
Adding a policy for using the uiAccess enabled It2Me binary on Windows

This change adds a Chrome enterprise policy to control whether or not we use
the uiAccess enabled binary for It2Me or the binary which runs at the user's
integrity level.

BUG=617185

Review-Url: https://codereview.chromium.org/2252243002
Cr-Commit-Position: refs/heads/master@{#415107}
joedow
2016-08-29 21:40:54 -07:00
committed by Commit bot
parent 3161c433a2
commit 6f0893de17
5 changed files with 70 additions and 10 deletions
chrome/test/data/policy
components/policy/resources
remoting/host
tools/metrics/histograms

@ -249,6 +249,9 @@
"RemoteAccessHostDebugOverridePolicies": {
},
"RemoteAccessHostAllowUiAccessForRemoteAssistance": {
},
"PrintingEnabled": {
"os": ["win", "linux", "mac", "chromeos"],
"test_policy": { "PrintingEnabled": false },

@ -137,7 +137,7 @@
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
# For your editing convenience: highest ID currently used: 343
# For your editing convenience: highest ID currently used: 344
#
# Placeholders:
# The following placeholder strings are automatically substituted:
@ -998,6 +998,23 @@
The value is parsed as a JSON dictionary of policy name to policy value mappings.''',
},
{
'name': 'RemoteAccessHostAllowUiAccessForRemoteAssistance',
'type': 'main',
'schema': { 'type': 'boolean' },
'supported_on': ['chrome.win:55-'],
'features': {
'dynamic_refresh': False,
'per_profile': False,
},
'example_value': True,
'id': 344,
'caption': '''Allow remote users to interact with elevated windows in remote assistance sessions''',
'tags': ['system-security'],
'desc': '''If this setting is enabled, the remote assistance host will be run in a process with <ph name="UIACCESS_PERMISSION_NAME">uiAccess</ph> permissions. This will allow remote users to interact with elevated windows on the local user's desktop.
If this setting is disabled or not configured, the remote assistance host will run in the user's context and remote users cannot interact with elevated windows on the desktop.''',
},
],
},
{

@ -195,6 +195,8 @@ PolicyWatcher::PolicyWatcher(
default_values_->SetBoolean(key::kRemoteAccessHostAllowRelayedConnection,
true);
default_values_->SetString(key::kRemoteAccessHostUdpPortRange, "");
default_values_->SetBoolean(
key::kRemoteAccessHostAllowUiAccessForRemoteAssistance, false);
}
PolicyWatcher::~PolicyWatcher() {
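Review bot: The new default for kRemoteAccessHostAllowUiAccessForRemoteAssistance is registered unconditionally here, while the unit test in the same change removes that key from the expected schema on non-Windows builds, so a reader has to cross-reference the test to see that the two are meant to agree. A short comment above the SetBoolean call would make the intent explicit, e.g. `// Windows-only policy (see policy_templates.json); the false default is the restrictive setting and is registered on every platform so the defaults dictionary stays uniform.` The constructor body begins before this hunk.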

@ -148,6 +148,10 @@ class PolicyWatcherTest : public testing::Test {
third_party_auth_cert_empty_.MergeDictionary(&third_party_auth_partial_);
third_party_auth_cert_empty_.SetString(
key::kRemoteAccessHostTokenValidationCertificateIssuer, "");
remote_assistance_uiaccess_true_.SetBoolean(
key::kRemoteAccessHostAllowUiAccessForRemoteAssistance, true);
remote_assistance_uiaccess_false_.SetBoolean(
key::kRemoteAccessHostAllowUiAccessForRemoteAssistance, false);
}
void TearDown() override {
@ -238,6 +242,8 @@ class PolicyWatcherTest : public testing::Test {
base::DictionaryValue third_party_auth_full_;
base::DictionaryValue third_party_auth_partial_;
base::DictionaryValue third_party_auth_cert_empty_;
base::DictionaryValue remote_assistance_uiaccess_true_;
base::DictionaryValue remote_assistance_uiaccess_false_;
private:
void SetDefaults(base::DictionaryValue& dict) {
@ -255,6 +261,8 @@ class PolicyWatcherTest : public testing::Test {
dict.SetString(key::kRemoteAccessHostTokenValidationCertificateIssuer, "");
dict.SetBoolean(key::kRemoteAccessHostAllowClientPairing, true);
dict.SetBoolean(key::kRemoteAccessHostAllowGnubbyAuth, true);
dict.SetBoolean(key::kRemoteAccessHostAllowUiAccessForRemoteAssistance,
false);
ASSERT_THAT(&dict, IsPolicies(&GetDefaultValues()))
<< "Sanity check that defaults expected by the test code "
@ -491,6 +499,26 @@ TEST_F(PolicyWatcherTest, GnubbyAuth) {
SetPolicies(gnubby_auth_true_);
}
TEST_F(PolicyWatcherTest, RemoteAssistanceUiAccess) {
testing::InSequence sequence;
EXPECT_CALL(mock_policy_callback_,
OnPolicyUpdatePtr(IsPolicies(&nat_true_others_default_)));
#if defined(OS_WIN)
// This setting only affects Windows, it is ignored on other platforms so the
// 2 SetPolicies calls won't result in any calls to OnPolicyUpdate.
EXPECT_CALL(mock_policy_callback_,
OnPolicyUpdatePtr(IsPolicies(&remote_assistance_uiaccess_true_)));
EXPECT_CALL(
mock_policy_callback_,
OnPolicyUpdatePtr(IsPolicies(&remote_assistance_uiaccess_false_)));
#endif // defined(OS_WIN)
SetPolicies(empty_);
StartWatching();
SetPolicies(remote_assistance_uiaccess_true_);
SetPolicies(remote_assistance_uiaccess_false_);
}
TEST_F(PolicyWatcherTest, Relay) {
testing::InSequence sequence;
EXPECT_CALL(mock_policy_callback_,
@ -616,6 +644,9 @@ TEST_F(PolicyWatcherTest, PolicySchemaAndPolicyWatcherShouldBeInSync) {
// RemoteAccessHostMatchUsername is marked in policy_templates.json as not
// supported on Windows and therefore is (by design) excluded from the schema.
expected_schema.erase(key::kRemoteAccessHostMatchUsername);
#else // !defined(OS_WIN)
// RemoteAssistanceHostAllowUiAccess does not exist on non-Windows platforms.
expected_schema.erase(key::kRemoteAccessHostAllowUiAccessForRemoteAssistance);
#endif
std::map<std::string, base::Value::Type> actual_schema;
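Review bot: The comment on the new #else branch names a policy that does not exist: `RemoteAssistanceHostAllowUiAccess` is neither the key erased on the following line nor the name defined in policy_templates.json, so grepping for the comment text will never find the policy. Use the real key and mirror the wording of the sibling OS_WIN branch above it, e.g. `// RemoteAccessHostAllowUiAccessForRemoteAssistance is marked in policy_templates.json as supported on Windows only and is therefore (by design) excluded from the schema on other platforms.` The same key is also referenced in the RemoteAssistanceUiAccess test earlier in this section, where the OS_WIN comment is accurate. The enclosing TEST_F body starts before this hunk and continues after it.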

@ -75897,8 +75897,10 @@ http://cs/file:chrome/histograms.xml - but prefer this file for new entries.
<int value="290" label="Report hardware status"/>
<int value="291" label="Report information about active kiosk sessions"/>
<int value="292" label="Frequency of device status report uploads"/>
<int value="293" label="Send monitoring heartbeats to the management server"/>
<int value="294" label="Frequency of monitoring heartbeats"/>
<int value="293"
label="Send network packets to the management server to monitor online
status"/>
<int value="294" label="Frequency of monitoring network packets"/>
<int value="295" label="Captive portal authentication ignores proxy"/>
<int value="296" label="Set Apps and Extensions cache size (in bytes)"/>
<int value="297" label="Enable domain name autocomplete during user sign in"/>
@ -75951,17 +75953,22 @@ http://cs/file:chrome/histograms.xml - but prefer this file for new entries.
<int value="333" label="Enables cast"/>
<int value="334" label="Whether DHE cipher suites in TLS are enabled"/>
<int value="335"
label="Disable Certificate Transparency enforcement for these sites"/>
label="Disable Certificate Transparency enforcement for a list of URLs"/>
<int value="336"
label="Configure the list of installed apps on the login screen"/>
<int value="337" label="Enable Android Backup Service"/>
<int value="338"
label="Enable generated content suggestions on the New Tab page"/>
<int value="339" label="Restrict the UDP port range used by WebRTC"/>
<int value="340" label="Enable SHA-1 certificates from local trust anchors"/>
<int value="338" label="Show content suggestions on the New Tab page"/>
<int value="339"
label="Restrict the range of local UDP ports used by WebRTC"/>
<int value="340"
label="Whether SHA-1 signed certificates issued by local trust anchors
are allowed"/>
<int value="341" label="Set an external source of URL restrictions"/>
<int value="342" label="Enable component updates"/>
<int value="343" label="Mount external storage only in read-only mode"/>
<int value="342" label="Enables component updates in Google Chrome."/>
<int value="343" label="Treat external storage devices as read-only."/>
<int value="344"
label="Allow remote users to interact with elevated windows in remote
assistance sessions"/>
</enum>
<enum name="EnterprisePolicyInvalidations" type="int">