Clarify MGS permission warning flags

Adjusting Managed Guest Session (MGS) permission warning flags according to consensus between commercial and privacy teams. Due to privacy concerns, removing whitelisting for permissions that provide direct access to user data. Further, to reduce scope, removing unnecessarry whitelisting for permissions of the following categories: * private/internal * lacking public documentation * non-stable channel or otherwise experimental or deprecated * inapplicable to MGS, e.g. kiosk-specific permissions Bug: 1015378 Change-Id: Id677c8639d94cc1b6478d5bf9b469648d202ce04 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2124266 Commit-Queue: Thiemo Nagel <tnagel@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#754964}

Clarify MGS permission warning flags
Adjusting Managed Guest Session (MGS) permission warning flags according to consensus between commercial and privacy teams. Due to privacy concerns, removing whitelisting for permissions that provide direct access to user data. Further, to reduce scope, removing unnecessarry whitelisting for permissions of the following categories: * private/internal * lacking public documentation * non-stable channel or otherwise experimental or deprecated * inapplicable to MGS, e.g. kiosk-specific permissions Bug: 1015378 Change-Id: Id677c8639d94cc1b6478d5bf9b469648d202ce04 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2124266 Commit-Queue: Thiemo Nagel <tnagel@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#754964}
5eb1c0d8 · Thiemo Nagel · Commit Bot · c5055b1e · 5eb1c0d8 · 5eb1c0d8
Commit 5eb1c0d8 authored Mar 31, 2020 by Thiemo Nagel Committed by Commit Bot Mar 31, 2020
7 changed files
--- a/chrome/common/apps/platform_apps/chrome_apps_api_permissions.cc
+++ b/chrome/common/apps/platform_apps/chrome_apps_api_permissions.cc
@@ -26,27 +26,18 @@ constexpr extensions::APIPermissionInfo::InitInfo permissions_to_register[] = {
     extensions::APIPermissionInfo::
         kFlagDoesNotRequireManagedSessionFullLoginWarning},
    {extensions::APIPermission::kFirstRunPrivate, "firstRunPrivate",
-     extensions::APIPermissionInfo::kFlagCannotBeOptional |
-         extensions::APIPermissionInfo::
-             kFlagDoesNotRequireManagedSessionFullLoginWarning},
+     extensions::APIPermissionInfo::kFlagCannotBeOptional},
    {extensions::APIPermission::kMusicManagerPrivate, "musicManagerPrivate",
-     extensions::APIPermissionInfo::kFlagCannotBeOptional |
-         extensions::APIPermissionInfo::
-             kFlagDoesNotRequireManagedSessionFullLoginWarning},
+     extensions::APIPermissionInfo::kFlagCannotBeOptional},
    {extensions::APIPermission::kMediaGalleries, "mediaGalleries",
-     extensions::APIPermissionInfo::
-         kFlagDoesNotRequireManagedSessionFullLoginWarning,
+     extensions::APIPermissionInfo::kFlagNone,
     &CreateAPIPermission<chrome_apps::MediaGalleriesPermission>},
    {extensions::APIPermission::kPointerLock, "pointerLock",
     extensions::APIPermissionInfo::
         kFlagDoesNotRequireManagedSessionFullLoginWarning},
-    {extensions::APIPermission::kSyncFileSystem, "syncFileSystem",
-     extensions::APIPermissionInfo::
-         kFlagDoesNotRequireManagedSessionFullLoginWarning},
+    {extensions::APIPermission::kSyncFileSystem, "syncFileSystem"},
    {extensions::APIPermission::kWebstoreWidgetPrivate, "webstoreWidgetPrivate",
-     extensions::APIPermissionInfo::kFlagCannotBeOptional |
-         extensions::APIPermissionInfo::
-             kFlagDoesNotRequireManagedSessionFullLoginWarning},
+     extensions::APIPermissionInfo::kFlagCannotBeOptional},
 };

 }  // namespace

--- a/chrome/common/extensions/manifest_handlers/ui_overrides_handler.cc
+++ b/chrome/common/extensions/manifest_handlers/ui_overrides_handler.cc
@@ -86,8 +86,6 @@ class UIOverridesHandler::ManifestPermissionImpl : public ManifestPermission {

  bool RequiresManagementUIWarning() const override { return false; }

-  bool RequiresManagedSessionFullLoginWarning() const override { return false; }
-
 private:
  bool override_bookmarks_ui_permission_;
 };

--- a/chrome/common/extensions/permissions/chrome_api_permissions.cc
+++ b/chrome/common/extensions/permissions/chrome_api_permissions.cc
--- a/extensions/common/api/bluetooth/bluetooth_manifest_permission.cc
+++ b/extensions/common/api/bluetooth/bluetooth_manifest_permission.cc
@@ -195,9 +195,4 @@ bool BluetoothManifestPermission::RequiresManagementUIWarning() const {
  return false;
 }

-bool BluetoothManifestPermission::RequiresManagedSessionFullLoginWarning()
-    const {
-  return false;
-}
-
 }  // namespace extensions
--- a/extensions/common/api/bluetooth/bluetooth_manifest_permission.h
+++ b/extensions/common/api/bluetooth/bluetooth_manifest_permission.h
@@ -54,7 +54,6 @@ class BluetoothManifestPermission : public ManifestPermission {
  std::unique_ptr<ManifestPermission> Intersect(
      const ManifestPermission* rhs) const override;
  bool RequiresManagementUIWarning() const override;
-  bool RequiresManagedSessionFullLoginWarning() const override;

  const BluetoothUuidSet& uuids() const {
    return uuids_;

--- a/extensions/common/manifest_handlers/automation.cc
+++ b/extensions/common/manifest_handlers/automation.cc
@@ -66,8 +66,6 @@ class AutomationManifestPermission : public ManifestPermission {

  bool RequiresManagementUIWarning() const override;

-  bool RequiresManagedSessionFullLoginWarning() const override;
-
 private:
  std::unique_ptr<const AutomationInfo> automation_info_;
 };
@@ -166,11 +164,6 @@ bool AutomationManifestPermission::RequiresManagementUIWarning() const {
  return automation_info_->desktop || !automation_info_->matches.is_empty();
 }

-bool AutomationManifestPermission::RequiresManagedSessionFullLoginWarning()
-    const {
-  return automation_info_->desktop || !automation_info_->matches.is_empty();
-}
-
 AutomationHandler::AutomationHandler() = default;

 AutomationHandler::~AutomationHandler() = default;

--- a/extensions/common/permissions/extensions_api_permissions.cc
+++ b/extensions/common/permissions/extensions_api_permissions.cc