Chromium Code Reviews Chromium Code Reviews
Issue 714133002:
Add more management policy checking after extension installed (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/extensions/extension_service.h" | 5 #include "chrome/browser/extensions/extension_service.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <iterator> | 8 #include <iterator> |
| 9 #include <set> | 9 #include <set> |
| 10 | 10 |
| (...skipping 1416 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1427 const Version old_version(old_version_string); | 1427 const Version old_version(old_version_string); |
| 1428 | 1428 |
| 1429 VLOG(1) << "AddComponentExtension " << extension->name(); | 1429 VLOG(1) << "AddComponentExtension " << extension->name(); |
| 1430 if (!old_version.IsValid() || !old_version.Equals(*extension->version())) { | 1430 if (!old_version.IsValid() || !old_version.Equals(*extension->version())) { |
| 1431 VLOG(1) << "Component extension " << extension->name() << " (" | 1431 VLOG(1) << "Component extension " << extension->name() << " (" |
| 1432 << extension->id() << ") installing/upgrading from '" | 1432 << extension->id() << ") installing/upgrading from '" |
| 1433 << old_version_string << "' to " << extension->version()->GetString(); | 1433 << old_version_string << "' to " << extension->version()->GetString(); |
| 1434 | 1434 |
| 1435 AddNewOrUpdatedExtension(extension, | 1435 AddNewOrUpdatedExtension(extension, |
| 1436 Extension::ENABLED, | 1436 Extension::ENABLED, |
| 1437 Extension::DISABLE_NONE, | |
| 1437 extensions::kInstallFlagNone, | 1438 extensions::kInstallFlagNone, |
| 1438 syncer::StringOrdinal(), | 1439 syncer::StringOrdinal(), |
| 1439 std::string()); | 1440 std::string()); |
| 1440 return; | 1441 return; |
| 1441 } | 1442 } |
| 1442 | 1443 |
| 1443 AddExtension(extension); | 1444 AddExtension(extension); |
| 1444 } | 1445 } |
| 1445 | 1446 |
| 1446 void ExtensionService::CheckPermissionsIncrease(const Extension* extension, | 1447 void ExtensionService::CheckPermissionsIncrease(const Extension* extension, |
| (...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1564 crash_keys::SetActiveExtensions(extension_ids); | 1565 crash_keys::SetActiveExtensions(extension_ids); |
| 1565 } | 1566 } |
| 1566 | 1567 |
| 1567 void ExtensionService::OnExtensionInstalled( | 1568 void ExtensionService::OnExtensionInstalled( |
| 1568 const Extension* extension, | 1569 const Extension* extension, |
| 1569 const syncer::StringOrdinal& page_ordinal, | 1570 const syncer::StringOrdinal& page_ordinal, |
| 1570 int install_flags) { | 1571 int install_flags) { |
| 1571 CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 1572 CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); |
| 1572 | 1573 |
| 1573 const std::string& id = extension->id(); | 1574 const std::string& id = extension->id(); |
| 1574 bool initial_enable = ShouldEnableOnInstall(extension); | 1575 Extension::DisableReason initial_disable_reason = Extension::DISABLE_NONE; |
| 1576 bool initial_enable = | |
| 1577 ShouldEnableOnInstall(extension, &initial_disable_reason); | |
| 1575 std::string install_parameter; | 1578 std::string install_parameter; |
| 1576 const extensions::PendingExtensionInfo* pending_extension_info = | 1579 const extensions::PendingExtensionInfo* pending_extension_info = |
| 1577 pending_extension_manager()->GetById(id); | 1580 pending_extension_manager()->GetById(id); |
| 1578 if (pending_extension_info) { | 1581 if (pending_extension_info) { |
| 1579 if (!pending_extension_info->ShouldAllowInstall(extension)) { | 1582 if (!pending_extension_info->ShouldAllowInstall(extension)) { |
| 1580 pending_extension_manager()->Remove(id); | 1583 pending_extension_manager()->Remove(id); |
