New device policy to allow Linux VMs on Chrome OS.

If the policy is unset or set to true, running Linux VMs on Chrome OS is
allowed. The unset is allowed means non-managed devices are allowed.

At this time, in order for Linux VMs to run, the Finch experiment also
needs to be enabled. After this feature is fully launched, the Finch
control logic will be removed.

BUG=chromium:800120
TEST=manually tested on an eve device with dbus-send results verified.

Change-Id: Iceec3341540edce5b815cc74aea0b56e12c35252
Reviewed-on: https://chromium-review.googlesource.com/899767
Commit-Queue: Tim Zheng <timzheng@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Dan Erat <derat@chromium.org>
Cr-Commit-Position: refs/heads/master@{#535769}

chrome/browser/chromeos/BUILD.gn

@@ -1577,6 +1577,8 @@ source_set("chromeos") {
     "ui/screen_capture_notification_ui_chromeos.h",
     "upgrade_detector_chromeos.cc",
     "upgrade_detector_chromeos.h",
+    "virtual_machines/virtual_machines_util.cc",
+    "virtual_machines/virtual_machines_util.h",
 
     # Extension API implementations.
     "extensions/backdrop_wallpaper_handlers/backdrop_wallpaper_handlers.cc",

chrome/browser/chromeos/dbus/finch_features_service_provider_delegate.cc

@@ -5,6 +5,7 @@
 #include "chrome/browser/chromeos/dbus/finch_features_service_provider_delegate.h"
 
 #include "base/feature_list.h"
+#include "chrome/browser/chromeos/virtual_machines/virtual_machines_util.h"
 #include "chrome/common/chrome_features.h"
 
 namespace chromeos {
@@ -14,7 +15,8 @@ FinchFeaturesServiceProviderDelegate::FinchFeaturesServiceProviderDelegate() {}
 FinchFeaturesServiceProviderDelegate::~FinchFeaturesServiceProviderDelegate() {}
 
 bool FinchFeaturesServiceProviderDelegate::IsCrostiniEnabled() {
-  return base::FeatureList::IsEnabled(features::kCrostini);
+  return base::FeatureList::IsEnabled(features::kCrostini) &&
+         virtual_machines::AreVirtualMachinesAllowedByPolicy();
 }
 
 }  // namespace chromeos

chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc

@@ -1032,6 +1032,16 @@ void DecodeGenericPolicies(const em::ChromeDeviceSettingsProto& policy,
           std::make_unique<base::Value>(container.site_per_process()), nullptr);
     }
   }
+
+  if (policy.has_virtual_machines_allowed()) {
+    const em::VirtualMachinesAllowedProto& container(
+        policy.virtual_machines_allowed());
+    policies->Set(
+        key::kVirtualMachinesAllowed, POLICY_LEVEL_MANDATORY,
+        POLICY_SCOPE_MACHINE, POLICY_SOURCE_CLOUD,
+        std::make_unique<base::Value>(container.virtual_machines_allowed()),
+        nullptr);
+  }
 }
 
 }  // namespace

chrome/browser/chromeos/settings/device_settings_provider.cc

@@ -113,6 +113,7 @@ const char* const kKnownSettings[] = {
     kUnaffiliatedArcAllowed,
     kUpdateDisabled,
     kVariationsRestrictParameter,
+    kVirtualMachinesAllowed,
 };
 
 void DecodeLoginPolicies(
@@ -628,6 +629,24 @@ void DecodeGenericPolicies(
                                   container.device_hostname_template());
     }
   }
+
+  if (policy.has_virtual_machines_allowed()) {
+    const em::VirtualMachinesAllowedProto& container(
+        policy.virtual_machines_allowed());
+    if (container.has_virtual_machines_allowed()) {
+      new_values_cache->SetValue(
+          kVirtualMachinesAllowed,
+          std::make_unique<base::Value>(container.virtual_machines_allowed()));
+    }
+  } else {
+    // If the policy is missing, default to false on enterprise-enrolled
+    // devices.
+    policy::BrowserPolicyConnectorChromeOS* connector =
+        g_browser_process->platform_part()->browser_policy_connector_chromeos();
+    if (connector->IsEnterpriseManaged()) {
+      new_values_cache->SetBoolean(kVirtualMachinesAllowed, false);
+    }
+  }
 }
 
 void DecodeLogUploadPolicies(const em::ChromeDeviceSettingsProto& policy,

chrome/browser/chromeos/virtual_machines/virtual_machines_util.cc

@@ -0,0 +1,22 @@
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/virtual_machines/virtual_machines_util.h"
+
+#include "chrome/browser/chromeos/settings/cros_settings.h"
+#include "chromeos/settings/cros_settings_names.h"
+
+namespace virtual_machines {
+
+bool AreVirtualMachinesAllowedByPolicy() {
+  bool virtual_machines_allowed;
+  if (chromeos::CrosSettings::Get()->GetBoolean(
+          chromeos::kVirtualMachinesAllowed, &virtual_machines_allowed)) {
+    return virtual_machines_allowed;
+  }
+  // If device policy is not set, allow virtual machines.
+  return true;
+}
+
+}  // namespace virtual_machines

chrome/browser/chromeos/virtual_machines/virtual_machines_util.h

@@ -0,0 +1,16 @@
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_VIRTUAL_MACHINES_VIRTUAL_MACHINES_UTIL_H_
+#define CHROME_BROWSER_CHROMEOS_VIRTUAL_MACHINES_VIRTUAL_MACHINES_UTIL_H_
+
+namespace virtual_machines {
+
+// Whether running virtual machines on Chrome OS are allowed
+// per enterprise policy.
+bool AreVirtualMachinesAllowedByPolicy();
+
+}  // namespace virtual_machines
+
+#endif  // CHROME_BROWSER_CHROMEOS_VIRTUAL_MACHINES_VIRTUAL_MACHINES_UTIL_H_

chrome/test/data/policy/policy_test_cases.json

@@ -3547,6 +3547,16 @@
     "note": "Chrome OS device policy used by session_manager only"
   },
 
