Add policy controlled permission block list for extensions

components/policy/resources/policy_templates.json

 {
 # policy_templates.json - Metafile for policy templates
 #
 # The content of this file is evaluated as a Python expression.
 #
 # This file is used as input to generate the following policy templates:
 # ADM, ADMX+ADML, MCX/plist and html documentation.
 #
 # Policy templates are user interface definitions or documents about the
 # policies that can be used to configure Chrome. Each policy is a name-value
@@ skipping 1729 matching lines @@
             'type': 'object',
             'patternProperties': {
               '^[a-p]{32}$': {
                 'type': 'object',
                 'properties': {
                   'installation_mode': {
                     'type': 'string',
                     'enum': ['blocked', 'allowed', 'force_installed', 'normal_installed']
                   },
                   'update_url': { 'type': 'string' },
-                }
-              }
+                  'blocked_permissions': {
+                    'type': 'array',
+                    'items': {
+                      'type': 'string',
+                      'pattern': '^[a-z][a-zA-Z.]*$',
+                    },
+                    'id': 'ListOfPermissions',
+                  },
+                  'allowed_permissions': {
+                    '$ref': 'ListOfPermissions',
+                  },
+                },
+              },
             },
             'properties': {
               '*': {
                 'type': 'object',
                 'properties': {
                   'installation_mode': {
                     'type': 'string',
                     'enum': ['blocked', 'allowed']
                   },
+                  'blocked_permissions': {
+                    '$ref': 'ListOfPermissions',
+                  },
                   'install_sources': {
                     '$ref': 'ExtensionInstallSources',
                   },
                   'allowed_types': {
                     '$ref': 'ExtensionAllowedTypes',
                   },
-                }
-              }
-            }
+                },
+              },
+            },
           },
           'future': True,
           'supported_on': ['chrome.*:40-', 'chrome_os:40-'],
           'features': {
             'dynamic_refresh': True,
             'per_profile': True,
           },
           'example_value': {
             'abcdefghijklmnopabcdefghijklmnop' : {
               'installation_mode': 'allowed',
+              'blocked_permissions': ['history'],
             },
             'bcdefghijklmnopabcdefghijklmnopa' : {
               'installation_mode': 'force_installed',
               'update_url': 'http://example.com/update_url',
+              'allowed_permissions': ['downloads'],
             },
             '*': {
               'installation_mode': 'blocked',
+              'blocked_permissions': ['downloads', 'bookmarks'],
               'install_sources': ['http://company-intranet/chromeapps'],
               'allowed_types': ['hosted_app'],
             },
           },
           'id': 278,
           'caption': 'Extension management settings',
           'desc': '''Configures extension management settings for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
 
           This policy controls multiple settings, including settings controlled by any existing extension-related policies. This policy will override any legacy policies if both are set.
 
           This policy maps an extension ID to its configuration. A default configuration can be set for the special ID "*", which will apply to all extensions that don't have a custom configuration set in this policy. The configuration for each extension is another dictionary that can contain the fields documented below.
 
           "installation_mode": maps to a string indicating the installation mode for the extension. The valid strings are:
           * "allowed": allows the extension to be installed by the user. This is the default behavior.
           * "blocked": blocks installation of the extension.
           * "force_installed": the extension is automatically installed and can't be removed by the user.
           * "normal_installed": the extension is automatically installed but can be disabled by the user.
 
           The default "installation_mode" can be configured for the "*" extension. Only the "allowed" and "blocked" values can be used in this case.
 
           If the mode is set to "force_installed" or "normal_installed" then an "update_url" must be configured too. The update URL should point to an Update Manifest XML document as described at <ph name="LINK_TO_EXTENSION_DOC1">https://developer.chrome.com/extensions/autoupdate</ph>. Note that the update URL set in this policy is only used for the initial installation; subsequent updates of the extension will use the update URL indicated in the extension's manifest.
 
+          "blocked_permissions": maps to a list of strings indicating the blocked API permissions for the extension. The permissions names are same as the permission strings declared in manifest of extension as described at <ph name="LINK_TO_EXTENSION_DOC3">https://developer.chrome.com/extensions/declare_permissions</ph>. This setting also can be configured for "*" extension. If the extension requires a permission which is on the blocklist, it will not be allowed to load. If it contains a blocked permission as optional requirement, it will be handled in the normal way, but requesting conflicting permissions will be declined automatically at runtime.
+
+          "allowed_permissions": similar to "blocked_permissions", but instead explicitly allow some permissions which might be blocked by global blocked permission list, thus can not be configured for "*" extension. Note that this setting doesn't give granted permissions to extensions automatically.
+
           The following settings can be used only for the default "*" configuration:
 
           "install_sources": Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users will be able to easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (i.e.  the referrer) must be allowed by these patterns.
 
           "allowed_types": This setting whitelists the allowed types of extension/apps that can be installed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.  The value is a list of strings, each of which should be one of the following: "extension", "theme", "user_script", "hosted_app", "legacy_packaged_app", "platform_app". See the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> extensions documentation for more information on these types.
 
           This policy isn't ready for usage yet, please don't use it.
           '''
         },
       ],
@@ skipping 5205 matching lines @@
       'desc': '''Text appended in parentheses next to the policies top-level container to indicate that those policies are of the Recommended level''',
       'text': 'Default Settings (users can override)',
     },
     'doc_complex_policies_on_windows': {
       'desc': '''Text pointing the user to a help article for complex policies on Windows''',
       'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POLICIES_URL">http://www.chromium.org/administrators/complex-policies-on-windows<ex>http://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>''',
     },
   },
   'placeholders': [],
 }