DLP: Add logging.

Until proper DLP reporting is ready we need to log when DLP blocks some user action to provide more transparency for the admins. Bug: 1166600 Change-Id: Iff4ae86bd3c172266723ef7e88290fa1fa47c386 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2628291Reviewed-by: Aya Elsayed <ayaelattar@chromium.org> Commit-Queue: Sergey Poromov <poromov@chromium.org> Cr-Commit-Position: refs/heads/master@{#843505}

DLP: Add logging.
Until proper DLP reporting is ready we need to log when DLP blocks some user action to provide more transparency for the admins. Bug: 1166600 Change-Id: Iff4ae86bd3c172266723ef7e88290fa1fa47c386 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2628291Reviewed-by: Aya Elsayed <ayaelattar@chromium.org> Commit-Queue: Sergey Poromov <poromov@chromium.org> Cr-Commit-Position: refs/heads/master@{#843505}
97adba47 · Sergey Poromov · Chromium LUCI CQ · 4d7c834b · 97adba47 · 97adba47
Commit 97adba47 authored Jan 14, 2021 by Sergey Poromov Committed by Chromium LUCI CQ Jan 14, 2021
2 changed files
--- a/chrome/browser/chromeos/policy/dlp/data_transfer_dlp_controller.cc
+++ b/chrome/browser/chromeos/policy/dlp/data_transfer_dlp_controller.cc
@@ -5,6 +5,7 @@
 #include "chrome/browser/chromeos/policy/dlp/data_transfer_dlp_controller.h"
 #include "base/notreached.h"
+#include "base/syslog_logging.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager_factory.h"
 #include "chrome/browser/profiles/profile_manager.h"
@@ -119,6 +120,7 @@ bool DataTransferDlpController::IsClipboardReadAllowed(
    notify_on_paste = false;
  if (level == DlpRulesManager::Level::kBlock && notify_on_paste) {
+    SYSLOG(INFO) << "DLP blocked paste from clipboard";
    DoNotifyBlockedPaste(data_src, data_dst);
  }
@@ -133,6 +135,7 @@ bool DataTransferDlpController::IsDragDropAllowed(
      IsDataTransferAllowed(dlp_rules_manager_, data_src, data_dst);
  if (level == DlpRulesManager::Level::kBlock && is_drop) {
+    SYSLOG(INFO) << "DLP blocked drop of dragged data";
    DoNotifyBlockedPaste(data_src, data_dst);
  }

