From fa3ed70d15b4ee44d28bec9577e3b363a3255430 Mon Sep 17 00:00:00 2001
From: Kathy Brade
Date: Thu, 16 Apr 2020 17:07:09 -0400
Subject: [PATCH] Bug 32418: Allow updates to be disabled via an enterprise policy.
Restrict the Enterprise Policies mechanism to only consult a policies.json file (avoiding the Windows Registry and macOS's file system attributes). Add a few disabledByPolicy() checks to the update service to avoid extraneous (and potentially confusing) log messages when updates are disabled by policy. Sample content for distribution/policies.json: { "policies": { "DisableAppUpdate": true } }
---
 .../enterprisepolicies/EnterprisePolicies.js | 10 ++++++++++
 .../components/enterprisepolicies/moz.build | 4 +++-
 toolkit/mozapps/update/UpdateService.jsm | 20 +++++++++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/toolkit/components/enterprisepolicies/EnterprisePolicies.js b/toolkit/components/enterprisepolicies/EnterprisePolicies.js
index dd26f75ed22da..5276725703f6b 100644
--- a/toolkit/components/enterprisepolicies/EnterprisePolicies.js
+++ b/toolkit/components/enterprisepolicies/EnterprisePolicies.js
@@ -2,6 +2,10 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+// To avoid accessing the Windows Registry or macOS' file system attributes,
+// Tor Browser only supports policies.json.
+#define JSON_POLICIES_ONLY MOZ_PROXY_BYPASS_PROTECTION
+
 const { XPCOMUtils } = ChromeUtils.import(
 "resource://gre/modules/XPCOMUtils.jsm"
 );
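Review bot: `#define JSON_POLICIES_ONLY MOZ_PROXY_BYPASS_PROTECTION` defines the symbol unconditionally, and every guard this patch adds is `#ifndef JSON_POLICIES_ONLY`, which as far as I can tell tests whether the name is defined, not what it expands to. The Registry and macOS providers are therefore compiled out whether or not `MOZ_PROXY_BYPASS_PROTECTION` is set for the build, which is the fail-safe direction but not what the line suggests. If the unconditional form is intended, `#define JSON_POLICIES_ONLY 1` under the existing comment says so directly. If it should follow the build flag, wrap the define in `#ifdef MOZ_PROXY_BYPASS_PROTECTION` and `#endif`.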
@@ -11,9 +15,11 @@ const { AppConstants } = ChromeUtils.import(
 );
 
 XPCOMUtils.defineLazyModuleGetters(this, {
+#ifndef JSON_POLICIES_ONLY
 WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm",
 macOSPoliciesParser:
 "resource://gre/modules/policies/macOSPoliciesParser.jsm",
+#endif
 Policies: "resource:///modules/policies/Policies.jsm",
 JsonSchemaValidator:
 "resource://gre/modules/components-utils/JsonSchemaValidator.jsm",
@@ -111,6 +117,7 @@ EnterprisePoliciesManager.prototype = {
 
 _chooseProvider() {
 let provider = null;
+#ifndef JSON_POLICIES_ONLY
 if (AppConstants.platform == "win") {
 provider = new WindowsGPOPoliciesProvider();
 } else if (AppConstants.platform == "macosx") {
@@ -119,6 +126,7 @@ EnterprisePoliciesManager.prototype = {
 if (provider && provider.hasPolicies) {
 return provider;
 }
+#endif
 
 provider = new JSONPoliciesProvider();
 if (provider.hasPolicies) {
@@ -561,6 +569,7 @@ class JSONPoliciesProvider {
 }
 }
 
+#ifndef JSON_POLICIES_ONLY
 class WindowsGPOPoliciesProvider {
 constructor() {
 this._policies = null;
@@ -622,6 +631,7 @@ class macOSPoliciesProvider {
 return this._failed;
 }
 }
+#endif
 
 var components = [EnterprisePoliciesManager];
 this.NSGetFactory = XPCOMUtils.generateNSGetFactory(components);
diff --git a/toolkit/components/enterprisepolicies/moz.build b/toolkit/components/enterprisepolicies/moz.build
index 8f7d7d8cfed7d..7528f569bb3e1 100644
--- a/toolkit/components/enterprisepolicies/moz.build
+++ b/toolkit/components/enterprisepolicies/moz.build
@@ -19,10 +19,12 @@ TEST_DIRS += [
 
 if CONFIG['MOZ_WIDGET_TOOLKIT'] != "android":
 EXTRA_COMPONENTS += [
- 'EnterprisePolicies.js',
 'EnterprisePolicies.manifest',
 'EnterprisePoliciesContent.js',
 ]
+ EXTRA_PP_COMPONENTS += [
+ 'EnterprisePolicies.js',
+ ]
 
 if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'windows':
 EXTRA_JS_MODULES.policies += [
diff --git a/toolkit/mozapps/update/UpdateService.jsm b/toolkit/mozapps/update/UpdateService.jsm
index 282e1aecc5e85..5fbcc15365403 100644
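Review bot: The platform parser modules still appear to be packaged, because the `if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'windows':` / `EXTRA_JS_MODULES.policies += [` block at the end of the moz.build hunk is unchanged context. Its contents lie outside the hunk, but it presumably still lists the Windows GPO parser that EnterprisePolicies.js no longer imports once `JSON_POLICIES_ONLY` is defined. Skipping that block (and the macOS equivalent, if there is one) under the same build condition would keep the Registry-reading code out of the package entirely, rather than relying only on the `#ifndef` in the one caller.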
--- a/toolkit/mozapps/update/UpdateService.jsm
+++ b/toolkit/mozapps/update/UpdateService.jsm
@@ -2772,6 +2772,10 @@ UpdateService.prototype = {
 _checkForBackgroundUpdates: function AUS__checkForBackgroundUpdates(
 isNotify
 ) {
+ if (this.disabledByPolicy) {
+ return;
+ }
+
 this._isNotify = isNotify;
 
 // Histogram IDs:
@@ -3293,6 +3297,14 @@ UpdateService.prototype = {
 * See nsIUpdateService.idl
 */
 get canApplyUpdates() {
+ if (this.disabledByPolicy) {
+ LOG(
+ "UpdateService.canApplyUpdates - unable to apply updates, " +
+ "the option has been disabled by the administrator."
+ );
+ return false;
+ }
+
 return getCanApplyUpdates() && hasUpdateMutex();
 },
 
@@ -3300,6 +3312,14 @@ UpdateService.prototype = {
 * See nsIUpdateService.idl
 */
 get canStageUpdates() {
+ if (this.disabledByPolicy) {
+ LOG(
+ "UpdateService.canStageUpdates - unable to stage updates, " +
+ "the option has been disabled by the administrator."
+ );
+ return false;
+ }
+
 return getCanStageUpdates();
 },
 
--
GitLab
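Review bot: The new guard at the top of `_checkForBackgroundUpdates` returns without logging, whereas the `canApplyUpdates` and `canStageUpdates` guards added later in this patch each emit a LOG line. A background check skipped by policy therefore leaves no trace in the update log, which makes an unexpected `distribution/policies.json` that has switched updates off harder to notice. One line before the `return;` would keep the three guards consistent: `LOG("UpdateService._checkForBackgroundUpdates - updates are disabled by policy");`. The function body continues outside the hunk.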
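Review bot: The doc comment above `get canApplyUpdates()` still says only `See nsIUpdateService.idl`, and the hunk at -3300 for `get canStageUpdates()` has the same gap. The diffstat shows no IDL change, so the new policy short-circuit is documented in neither place. `canApplyUpdates` also now returns false before `hasUpdateMutex()` is evaluated, which a reader of the interface would not expect. Suggested addition to each comment block, whose opening line is outside the hunk: ` * Returns false without further checks when updates are disabled by policy.`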