| 1581 | 1584 |
| 1582 LOG(WARNING) << "ShouldAllowInstall() returned false for " | 1585 LOG(WARNING) << "ShouldAllowInstall() returned false for " |
| 1583 << id << " of type " << extension->GetType() | 1586 << id << " of type " << extension->GetType() |
| 1584 << " and update URL " | 1587 << " and update URL " |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 1598 } | 1601 } |
| 1599 | 1602 |
| 1600 install_parameter = pending_extension_info->install_parameter(); | 1603 install_parameter = pending_extension_info->install_parameter(); |
| 1601 pending_extension_manager()->Remove(id); | 1604 pending_extension_manager()->Remove(id); |
| 1602 } else { | 1605 } else { |
| 1603 // We explicitly want to re-enable an uninstalled external | 1606 // We explicitly want to re-enable an uninstalled external |
| 1604 // extension; if we're here, that means the user is manually | 1607 // extension; if we're here, that means the user is manually |
| 1605 // installing the extension. | 1608 // installing the extension. |
| 1606 if (extension_prefs_->IsExternalExtensionUninstalled(id)) { | 1609 if (extension_prefs_->IsExternalExtensionUninstalled(id)) { |
| 1607 initial_enable = true; | 1610 initial_enable = true; |
| 1611 initial_disable_reason = Extension::DISABLE_NONE; | |
| 1608 } | 1612 } |
| 1609 } | 1613 } |
| 1610 | 1614 |
| 1611 // Unsupported requirements overrides the management policy. | 1615 // Unsupported requirements overrides the management policy. |
| 1612 if (install_flags & extensions::kInstallFlagHasRequirementErrors) { | 1616 if (install_flags & extensions::kInstallFlagHasRequirementErrors) { |
| 1613 initial_enable = false; | 1617 initial_enable = false; |
| 1614 extension_prefs_->AddDisableReason( | 1618 initial_disable_reason = Extension::DISABLE_UNSUPPORTED_REQUIREMENT; |
| 1615 id, Extension::DISABLE_UNSUPPORTED_REQUIREMENT); | |
| 1616 // If the extension was disabled because of unsupported requirements but | 1619 // If the extension was disabled because of unsupported requirements but |
| 1617 // now supports all requirements after an update and there are not other | 1620 // now supports all requirements after an update and there are not other |
| 1618 // disable reasons, enable it. | 1621 // disable reasons, enable it. |
| 1619 } else if (extension_prefs_->GetDisableReasons(id) == | 1622 } else if (extension_prefs_->GetDisableReasons(id) == |
| 1620 Extension::DISABLE_UNSUPPORTED_REQUIREMENT) { | 1623 Extension::DISABLE_UNSUPPORTED_REQUIREMENT) { |
| 1621 initial_enable = true; | 1624 initial_enable = true; |
| 1625 initial_disable_reason = Extension::DISABLE_NONE; | |
| 1622 extension_prefs_->ClearDisableReasons(id); | 1626 extension_prefs_->ClearDisableReasons(id); |
| 1623 } | 1627 } |
| 1624 | 1628 |
| 1625 if (install_flags & extensions::kInstallFlagIsBlacklistedForMalware) { | 1629 if (install_flags & extensions::kInstallFlagIsBlacklistedForMalware) { |
| 1626 // Installation of a blacklisted extension can happen from sync, policy, | 1630 // Installation of a blacklisted extension can happen from sync, policy, |
| 1627 // etc, where to maintain consistency we need to install it, just never | 1631 // etc, where to maintain consistency we need to install it, just never |
| 1628 // load it (see AddExtension). Usually it should be the job of callers to | 1632 // load it (see AddExtension). Usually it should be the job of callers to |
| 1629 // incercept blacklisted extension earlier (e.g. CrxInstaller, before even | 1633 // incercept blacklisted extension earlier (e.g. CrxInstaller, before even |
| 1630 // showing the install dialogue). | 1634 // showing the install dialogue). |
| 1631 extension_prefs_->AcknowledgeBlacklistedExtension(id); | 1635 extension_prefs_->AcknowledgeBlacklistedExtension(id); |