--- a/chrome/browser/chromeos/policy/dlp/dlp_content_manager.cc
+++ b/chrome/browser/chromeos/policy/dlp/dlp_content_manager.cc
@@ -11,6 +11,7 @@
 #include "base/bind.h"
 #include "base/containers/contains.h"
 #include "base/stl_util.h"
+#include "base/syslog_logging.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_notification_helper.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h"
@@ -62,12 +63,20 @@ DlpContentRestrictionSet DlpContentManager::GetOnScreenPresentRestrictions()
 bool DlpContentManager::IsScreenshotRestricted(
    const ScreenshotArea& area) const {
-  return IsAreaRestricted(area, DlpContentRestriction::kScreenshot);
+  const bool restricted =
+      IsAreaRestricted(area, DlpContentRestriction::kScreenshot);
+  if (restricted)
+    SYSLOG(INFO) << "DLP blocked taking a screenshot";
+  return restricted;
 }
 bool DlpContentManager::IsVideoCaptureRestricted(
    const ScreenshotArea& area) const {
-  return IsAreaRestricted(area, DlpContentRestriction::kVideoCapture);
+  const bool restricted =
+      IsAreaRestricted(area, DlpContentRestriction::kVideoCapture);
+  if (restricted)
+    SYSLOG(INFO) << "DLP blocked taking a video capture";
+  return restricted;
 }
 bool DlpContentManager::IsPrintingRestricted(
@@ -79,15 +88,21 @@ bool DlpContentManager::IsPrintingRestricted(
  web_contents =
      guest_view ? guest_view->embedder_web_contents() : web_contents;
-  return GetConfidentialRestrictions(web_contents)
+  const bool restricted = GetConfidentialRestrictions(web_contents)
-      .HasRestriction(DlpContentRestriction::kPrint);
+                              .HasRestriction(DlpContentRestriction::kPrint);
+  if (restricted)
+    SYSLOG(INFO) << "DLP blocked printing";
+  return restricted;
 }
 bool DlpContentManager::IsScreenCaptureRestricted(
    const content::DesktopMediaID& media_id) const {
  if (media_id.type == content::DesktopMediaID::Type::TYPE_SCREEN) {
-    return GetOnScreenPresentRestrictions().HasRestriction(
+    const bool restricted = GetOnScreenPresentRestrictions().HasRestriction(
        DlpContentRestriction::kScreenShare);
+    if (restricted)
+      SYSLOG(INFO) << "DLP blocked screen sharing";
+    return restricted;
  }
  content::WebContents* web_contents =
@@ -97,8 +112,12 @@ bool DlpContentManager::IsScreenCaptureRestricted(
              media_id.web_contents_id.main_render_frame_id));
  if (media_id.type == content::DesktopMediaID::Type::TYPE_WEB_CONTENTS) {
-    return GetConfidentialRestrictions(web_contents)
+    const bool restricted =
-        .HasRestriction(DlpContentRestriction::kScreenShare);
+        GetConfidentialRestrictions(web_contents)
+            .HasRestriction(DlpContentRestriction::kScreenShare);
+    if (restricted)
+      SYSLOG(INFO) << "DLP blocked screen sharing";
+    return restricted;
  }
  DCHECK_EQ(media_id.type, content::DesktopMediaID::Type::TYPE_WINDOW);
@@ -110,6 +129,7 @@ bool DlpContentManager::IsScreenCaptureRestricted(
    aura::Window* web_contents_window = entry.first->GetNativeView();
    if (entry.second.HasRestriction(DlpContentRestriction::kScreenShare) &&
        window->Contains(web_contents_window)) {
+      SYSLOG(INFO) << "DLP blocked screen sharing";
      return true;
    }
  }
@@ -132,10 +152,13 @@ void DlpContentManager::OnVideoCaptureStopped() {
 }
 bool DlpContentManager::IsCaptureModeInitRestricted() const {
-  return GetOnScreenPresentRestrictions().HasRestriction(
+  const bool restricted = GetOnScreenPresentRestrictions().HasRestriction(
-             DlpContentRestriction::kScreenshot) ||
+                              DlpContentRestriction::kScreenshot) ||
-         GetOnScreenPresentRestrictions().HasRestriction(
+                          GetOnScreenPresentRestrictions().HasRestriction(
-             DlpContentRestriction::kVideoCapture);
+                              DlpContentRestriction::kVideoCapture);
+  if (restricted)
+    SYSLOG(INFO) << "DLP blocked taking a screen capture";
+  return restricted;
 }
 void DlpContentManager::OnScreenCaptureStarted(
@@ -307,6 +330,7 @@ void DlpContentManager::OnScreenRestrictionsChanged(
               DlpContentRestriction::kPrivacyScreen)));
  if (added_restrictions.HasRestriction(
          DlpContentRestriction::kPrivacyScreen)) {
+    SYSLOG(INFO) << "DLP enforced privacy screen";
    ash::PrivacyScreenDlpHelper::Get()->SetEnforced(true);
  }
@@ -323,6 +347,7 @@ void DlpContentManager::OnScreenRestrictionsChanged(
 void DlpContentManager::MaybeRemovePrivacyScreenEnforcement() const {
  if (!GetOnScreenPresentRestrictions().HasRestriction(
          DlpContentRestriction::kPrivacyScreen)) {
+    SYSLOG(INFO) << "DLP removed enforcement of privacy screen";
    ash::PrivacyScreenDlpHelper::Get()->SetEnforced(false);
  }
 }
@@ -387,8 +412,10 @@ void DlpContentManager::CheckRunningVideoCapture() {
    return;
  if (IsAreaRestricted(*running_video_capture_area_,
                       DlpContentRestriction::kVideoCapture)) {
-    if (ash::features::IsCaptureModeEnabled())
+    if (ash::features::IsCaptureModeEnabled()) {
+      SYSLOG(INFO) << "DLP interrupted screen recording";
      ChromeCaptureModeDelegate::Get()->InterruptVideoRecordingIfAny();
+    }
    running_video_capture_area_.reset();
  }
 }
@@ -428,6 +455,8 @@ void DlpContentManager::CheckRunningScreenCaptures() {
  for (auto& capture : running_screen_captures_) {
    bool is_allowed = !IsScreenCaptureRestricted(capture.media_id);
    if (is_allowed != capture.is_running) {
+      SYSLOG(INFO) << "DLP " << (is_allowed ? "resumed" : "paused")
+                   << " running screen share";
      capture.state_change_callback.Run(
          capture.media_id, capture.is_running
                                ? blink::mojom::MediaStreamStateChange::PAUSE