DLP: Add SCREEN_SHARE restriction to DataLeakPreventionRulesList policy.

This restriction will control access to the confidential content by
websites/extensions using 3P Web/Extensions Screen Casting API, e.g.:
1) https://www.w3.org/TR/screen-capture/
2) https://developer.chrome.com/extensions/desktopCapture
3) https://developer.chrome.com/extensions/tabCapture
These API are mostly used for screen share, e.g.Google Meet, or
3P screen capture extensions, e.g.Screencastify.

Bug: 1134566
Change-Id: I25dbf7b8a548c5884f81cf0d1d37308b000a8863
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2514206
Commit-Queue: Sergey Poromov <poromov@chromium.org>
Reviewed-by: Aya Elsayed <ayaelattar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#823969}

chrome/browser/chromeos/policy/dlp/dlp_content_manager.cc

@@ -187,7 +187,9 @@ DlpContentRestrictionSet DlpContentManager::GetRestrictionSetForURL(
                          {DlpRulesManager::Restriction::kPrivacyScreen,
                           DlpContentRestriction::kPrivacyScreen},
                          {DlpRulesManager::Restriction::kPrinting,
-                          DlpContentRestriction::kPrint}});
+                          DlpContentRestriction::kPrint},
+                         {DlpRulesManager::Restriction::kScreenShare,
+                          DlpContentRestriction::kScreenShare}});
 
   for (const auto& restriction : *kRestrictionsList) {
     if (dlp_rules_manager->IsRestricted(url, restriction.first) ==

chrome/browser/chromeos/policy/dlp/dlp_content_manager_browsertest.cc

@@ -33,6 +33,8 @@ const DlpContentRestrictionSet kPrivacyScreenEnforced(
 const DlpContentRestrictionSet kPrintRestricted(DlpContentRestriction::kPrint);
 const DlpContentRestrictionSet kVideoCaptureRestricted(
     DlpContentRestriction::kVideoCapture);
+const DlpContentRestrictionSet kScreenShareRestricted(
+    DlpContentRestriction::kScreenShare);
 }  // namespace
 
 class DlpContentManagerBrowserTest : public InProcessBrowserTest {
@@ -240,6 +242,7 @@ IN_PROC_BROWSER_TEST_F(DlpContentManagerPolicyBrowserTest,
   const std::string kUrl1 = "https://example1.com";
   const std::string kUrl2 = "https://example2.com";
   const std::string kUrl3 = "https://example3.com";
+  const std::string kUrl4 = "https://example4.com";
 
   base::Value rules(base::Value::Type::LIST);
 
@@ -276,6 +279,17 @@ IN_PROC_BROWSER_TEST_F(DlpContentManagerPolicyBrowserTest,
       /*dst_components=*/base::Value(base::Value::Type::LIST),
       std::move(restrictions3)));
 
+  base::Value src_urls4(base::Value::Type::LIST);
+  src_urls4.Append(kUrl4);
+  base::Value restrictions4(base::Value::Type::LIST);
+  restrictions4.Append(dlp_test_util::CreateRestrictionWithLevel(
+      dlp::kScreenShareRestriction, dlp::kBlockLevel));
+  rules.Append(dlp_test_util::CreateRule(
+      "rule #4", "Block", std::move(src_urls4),
+      /*dst_urls=*/base::Value(base::Value::Type::LIST),
+      /*dst_components=*/base::Value(base::Value::Type::LIST),
+      std::move(restrictions4)));
+
   PolicyMap policies;
   policies.Set(key::kDataLeakPreventionRulesList, POLICY_LEVEL_MANDATORY,
                POLICY_SCOPE_USER, POLICY_SOURCE_CLOUD, std::move(rules),
@@ -291,6 +305,8 @@ IN_PROC_BROWSER_TEST_F(DlpContentManagerPolicyBrowserTest,
             DlpContentManager::Get()->GetRestrictionSetForURL(GURL(kUrl2)));
   EXPECT_EQ(kPrintRestricted,
             DlpContentManager::Get()->GetRestrictionSetForURL(GURL(kUrl3)));
+  EXPECT_EQ(kScreenShareRestricted,
+            DlpContentManager::Get()->GetRestrictionSetForURL(GURL(kUrl4)));
   EXPECT_EQ(
       DlpContentRestrictionSet(),
       DlpContentManager::Get()->GetRestrictionSetForURL(GURL(kAllowedUrl)));

chrome/browser/chromeos/policy/dlp/dlp_rules_manager.cc

@@ -32,6 +32,7 @@ const char kClipboardRestriction[] = "CLIPBOARD";
 const char kScreenshotRestriction[] = "SCREENSHOT";
 const char kPrintingRestriction[] = "PRINTING";
 const char kPrivacyScreenRestriction[] = "PRIVACY_SCREEN";
+const char kScreenShareRestriction[] = "SCREEN_SHARE";
 
