DLP: Add logging.

Until proper DLP reporting is ready we need to log when
DLP blocks some user action to provide more transparency
for the admins.

Bug: 1166600
Change-Id: Iff4ae86bd3c172266723ef7e88290fa1fa47c386
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2628291Reviewed-by: Aya Elsayed <ayaelattar@chromium.org>
Commit-Queue: Sergey Poromov <poromov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#843505}

chrome/browser/chromeos/policy/dlp/data_transfer_dlp_controller.cc

@@ -5,6 +5,7 @@
 #include "chrome/browser/chromeos/policy/dlp/data_transfer_dlp_controller.h"
 
 #include "base/notreached.h"
+#include "base/syslog_logging.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager_factory.h"
 #include "chrome/browser/profiles/profile_manager.h"
@@ -119,6 +120,7 @@ bool DataTransferDlpController::IsClipboardReadAllowed(
     notify_on_paste = false;
 
   if (level == DlpRulesManager::Level::kBlock && notify_on_paste) {
+    SYSLOG(INFO) << "DLP blocked paste from clipboard";
     DoNotifyBlockedPaste(data_src, data_dst);
   }
 
@@ -133,6 +135,7 @@ bool DataTransferDlpController::IsDragDropAllowed(
       IsDataTransferAllowed(dlp_rules_manager_, data_src, data_dst);
 
   if (level == DlpRulesManager::Level::kBlock && is_drop) {
+    SYSLOG(INFO) << "DLP blocked drop of dragged data";
     DoNotifyBlockedPaste(data_src, data_dst);
   }
 

chrome/browser/chromeos/policy/dlp/dlp_content_manager.cc

@@ -11,6 +11,7 @@
 #include "base/bind.h"
 #include "base/containers/contains.h"
 #include "base/stl_util.h"
+#include "base/syslog_logging.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_notification_helper.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h"
@@ -62,12 +63,20 @@ DlpContentRestrictionSet DlpContentManager::GetOnScreenPresentRestrictions()
 
 bool DlpContentManager::IsScreenshotRestricted(
     const ScreenshotArea& area) const {
-  return IsAreaRestricted(area, DlpContentRestriction::kScreenshot);
+  const bool restricted =
+      IsAreaRestricted(area, DlpContentRestriction::kScreenshot);
+  if (restricted)
+    SYSLOG(INFO) << "DLP blocked taking a screenshot";
+  return restricted;
 }
 
 bool DlpContentManager::IsVideoCaptureRestricted(
     const ScreenshotArea& area) const {
-  return IsAreaRestricted(area, DlpContentRestriction::kVideoCapture);
+  const bool restricted =
+      IsAreaRestricted(area, DlpContentRestriction::kVideoCapture);
+  if (restricted)
+    SYSLOG(INFO) << "DLP blocked taking a video capture";
+  return restricted;
 }
 
 bool DlpContentManager::IsPrintingRestricted(
@@ -79,15 +88,21 @@ bool DlpContentManager::IsPrintingRestricted(
   web_contents =
       guest_view ? guest_view->embedder_web_contents() : web_contents;
 
-  return GetConfidentialRestrictions(web_contents)
-      .HasRestriction(DlpContentRestriction::kPrint);
+  const bool restricted = GetConfidentialRestrictions(web_contents)
+                              .HasRestriction(DlpContentRestriction::kPrint);
+  if (restricted)
+    SYSLOG(INFO) << "DLP blocked printing";
+  return restricted;
 }
 
 bool DlpContentManager::IsScreenCaptureRestricted(
     const content::DesktopMediaID& media_id) const {
   if (media_id.type == content::DesktopMediaID::Type::TYPE_SCREEN) {
-    return GetOnScreenPresentRestrictions().HasRestriction(
+    const bool restricted = GetOnScreenPresentRestrictions().HasRestriction(
         DlpContentRestriction::kScreenShare);
+    if (restricted)
+      SYSLOG(INFO) << "DLP blocked screen sharing";
+    return restricted;
   }
 