| (...skipping 23 matching lines...) Expand all Loading... | |
| 1655 } | 1659 } |
| 1656 | 1660 |
| 1657 const Extension::State initial_state = | 1661 const Extension::State initial_state = |
| 1658 initial_enable ? Extension::ENABLED : Extension::DISABLED; | 1662 initial_enable ? Extension::ENABLED : Extension::DISABLED; |
| 1659 if (ShouldDelayExtensionUpdate( | 1663 if (ShouldDelayExtensionUpdate( |
| 1660 id, | 1664 id, |
| 1661 !!(install_flags & extensions::kInstallFlagInstallImmediately))) { | 1665 !!(install_flags & extensions::kInstallFlagInstallImmediately))) { |
| 1662 extension_prefs_->SetDelayedInstallInfo( | 1666 extension_prefs_->SetDelayedInstallInfo( |
| 1663 extension, | 1667 extension, |
| 1664 initial_state, | 1668 initial_state, |
| 1669 initial_disable_reason, | |
| 1665 install_flags, | 1670 install_flags, |
| 1666 extensions::ExtensionPrefs::DELAY_REASON_WAIT_FOR_IDLE, | 1671 extensions::ExtensionPrefs::DELAY_REASON_WAIT_FOR_IDLE, |
| 1667 page_ordinal, | 1672 page_ordinal, |
| 1668 install_parameter); | 1673 install_parameter); |
| 1669 | 1674 |
| 1670 // Transfer ownership of |extension|. | 1675 // Transfer ownership of |extension|. |
| 1671 delayed_installs_.Insert(extension); | 1676 delayed_installs_.Insert(extension); |
| 1672 | 1677 |
| 1673 // Notify observers that app update is available. | 1678 // Notify observers that app update is available. |
| 1674 FOR_EACH_OBSERVER(extensions::UpdateObserver, update_observers_, | 1679 FOR_EACH_OBSERVER(extensions::UpdateObserver, update_observers_, |
| 1675 OnAppUpdateAvailable(extension)); | 1680 OnAppUpdateAvailable(extension)); |
| 1676 return; | 1681 return; |
| 1677 } | 1682 } |
| 1678 | 1683 |
| 1679 extensions::SharedModuleService::ImportStatus status = | 1684 extensions::SharedModuleService::ImportStatus status = |
| 1680 shared_module_service_->SatisfyImports(extension); | 1685 shared_module_service_->SatisfyImports(extension); |
| 1681 if (installs_delayed_for_gc_) { | 1686 if (installs_delayed_for_gc_) { |
| 1682 extension_prefs_->SetDelayedInstallInfo( | 1687 extension_prefs_->SetDelayedInstallInfo( |
| 1683 extension, | 1688 extension, |
| 1684 initial_state, | 1689 initial_state, |
| 1690 initial_disable_reason, | |
| 1685 install_flags, | 1691 install_flags, |
| 1686 extensions::ExtensionPrefs::DELAY_REASON_GC, | 1692 extensions::ExtensionPrefs::DELAY_REASON_GC, |
| 1687 page_ordinal, | 1693 page_ordinal, |
| 1688 install_parameter); | 1694 install_parameter); |
| 1689 delayed_installs_.Insert(extension); | 1695 delayed_installs_.Insert(extension); |
| 1690 } else if (status != SharedModuleService::IMPORT_STATUS_OK) { | 1696 } else if (status != SharedModuleService::IMPORT_STATUS_OK) { |
| 1691 if (status == SharedModuleService::IMPORT_STATUS_UNSATISFIED) { | 1697 if (status == SharedModuleService::IMPORT_STATUS_UNSATISFIED) { |
| 1692 extension_prefs_->SetDelayedInstallInfo( | 1698 extension_prefs_->SetDelayedInstallInfo( |
| 1693 extension, | 1699 extension, |
| 1694 initial_state, | 1700 initial_state, |
| 1701 initial_disable_reason, | |
| 1695 install_flags, | 1702 install_flags, |
| 1696 extensions::ExtensionPrefs::DELAY_REASON_WAIT_FOR_IMPORTS, | 1703 extensions::ExtensionPrefs::DELAY_REASON_WAIT_FOR_IMPORTS, |
| 1697 page_ordinal, | 1704 page_ordinal, |
| 1698 install_parameter); | 1705 install_parameter); |
| 1699 delayed_installs_.Insert(extension); | 1706 delayed_installs_.Insert(extension); |
| 1700 } | 1707 } |
| 1701 } else { | 1708 } else { |
| 1702 AddNewOrUpdatedExtension(extension, | 1709 AddNewOrUpdatedExtension(extension, |
| 1703 initial_state, | 1710 initial_state, |
| 1711 initial_disable_reason, | |