+  "VirtualMachinesAllowed": {
+    "os": ["chromeos"],
+    "test_policy": {
+      "virtual_machines_allowed": false
+    },
+    "pref_mappings": [
+      { "pref": "cros.virtual_machines_allowed"}
+    ]
+  },
+
   "----- Chrome Frame policies -------------------------------------------": {},
 
   "ChromeFrameRendererSettings": {

chromeos/settings/cros_settings_names.cc

@@ -306,4 +306,8 @@ const char kUnaffiliatedArcAllowed[] = "cros.device.unaffiliated_arc_allowed";
 // as per RFC 1035, then no hostname will be used.
 const char kDeviceHostnameTemplate[] = "cros.network.hostname_template";
 
+// A boolean pref that indicates whether running virtual machines on Chrome OS
+// is allowed.
+const char kVirtualMachinesAllowed[] = "cros.device.virtual_machines_allowed";
+
 }  // namespace chromeos

chromeos/settings/cros_settings_names.h

@@ -139,6 +139,8 @@ CHROMEOS_EXPORT extern const char kUnaffiliatedArcAllowed[];
 
 CHROMEOS_EXPORT extern const char kDeviceHostnameTemplate[];
 
+CHROMEOS_EXPORT extern const char kVirtualMachinesAllowed[];
+
 }  // namespace chromeos
 
 #endif  // CHROMEOS_SETTINGS_CROS_SETTINGS_NAMES_H_

components/policy/proto/chrome_device_policy.proto

@@ -978,6 +978,11 @@ message DeviceLoginScreenSitePerProcessProto {
   optional bool site_per_process = 1;
 }
 
+// Setting to control if running virtual machines on Chrome OS is allowed.
+message VirtualMachinesAllowedProto {
+  optional bool virtual_machines_allowed = 1 [default = true];
+}
+
 message ChromeDeviceSettingsProto {
   reserved 61;
   optional DevicePolicyRefreshRateProto device_policy_refresh_rate = 1;
@@ -1064,4 +1069,5 @@ message ChromeDeviceSettingsProto {
       device_login_screen_isolate_origins = 67;
   optional DeviceLoginScreenSitePerProcessProto
       device_login_screen_site_per_process = 68;
+  optional VirtualMachinesAllowedProto virtual_machines_allowed = 69;
 }

components/policy/resources/policy_templates.json

@@ -146,7 +146,7 @@
 #   persistent IDs for all fields (but not for groups!) are needed. These are
 #   specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
 #   because doing so would break the deployed wire format!
-#   For your editing convenience: highest ID currently used: 420
+#   For your editing convenience: highest ID currently used: 421
 #   And don't forget to also update the EnterprisePolicies enum of
 #   histograms.xml (run 'python tools/metrics/histograms/update_policies.py').
 #
@@ -11232,6 +11232,27 @@
 
       This policy setting can be used to control the time period, in milliseconds, over which a user is progressively informed that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> must be relaunched (or <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> must be restarted) for an update. Over this time period, the user will be repeatedly informed of the need for an update based on the setting of the <ph name="RELAUNCH_NOTIFICATION_POLICY_NAME">RelaunchNotification</ph> policy. If not set, the default period of 604800000 milliseconds (one week) is used.''',
     },
+    {
+      'name': 'VirtualMachinesAllowed',
+      'type': 'main',
+      'schema': { 'type': 'boolean' },
+      'supported_on': ['chrome_os:66-'],
+      'device_only': True,
+      'features': {
+        'dynamic_refresh': True,
+      },
+      'example_value': True,
+      'id': 421,
+      'caption': '''Allow devices to run virtual machines on Chrome OS''',
+      'tags': ['system-security'],
+      'desc': '''Allows you to control whether virtual machines are allowed to run on Chrome OS.
+
+      If the policy is set to True, the device is allowed to run virtual machines.
+      If the policy is set to False, the device will not be allowed to run virtual machines.
+      When this policy is changed to False, it applies to starting new virtual machines but does not shut down virtual machines which are already running.
+      When this policy is not set on a managed device, the device will not be allowed to run virtual machines.
+      Unmanaged devices are allowed to run virtual machines.''',
+    },
   ],
 
   'messages': {

tools/metrics/histograms/enums.xml

@@ -12529,6 +12529,7 @@ Called by update_net_error_codes.py.-->
   <int value="418" label="DeviceLoginScreenSitePerProcess"/>
   <int value="419" label="RelaunchNotification"/>
   <int value="420" label="RelaunchNotificationPeriod"/>
+  <int value="421" label="VirtualMachinesAllowed"/>
 </enum>
 
 <enum name="EnterprisePolicyInvalidations">