 const char kArc[] = "ARC";
 const char kCrostini[] = "CROSTINI";
@@ -54,7 +55,9 @@ DlpRulesManager::Restriction GetClassMapping(const std::string& restriction) {
             DlpRulesManager::Restriction::kScreenshot},
            {dlp::kPrintingRestriction, DlpRulesManager::Restriction::kPrinting},
            {dlp::kPrivacyScreenRestriction,
-            DlpRulesManager::Restriction::kPrivacyScreen}});
+            DlpRulesManager::Restriction::kPrivacyScreen},
+           {dlp::kScreenShareRestriction,
+            DlpRulesManager::Restriction::kScreenShare}});
 
   auto it = kRestrictionsMap->find(restriction);
   return (it == kRestrictionsMap->end())
@@ -167,7 +170,8 @@ DlpRulesManager::Level DlpRulesManager::IsRestricted(
   DCHECK(src_url_matcher_);
   DCHECK(restriction == Restriction::kPrinting ||
          restriction == Restriction::kPrivacyScreen ||
-         restriction == Restriction::kScreenshot);
+         restriction == Restriction::kScreenshot ||
+         restriction == Restriction::kScreenShare);
 
   const std::set<RuleId> source_rules_ids = MatchUrlAndGetRulesMapping(
       source, src_url_matcher_.get(), src_url_rules_mapping_);

chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h

@@ -24,6 +24,7 @@ extern const char kClipboardRestriction[];
 extern const char kScreenshotRestriction[];
 extern const char kPrintingRestriction[];
 extern const char kPrivacyScreenRestriction[];
+extern const char kScreenShareRestriction[];
 
 extern const char kArc[];
 extern const char kCrostini[];
@@ -50,7 +51,9 @@ class DlpRulesManager {
     kPrinting = 3,       // Restricts printing confidential screen content.
     kPrivacyScreen = 4,  // Enforces the Eprivacy screen when there's
                          // confidential content on the screen.
-    kMaxValue = kPrivacyScreen
+    kScreenShare = 5,    // Restricts screen sharing of confidential content
+                         // through 3P extensions/websites.
+    kMaxValue = kScreenShare
   };
 
   // A representation of destinations to which sharing confidential data is
@@ -91,7 +94,7 @@ class DlpRulesManager {
   // Returns the enforcement level for `restriction` given that data comes
   // from `source`. ALLOW is returned if no restrictions should be applied.
   // Requires `restriction` to be one of the following: screenshot, printing,
-  // privacy screen.
+  // privacy screen, screenshare.
   Level IsRestricted(const GURL& source, Restriction restriction) const;
 
   // Returns the enforcement level for `restriction` given that data comes

chrome/test/data/policy/policy_test_cases.json

@@ -8086,7 +8086,7 @@
           "DataLeakPreventionRulesList": [
             {
               "name": "Support agent work flows",
-              "description": "Allow copy and paste for work purposes but block screenshots and printing",
+              "description": "Allow copy and paste for work purposes but block screenshots, screen share and printing",
               "sources": {
                 "urls": [
                   "salesforce.com",
@@ -8122,6 +8122,10 @@
                 {
                   "class": "PRIVACY_SCREEN",
                   "level": "BLOCK"
+                },
+                {
+                  "class": "SCREEN_SHARE",
+                  "level": "BLOCK"
                 }
               ]
             }

components/policy/resources/policy_templates.json

@@ -23020,7 +23020,8 @@ If you disable this policy, web page scrolling to specific text fragments via UR
                       'CLIPBOARD',
                       'SCREENSHOT',
                       'PRINTING',
-                      'PRIVACY_SCREEN'
+                      'PRIVACY_SCREEN',
+                      'SCREEN_SHARE'
                     ]
                   },
                   'level': {
@@ -23045,7 +23046,7 @@ If you disable this policy, web page scrolling to specific text fragments via UR
       'example_value': [
         {
           'name': 'Support agent work flows',
-          'description': 'Allow copy and paste for work purposes but block screenshots and printing',
+          'description': 'Allow copy and paste for work purposes but block screenshots, screen share and printing',
           'sources': {
             'urls': [
               'salesforce.com',
@@ -23080,6 +23081,10 @@ If you disable this policy, web page scrolling to specific text fragments via UR
             {
               'class': 'PRIVACY_SCREEN',
               'level': 'BLOCK'
+            },
+            {
+              'class': 'SCREEN_SHARE',
+              'level': 'BLOCK'
             }
           ]
         },
@@ -23126,6 +23131,7 @@ If you disable this policy, web page scrolling to specific text fragments via UR
       - Control taking screenshots of any of the sources.
       - Control printing of any of the sources.
       - Control the privacy screen when any of the sources is visible.
+      - Control screen sharing of any of the sources.
 
       The restriction level can be set to BLOCK, ALLOW.
       - If the restriction is set to BLOCK, the action won't be allowed.