[Extensions] Support withholding hosts during extension installation

This change adds logic to the extension installation flow that allows
for host permissions to be withheld by default if certain creation
flags are supplied.

Bug: 984069
Change-Id: I53aa71814b34bd19dc30a9b11b1dc5955bec1106
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1759408
Commit-Queue: Tim Judkins <tjudkins@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#705346}

chrome/browser/extensions/scripting_permissions_modifier.cc

@@ -35,10 +35,10 @@ bool CanWithholdFromExtension(const Extension& extension) {
                                                       extension.location());
 }
 
-// Iterates over |requested_permissions| and adds any permissions that should
-// be granted to |granted_permissions_out|. These include any non-host
+// Iterates over |requested_permissions| and returns a permission set of any
+// permissions that should be  granted. These include any non-host
 // permissions or host permissions that are present in
-// |runtime_granted_permissions|. |granted_permissions_out| may contain new
+// |runtime_granted_permissions|. The returned permission set may contain new
 // patterns not found in either |requested_permissions| or
 // |runtime_granted_permissions| in the case of overlapping host permissions
 // (such as *://*.google.com/* and https://*/*, which would intersect with
@@ -363,7 +363,16 @@ ScriptingPermissionsModifier::WithholdPermissionsIfNecessary(
   if (ShouldConsiderExtension(extension)) {
     base::Optional<bool> pref_value =
         extension_prefs.GetShouldWithholdPermissions(extension.id());
-    should_withhold = pref_value.has_value() && pref_value.value() == true;
+    if (pref_value.has_value()) {
+      should_withhold = pref_value.value();
+    } else {
+      should_withhold =
+          extension.creation_flags() & Extension::WITHHOLD_PERMISSIONS;
+    }
+  } else {
+    // The withhold creation flag should never have been set in cases where
+    // withholding isn't allowed.
+    DCHECK(!(extension.creation_flags() & Extension::WITHHOLD_PERMISSIONS));
   }
 
   should_withhold &= !permissions.effective_hosts().is_empty();
@@ -376,6 +385,11 @@ ScriptingPermissionsModifier::WithholdPermissionsIfNecessary(
   // permissions API.
   std::unique_ptr<const PermissionSet> runtime_granted_permissions =
       GetRuntimePermissionsFromPrefs(extension, extension_prefs);
+  // If there were no runtime granted permissions found in the prefs, default to
+  // a new empty set.
+  if (!runtime_granted_permissions) {
+    runtime_granted_permissions = std::make_unique<PermissionSet>();
+  }
   return PartitionHostPermissions(permissions, *runtime_granted_permissions);
 }
 

chrome/browser/extensions/scripting_permissions_modifier.h

@@ -99,8 +99,8 @@ class ScriptingPermissionsModifier {
   void RemoveAllGrantedHostPermissions();
 
   // Takes in a set of permissions and withholds any permissions that should not
-  // be granted for the given |extension|, populating |granted_permissions_out|
-  // with the set of all permissions that can be granted.
+  // be granted for the given |extension|, returning a permission set with all
+  // of the permissions that can be granted.
   // Note: we pass in |permissions| explicitly here, as this is used during
   // permission initialization, where the active permissions on the extension
   // may not be the permissions to compare against.

chrome/browser/ui/webui/extensions/extensions_internals_source.cc

@@ -116,6 +116,8 @@ base::Value CreationFlagsToList(int creation_flags) {
     flags_value.Append("WAS_INSTALLED_BY_OEM");
   if (creation_flags & extensions::Extension::MAY_BE_UNTRUSTED)
     flags_value.Append("MAY_BE_UNTRUSTED");
+  if (creation_flags & extensions::Extension::WITHHOLD_PERMISSIONS)
+    flags_value.Append("WITHHOLD_PERMISSIONS");
   return flags_value;
 }
 

extensions/browser/extension_prefs.cc

@@ -1997,6 +1997,8 @@ void ExtensionPrefs::PopulateExtensionInfoPrefs(
     extension_dict->SetBoolean(kPrefBlacklist, true);
   if (dnr_ruleset_checksum)
     extension_dict->SetInteger(kPrefDNRRulesetChecksum, *dnr_ruleset_checksum);
+  if (extension->creation_flags() & Extension::WITHHOLD_PERMISSIONS)
+    extension_dict->SetBoolean(kGrantExtensionAllHostPermissions, false);
 
   base::FilePath::StringType path = MakePathRelative(install_directory_,
                                                      extension->path());

extensions/common/extension.cc

@@ -126,7 +126,7 @@ bool IsManifestSupported(int manifest_version,
 
 }  // namespace
 
-const int Extension::kInitFromValueFlagBits = 14;
+const int Extension::kInitFromValueFlagBits = 15;
 
 const char Extension::kMimeType[] = "application/x-chrome-extension";
 

extensions/common/extension.h

@@ -140,6 +140,10 @@ class Extension : public base::RefCountedThreadSafe<Extension> {
     // instead of the usual |TYPE_EXTENSION|.
     FOR_LOGIN_SCREEN = 1 << 13,
 
+    // |WITHHOLD_PERMISSIONS| indicates that on installation the user indicated
+    // for permissions to be withheld from the extension by default.
+    WITHHOLD_PERMISSIONS = 1 << 14,
+
     // When adding new flags, make sure to update kInitFromValueFlagBits.
   };