Adding a policy for using the uiAccess enabled It2Me binary on Windows
This change adds a Chrome enterprise policy to control whether or not we use the uiAccess enabled binary for It2Me or the binary which runs at the user's integrity level. BUG=617185 Review-Url: https://codereview.chromium.org/2252243002 Cr-Commit-Position: refs/heads/master@{#415107}
chrome/test/data/policy
components/policy/resources
remoting/host
tools/metrics/histograms
@ -249,6 +249,9 @@
|
||||
"RemoteAccessHostDebugOverridePolicies": {
|
||||
},
|
||||
|
||||
"RemoteAccessHostAllowUiAccessForRemoteAssistance": {
|
||||
},
|
||||
|
||||
"PrintingEnabled": {
|
||||
"os": ["win", "linux", "mac", "chromeos"],
|
||||
"test_policy": { "PrintingEnabled": false },
|
||||
|
@ -137,7 +137,7 @@
|
||||
# persistent IDs for all fields (but not for groups!) are needed. These are
|
||||
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
|
||||
# because doing so would break the deployed wire format!
|
||||
# For your editing convenience: highest ID currently used: 343
|
||||
# For your editing convenience: highest ID currently used: 344
|
||||
#
|
||||
# Placeholders:
|
||||
# The following placeholder strings are automatically substituted:
|
||||
@ -998,6 +998,23 @@
|
||||
|
||||
The value is parsed as a JSON dictionary of policy name to policy value mappings.''',
|
||||
},
|
||||
{
|
||||
'name': 'RemoteAccessHostAllowUiAccessForRemoteAssistance',
|
||||
'type': 'main',
|
||||
'schema': { 'type': 'boolean' },
|
||||
'supported_on': ['chrome.win:55-'],
|
||||
'features': {
|
||||
'dynamic_refresh': False,
|
||||
'per_profile': False,
|
||||
},
|
||||
'example_value': True,
|
||||
'id': 344,
|
||||
'caption': '''Allow remote users to interact with elevated windows in remote assistance sessions''',
|
||||
'tags': ['system-security'],
|
||||
'desc': '''If this setting is enabled, the remote assistance host will be run in a process with <ph name="UIACCESS_PERMISSION_NAME">uiAccess</ph> permissions. This will allow remote users to interact with elevated windows on the local user's desktop.
|
||||
|
||||
If this setting is disabled or not configured, the remote assistance host will run in the user's context and remote users cannot interact with elevated windows on the desktop.''',
|
||||
},
|
||||
],
|
||||
},
|
||||
{
|
||||
|
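Review bot: The `desc` of `RemoteAccessHostAllowUiAccessForRemoteAssistance` says what enabling does but not what it costs, so an administrator reading the policy list cannot tell why the setting is off by default. Running the host with uiAccess removes the integrity-level boundary that otherwise keeps a remote party out of elevated applications, and the text should say so, for example by adding `Enable this only when the people providing remote assistance are trusted to operate elevated applications on this machine.` The entry also sets `'dynamic_refresh': False`, so the description should state when a change takes effect (presumably the next time the host starts, which needs confirming).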
@ -195,6 +195,8 @@ PolicyWatcher::PolicyWatcher(
|
||||
default_values_->SetBoolean(key::kRemoteAccessHostAllowRelayedConnection,
|
||||
true);
|
||||
default_values_->SetString(key::kRemoteAccessHostUdpPortRange, "");
|
||||
default_values_->SetBoolean(
|
||||
key::kRemoteAccessHostAllowUiAccessForRemoteAssistance, false);
|
||||
}
|
||||
|
||||
PolicyWatcher::~PolicyWatcher() {
|
||||
|
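Review bot: The new default in the `PolicyWatcher` constructor carries no comment saying that `false` is the deliberately restrictive choice, so a later edit that flips it would presumably move every unmanaged Windows host to the uiAccess binary without anyone noticing in review. I would add above the call `// Secure default: run the It2Me host at the user's integrity level unless policy opts in to uiAccess.` The default is also registered with no platform guard visible in this hunk, although the template entry is `chrome.win:55-` only and the unit test has to erase the key on non-Windows; the same comment should mention that. The constructor body starts outside this hunk.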
@ -148,6 +148,10 @@ class PolicyWatcherTest : public testing::Test {
|
||||
third_party_auth_cert_empty_.MergeDictionary(&third_party_auth_partial_);
|
||||
third_party_auth_cert_empty_.SetString(
|
||||
key::kRemoteAccessHostTokenValidationCertificateIssuer, "");
|
||||
remote_assistance_uiaccess_true_.SetBoolean(
|
||||
key::kRemoteAccessHostAllowUiAccessForRemoteAssistance, true);
|
||||
remote_assistance_uiaccess_false_.SetBoolean(
|
||||
key::kRemoteAccessHostAllowUiAccessForRemoteAssistance, false);
|
||||
}
|
||||
|
||||
void TearDown() override {
|
||||
@ -238,6 +242,8 @@ class PolicyWatcherTest : public testing::Test {
|
||||
base::DictionaryValue third_party_auth_full_;
|
||||
base::DictionaryValue third_party_auth_partial_;
|
||||
base::DictionaryValue third_party_auth_cert_empty_;
|
||||
base::DictionaryValue remote_assistance_uiaccess_true_;
|
||||
base::DictionaryValue remote_assistance_uiaccess_false_;
|
||||
|
||||
private:
|
||||
void SetDefaults(base::DictionaryValue& dict) {
|
||||
@ -255,6 +261,8 @@ class PolicyWatcherTest : public testing::Test {
|
||||
dict.SetString(key::kRemoteAccessHostTokenValidationCertificateIssuer, "");
|
||||
dict.SetBoolean(key::kRemoteAccessHostAllowClientPairing, true);
|
||||
dict.SetBoolean(key::kRemoteAccessHostAllowGnubbyAuth, true);
|
||||
dict.SetBoolean(key::kRemoteAccessHostAllowUiAccessForRemoteAssistance,
|
||||
false);
|
||||
|
||||
ASSERT_THAT(&dict, IsPolicies(&GetDefaultValues()))
|
||||
<< "Sanity check that defaults expected by the test code "
|
||||
@ -491,6 +499,26 @@ TEST_F(PolicyWatcherTest, GnubbyAuth) {
|
||||
SetPolicies(gnubby_auth_true_);
|
||||
}
|
||||
|
||||
TEST_F(PolicyWatcherTest, RemoteAssistanceUiAccess) {
|
||||
testing::InSequence sequence;
|
||||
EXPECT_CALL(mock_policy_callback_,
|
||||
OnPolicyUpdatePtr(IsPolicies(&nat_true_others_default_)));
|
||||
#if defined(OS_WIN)
|
||||
// This setting only affects Windows, it is ignored on other platforms so the
|
||||
// 2 SetPolicies calls won't result in any calls to OnPolicyUpdate.
|
||||
EXPECT_CALL(mock_policy_callback_,
|
||||
OnPolicyUpdatePtr(IsPolicies(&remote_assistance_uiaccess_true_)));
|
||||
EXPECT_CALL(
|
||||
mock_policy_callback_,
|
||||
OnPolicyUpdatePtr(IsPolicies(&remote_assistance_uiaccess_false_)));
|
||||
#endif // defined(OS_WIN)
|
||||
|
||||
SetPolicies(empty_);
|
||||
StartWatching();
|
||||
SetPolicies(remote_assistance_uiaccess_true_);
|
||||
SetPolicies(remote_assistance_uiaccess_false_);
|
||||
}
|
||||
|
||||
TEST_F(PolicyWatcherTest, Relay) {
|
||||
testing::InSequence sequence;
|
||||
EXPECT_CALL(mock_policy_callback_,
|
||||
@ -616,6 +644,9 @@ TEST_F(PolicyWatcherTest, PolicySchemaAndPolicyWatcherShouldBeInSync) {
|
||||
// RemoteAccessHostMatchUsername is marked in policy_templates.json as not
|
||||
// supported on Windows and therefore is (by design) excluded from the schema.
|
||||
expected_schema.erase(key::kRemoteAccessHostMatchUsername);
|
||||
#else // !defined(OS_WIN)
|
||||
// RemoteAssistanceHostAllowUiAccess does not exist on non-Windows platforms.
|
||||
expected_schema.erase(key::kRemoteAccessHostAllowUiAccessForRemoteAssistance);
|
||||
#endif
|
||||
|
||||
std::map<std::string, base::Value::Type> actual_schema;
|
||||
|
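Review bot: In `TEST_F(PolicyWatcherTest, RemoteAssistanceUiAccess)` the comment that explains the non-Windows case sits inside `#if defined(OS_WIN)`, directly above the two `EXPECT_CALL`s it says will not happen, so it reads as a contradiction. Move it above the `#if` and reword it, e.g. `// Windows-only policy: elsewhere the two SetPolicies calls below are ignored and produce no OnPolicyUpdate.` In the `PolicySchemaAndPolicyWatcherShouldBeInSync` hunk the comment names `RemoteAssistanceHostAllowUiAccess`, which does not match the key `RemoteAccessHostAllowUiAccessForRemoteAssistance` and will not be found by a search for the policy name. Since this policy gates a privileged binary, the comments should use the exact identifier.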
@ -75897,8 +75897,10 @@ http://cs/file:chrome/histograms.xml - but prefer this file for new entries.
|
||||
<int value="290" label="Report hardware status"/>
|
||||
<int value="291" label="Report information about active kiosk sessions"/>
|
||||
<int value="292" label="Frequency of device status report uploads"/>
|
||||
<int value="293" label="Send monitoring heartbeats to the management server"/>
|
||||
<int value="294" label="Frequency of monitoring heartbeats"/>
|
||||
<int value="293"
|
||||
label="Send network packets to the management server to monitor online
|
||||
status"/>
|
||||
<int value="294" label="Frequency of monitoring network packets"/>
|
||||
<int value="295" label="Captive portal authentication ignores proxy"/>
|
||||
<int value="296" label="Set Apps and Extensions cache size (in bytes)"/>
|
||||
<int value="297" label="Enable domain name autocomplete during user sign in"/>
|
||||
@ -75951,17 +75953,22 @@ http://cs/file:chrome/histograms.xml - but prefer this file for new entries.
|
||||
<int value="333" label="Enables cast"/>
|
||||
<int value="334" label="Whether DHE cipher suites in TLS are enabled"/>
|
||||
<int value="335"
|
||||
label="Disable Certificate Transparency enforcement for these sites"/>
|
||||
label="Disable Certificate Transparency enforcement for a list of URLs"/>
|
||||
<int value="336"
|
||||
label="Configure the list of installed apps on the login screen"/>
|
||||
<int value="337" label="Enable Android Backup Service"/>
|
||||
<int value="338"
|
||||
label="Enable generated content suggestions on the New Tab page"/>
|
||||
<int value="339" label="Restrict the UDP port range used by WebRTC"/>
|
||||
<int value="340" label="Enable SHA-1 certificates from local trust anchors"/>
|
||||
<int value="338" label="Show content suggestions on the New Tab page"/>
|
||||
<int value="339"
|
||||
label="Restrict the range of local UDP ports used by WebRTC"/>
|
||||
<int value="340"
|
||||
label="Whether SHA-1 signed certificates issued by local trust anchors
|
||||
are allowed"/>
|
||||
<int value="341" label="Set an external source of URL restrictions"/>
|
||||
<int value="342" label="Enable component updates"/>
|
||||
<int value="343" label="Mount external storage only in read-only mode"/>
|
||||
<int value="342" label="Enables component updates in Google Chrome."/>
|
||||
<int value="343" label="Treat external storage devices as read-only."/>
|
||||
<int value="344"
|
||||
label="Allow remote users to interact with elevated windows in remote
|
||||
assistance sessions"/>
|
||||
</enum>
|
||||
|
||||
<enum name="EnterprisePolicyInvalidations" type="int">
|
||||
|