| 1704 install_flags, | 1712 install_flags, |
| 1705 page_ordinal, | 1713 page_ordinal, |
| 1706 install_parameter); | 1714 install_parameter); |
| 1707 } | 1715 } |
| 1708 } | 1716 } |
| 1709 | 1717 |
| 1710 void ExtensionService::OnExtensionManagementSettingsChanged() { | 1718 void ExtensionService::OnExtensionManagementSettingsChanged() { |
| 1711 error_controller_->ShowErrorIfNeeded(); | 1719 error_controller_->ShowErrorIfNeeded(); |
| 1712 | 1720 |
| 1713 // Revokes blocked permissions from active_permissions for all extensions. | 1721 // Revokes blocked permissions from active_permissions for all extensions. |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 1725 settings->GetBlockedPermissions(extension.get()).get()); | 1733 settings->GetBlockedPermissions(extension.get()).get()); |
| 1726 } | 1734 } |
| 1727 } | 1735 } |
| 1728 | 1736 |
| 1729 CheckManagementPolicy(); | 1737 CheckManagementPolicy(); |
| 1730 } | 1738 } |
| 1731 | 1739 |
| 1732 void ExtensionService::AddNewOrUpdatedExtension( | 1740 void ExtensionService::AddNewOrUpdatedExtension( |
| 1733 const Extension* extension, | 1741 const Extension* extension, |
| 1734 Extension::State initial_state, | 1742 Extension::State initial_state, |
| 1743 Extension::DisableReason initial_disable_reason, | |
| 1735 int install_flags, | 1744 int install_flags, |
| 1736 const syncer::StringOrdinal& page_ordinal, | 1745 const syncer::StringOrdinal& page_ordinal, |
| 1737 const std::string& install_parameter) { | 1746 const std::string& install_parameter) { |
| 1738 CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 1747 CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); |
| 1739 bool was_ephemeral = extension_prefs_->IsEphemeralApp(extension->id()); | 1748 bool was_ephemeral = extension_prefs_->IsEphemeralApp(extension->id()); |
| 1740 extension_prefs_->OnExtensionInstalled( | 1749 extension_prefs_->OnExtensionInstalled(extension, initial_state, |
| 1741 extension, initial_state, page_ordinal, install_flags, install_parameter); | 1750 initial_disable_reason, page_ordinal, |
| 1751 install_flags, install_parameter); | |
| 1742 delayed_installs_.Remove(extension->id()); | 1752 delayed_installs_.Remove(extension->id()); |
| 1743 if (InstallVerifier::NeedsVerification(*extension)) | 1753 if (InstallVerifier::NeedsVerification(*extension)) |
| 1744 system_->install_verifier()->VerifyExtension(extension->id()); | 1754 system_->install_verifier()->VerifyExtension(extension->id()); |
| 1745 FinishInstallation(extension, was_ephemeral); | 1755 FinishInstallation(extension, was_ephemeral); |
| 1746 } | 1756 } |
| 1747 | 1757 |
| 1748 void ExtensionService::MaybeFinishDelayedInstallation( | 1758 void ExtensionService::MaybeFinishDelayedInstallation( |
| 1749 const std::string& extension_id) { | 1759 const std::string& extension_id) { |
| 1750 // Check if the extension already got installed. | 1760 // Check if the extension already got installed. |
| 1751 if (!delayed_installs_.Contains(extension_id)) | 1761 if (!delayed_installs_.Contains(extension_id)) |
| (...skipping 393 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2145 case chrome::NOTIFICATION_PROFILE_DESTRUCTION_STARTED: { | 2155 case chrome::NOTIFICATION_PROFILE_DESTRUCTION_STARTED: { |
| 2146 OnProfileDestructionStarted(); | 2156 OnProfileDestructionStarted(); |
| 2147 break; | 2157 break; |
| 2148 } | 2158 } |
| 2149 | 2159 |
| 2150 default: | 2160 default: |
| 2151 NOTREACHED() << "Unexpected notification type."; | 2161 NOTREACHED() << "Unexpected notification type."; |
| 2152 } | 2162 } |
| 2153 } | 2163 } |
| 2154 | 2164 |
| 2155 bool ExtensionService::ShouldEnableOnInstall(const Extension* extension) { | 2165 bool ExtensionService::ShouldEnableOnInstall( |