   content::WebContents* web_contents =
@@ -97,8 +112,12 @@ bool DlpContentManager::IsScreenCaptureRestricted(
               media_id.web_contents_id.main_render_frame_id));
 
   if (media_id.type == content::DesktopMediaID::Type::TYPE_WEB_CONTENTS) {
-    return GetConfidentialRestrictions(web_contents)
-        .HasRestriction(DlpContentRestriction::kScreenShare);
+    const bool restricted =
+        GetConfidentialRestrictions(web_contents)
+            .HasRestriction(DlpContentRestriction::kScreenShare);
+    if (restricted)
+      SYSLOG(INFO) << "DLP blocked screen sharing";
+    return restricted;
   }
 
   DCHECK_EQ(media_id.type, content::DesktopMediaID::Type::TYPE_WINDOW);
@@ -110,6 +129,7 @@ bool DlpContentManager::IsScreenCaptureRestricted(
     aura::Window* web_contents_window = entry.first->GetNativeView();
     if (entry.second.HasRestriction(DlpContentRestriction::kScreenShare) &&
         window->Contains(web_contents_window)) {
+      SYSLOG(INFO) << "DLP blocked screen sharing";
       return true;
     }
   }
@@ -132,10 +152,13 @@ void DlpContentManager::OnVideoCaptureStopped() {
 }
 
 bool DlpContentManager::IsCaptureModeInitRestricted() const {
-  return GetOnScreenPresentRestrictions().HasRestriction(
-             DlpContentRestriction::kScreenshot) ||
-         GetOnScreenPresentRestrictions().HasRestriction(
-             DlpContentRestriction::kVideoCapture);
+  const bool restricted = GetOnScreenPresentRestrictions().HasRestriction(
+                              DlpContentRestriction::kScreenshot) ||
+                          GetOnScreenPresentRestrictions().HasRestriction(
+                              DlpContentRestriction::kVideoCapture);
+  if (restricted)
+    SYSLOG(INFO) << "DLP blocked taking a screen capture";
+  return restricted;
 }
 
 void DlpContentManager::OnScreenCaptureStarted(
@@ -307,6 +330,7 @@ void DlpContentManager::OnScreenRestrictionsChanged(
                DlpContentRestriction::kPrivacyScreen)));
   if (added_restrictions.HasRestriction(
           DlpContentRestriction::kPrivacyScreen)) {
+    SYSLOG(INFO) << "DLP enforced privacy screen";
     ash::PrivacyScreenDlpHelper::Get()->SetEnforced(true);
   }
 
@@ -323,6 +347,7 @@ void DlpContentManager::OnScreenRestrictionsChanged(
 void DlpContentManager::MaybeRemovePrivacyScreenEnforcement() const {
   if (!GetOnScreenPresentRestrictions().HasRestriction(
           DlpContentRestriction::kPrivacyScreen)) {
+    SYSLOG(INFO) << "DLP removed enforcement of privacy screen";
     ash::PrivacyScreenDlpHelper::Get()->SetEnforced(false);
   }
 }
@@ -387,8 +412,10 @@ void DlpContentManager::CheckRunningVideoCapture() {
     return;
   if (IsAreaRestricted(*running_video_capture_area_,
                        DlpContentRestriction::kVideoCapture)) {
-    if (ash::features::IsCaptureModeEnabled())
+    if (ash::features::IsCaptureModeEnabled()) {
+      SYSLOG(INFO) << "DLP interrupted screen recording";
       ChromeCaptureModeDelegate::Get()->InterruptVideoRecordingIfAny();
+    }
     running_video_capture_area_.reset();
   }
 }
@@ -428,6 +455,8 @@ void DlpContentManager::CheckRunningScreenCaptures() {
   for (auto& capture : running_screen_captures_) {
     bool is_allowed = !IsScreenCaptureRestricted(capture.media_id);
     if (is_allowed != capture.is_running) {
+      SYSLOG(INFO) << "DLP " << (is_allowed ? "resumed" : "paused")
+                   << " running screen share";
       capture.state_change_callback.Run(
           capture.media_id, capture.is_running
                                 ? blink::mojom::MediaStreamStateChange::PAUSE