  // namespace policy