| 2166 const Extension* extension, | |
| 2167 Extension::DisableReason* disable_reason) { | |
| 2168 // Extensions disabled by managemeny policy should always be disabled, even | |
| 2169 // if it's force-installed. | |
| 2170 if (system_->management_policy()->MustRemainDisabled( | |
| 2171 extension, disable_reason, nullptr)) { | |
| 2172 return false; | |
| 2173 } | |
| 2174 | |
| 2156 // Extensions installed by policy can't be disabled. So even if a previous | 2175 // Extensions installed by policy can't be disabled. So even if a previous |
| 2157 // installation disabled the extension, make sure it is now enabled. | 2176 // installation disabled the extension, make sure it is now enabled. |
| 2158 if (system_->management_policy()->MustRemainEnabled(extension, NULL)) | 2177 if (system_->management_policy()->MustRemainEnabled(extension, nullptr)) |
| 2159 return true; | 2178 return true; |
| 2160 | 2179 |
| 2161 if (extension_prefs_->IsExtensionDisabled(extension->id())) | 2180 if (extension_prefs_->IsExtensionDisabled(extension->id())) { |
| 2181 *disable_reason = Extension::DISABLE_NONE; | |
|
Finnur
2014/11/11 22:58:03
It is a bit weird to set this only when this funct
binjin
2014/11/12 16:33:18
Yes, the |disable_reason| will be ignored if true
| |
| 2162 return false; | 2182 return false; |
| 2183 } | |
| 2163 | 2184 |
| 2164 if (FeatureSwitch::prompt_for_external_extensions()->IsEnabled()) { | 2185 if (FeatureSwitch::prompt_for_external_extensions()->IsEnabled()) { |
| 2165 // External extensions are initially disabled. We prompt the user before | 2186 // External extensions are initially disabled. We prompt the user before |
| 2166 // enabling them. Hosted apps are excepted because they are not dangerous | 2187 // enabling them. Hosted apps are excepted because they are not dangerous |
| 2167 // (they need to be launched by the user anyway). | 2188 // (they need to be launched by the user anyway). |
| 2168 if (extension->GetType() != Manifest::TYPE_HOSTED_APP && | 2189 if (extension->GetType() != Manifest::TYPE_HOSTED_APP && |
| 2169 Manifest::IsExternalLocation(extension->location()) && | 2190 Manifest::IsExternalLocation(extension->location()) && |
| 2170 !extension_prefs_->IsExternalExtensionAcknowledged(extension->id())) { | 2191 !extension_prefs_->IsExternalExtensionAcknowledged(extension->id())) { |
| 2192 *disable_reason = Extension::DISABLE_NONE; | |
| 2171 return false; | 2193 return false; |
| 2172 } | 2194 } |
| 2173 } | 2195 } |
| 2174 | 2196 |
| 2175 return true; | 2197 return true; |
| 2176 } | 2198 } |
| 2177 | 2199 |
| 2178 bool ExtensionService::ShouldDelayExtensionUpdate( | 2200 bool ExtensionService::ShouldDelayExtensionUpdate( |
| 2179 const std::string& extension_id, | 2201 const std::string& extension_id, |
| 2180 bool install_immediately) const { | 2202 bool install_immediately) const { |
| (...skipping 207 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2388 } | 2410 } |
| 2389 | 2411 |
| 2390 void ExtensionService::OnProfileDestructionStarted() { | 2412 void ExtensionService::OnProfileDestructionStarted() { |
| 2391 ExtensionIdSet ids_to_unload = registry_->enabled_extensions().GetIDs(); | 2413 ExtensionIdSet ids_to_unload = registry_->enabled_extensions().GetIDs(); |
| 2392 for (ExtensionIdSet::iterator it = ids_to_unload.begin(); | 2414 for (ExtensionIdSet::iterator it = ids_to_unload.begin(); |
| 2393 it != ids_to_unload.end(); | 2415 it != ids_to_unload.end(); |
| 2394 ++it) { | 2416 ++it) { |
| 2395 UnloadExtension(*it, UnloadedExtensionInfo::REASON_PROFILE_SHUTDOWN); | 2417 UnloadExtension(*it, UnloadedExtensionInfo::REASON_PROFILE_SHUTDOWN); |
| 2396 } | 2418 } |
| 2397 } | 2419 } |
| OLD | NEW |
