Allow Camera app to be disabled.

Temporary allow Camera component app to be disabled by policy as it's widely used by enterprises. The proper long-term fix should be to introduce CameraEnabled policy and then remove this fix. Camera app id: hfhhnacclhffhdffklopdkcgdhifgngh Bug: 993418 Test: Manual, configured ExtensionInstallBlacklist policy to include Change-Id: I9af2d6303d023b61b1af461f51533ffb25b00422 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1789312 Commit-Queue: Sergey Poromov <poromov@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#699735}

Allow Camera app to be disabled.
Temporary allow Camera component app to be disabled by policy as it's widely used by enterprises. The proper long-term fix should be to introduce CameraEnabled policy and then remove this fix. Camera app id: hfhhnacclhffhdffklopdkcgdhifgngh Bug: 993418 Test: Manual, configured ExtensionInstallBlacklist policy to include Change-Id: I9af2d6303d023b61b1af461f51533ffb25b00422 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1789312 Commit-Queue: Sergey Poromov <poromov@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#699735}
e46d4e42 · Sergey Poromov · Commit Bot · cdf6b796 · e46d4e42 · e46d4e42
Commit e46d4e42 authored Sep 25, 2019 by Sergey Poromov Committed by Commit Bot Sep 25, 2019
3 changed files
--- a/chrome/browser/extensions/standard_management_policy_provider.cc
+++ b/chrome/browser/extensions/standard_management_policy_provider.cc
@@ -10,6 +10,7 @@
 #include "base/strings/string16.h"
 #include "base/strings/utf_string_conversions.h"
 #include "chrome/browser/extensions/extension_management.h"
+#include "extensions/common/constants.h"
 #include "extensions/common/extension.h"
 #include "extensions/common/manifest.h"
 #include "extensions/strings/grit/extensions_strings.h"
@@ -74,9 +75,15 @@ std::string
 bool StandardManagementPolicyProvider::UserMayLoad(
    const Extension* extension,
    base::string16* error) const {
-  // Component extensions are always allowed.
+  // Component extensions are always allowed, besides the camera app that can be
-  if (Manifest::IsComponentLocation(extension->location()))
+  // disabled by extension policy. This is a temporary solution until there's a
+  // dedicated policy to disable the camera, at which point the special check in
+  // the 'if' statement should be removed.
+  // TODO(http://crbug.com/1002935)
+  if (Manifest::IsComponentLocation(extension->location()) &&
+      extension->id() != extension_misc::kCameraAppId) {
    return true;
+  }
  // Shared modules are always allowed too: they only contain resources that
  // are used by other extensions. The extension that depends on the shared

--- a/chrome/browser/policy/extension_policy_browsertest.cc
+++ b/chrome/browser/policy/extension_policy_browsertest.cc
@@ -2,9 +2,11 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
+#include "base/run_loop.h"
 #include "base/test/bind_test_util.h"
 #include "build/build_config.h"
 #include "chrome/browser/background/background_contents_service.h"
+#include "chrome/browser/extensions/component_loader.h"
 #include "chrome/browser/extensions/crx_installer.h"
 #include "chrome/browser/extensions/extension_management_constants.h"
 #include "chrome/browser/extensions/extension_management_test_util.h"
@@ -35,6 +37,7 @@
 #include "extensions/browser/notification_types.h"
 #include "extensions/browser/scoped_ignore_content_verifier_for_test.h"
 #include "extensions/browser/test_extension_registry_observer.h"
+#include "extensions/common/constants.h"
 #include "extensions/common/features/feature_channel.h"
 #include "extensions/common/manifest_handlers/shared_module_info.h"
 #include "extensions/common/value_builder.h"
@@ -194,6 +197,52 @@ class ExtensionPolicyTest : public PolicyTest {
 }  // namespace
+#if defined(OS_CHROMEOS)
+// Check that component extension can't be blacklisted, besides the camera app
+// that can be disabled by extension policy. This is a temporary solution until
+// there's a dedicated policy to disable the camera, at which point the special
+// check should be removed.
+// TODO(http://crbug.com/1002935)
+IN_PROC_BROWSER_TEST_F(ExtensionPolicyTest,
+                       ExtensionInstallBlacklistComponentApps) {
+  extensions::ExtensionPrefs* extension_prefs =
+      extensions::ExtensionPrefs::Get(browser()->profile());
+  // Load all component extensions.
+  extensions::ComponentLoader::EnableBackgroundExtensionsForTesting();
+  extension_service()->component_loader()->AddDefaultComponentExtensions(false);
+  base::RunLoop().RunUntilIdle();
+  extensions::ExtensionRegistry* registry = extension_registry();
+  ASSERT_TRUE(
+      registry->enabled_extensions().GetByID(extension_misc::kCameraAppId));
+  ASSERT_TRUE(
+      registry->enabled_extensions().GetByID(extensions::kWebStoreAppId));
+  const size_t enabled_count = registry->enabled_extensions().size();
+  // Verify that only Camera app can be blacklisted.
+  base::ListValue blacklist;
+  blacklist.AppendString(extension_misc::kCameraAppId);
+  blacklist.AppendString(extensions::kWebStoreAppId);
+  PolicyMap policies;
+  policies.Set(key::kExtensionInstallBlacklist, POLICY_LEVEL_MANDATORY,
+               POLICY_SCOPE_USER, POLICY_SOURCE_CLOUD,
+               blacklist.CreateDeepCopy(), nullptr);
+  UpdateProviderPolicy(policies);
+  ASSERT_FALSE(
+      registry->enabled_extensions().GetByID(extension_misc::kCameraAppId));
+  ASSERT_TRUE(
+      registry->disabled_extensions().GetByID(extension_misc::kCameraAppId));
+  EXPECT_EQ(1u, registry->disabled_extensions().size());
+  EXPECT_EQ(extensions::disable_reason::DISABLE_BLOCKED_BY_POLICY,
+            extension_prefs->GetDisableReasons(extension_misc::kCameraAppId));
+  ASSERT_TRUE(
+      registry->enabled_extensions().GetByID(extensions::kWebStoreAppId));
+  EXPECT_EQ(enabled_count - 1, registry->enabled_extensions().size());
+}
+#endif  // defined(OS_CHROMEOS)
 IN_PROC_BROWSER_TEST_F(ExtensionPolicyTest,
                       ExtensionInstallBlacklistSelective) {
  // Verifies that blacklisted extensions can't be installed.

--- a/extensions/browser/extension_prefs.cc
+++ b/extensions/browser/extension_prefs.cc
@@ -31,6 +31,7 @@
 #include "extensions/browser/extension_system.h"
 #include "extensions/browser/install_flag.h"
 #include "extensions/browser/pref_names.h"
+#include "extensions/common/constants.h"
 #include "extensions/common/manifest.h"
 #include "extensions/common/permissions/permission_set.h"
 #include "extensions/common/permissions/permissions_info.h"
@@ -804,12 +805,20 @@ void ExtensionPrefs::ClearInapplicableDisableReasonsForComponentExtension(
      disable_reason::DISABLE_UNSUPPORTED_REQUIREMENT |
      disable_reason::DISABLE_CORRUPTED;
+  // Allow the camera app to be disabled by extension policy. This is a
+  // temporary solution until there's a dedicated policy to disable the
+  // camera, at which point this should be removed.
+  // TODO(http://crbug.com/1002935)
+  int allowed_disable_reasons = kAllowDisableReasons;
+  if (component_extension_id == extension_misc::kCameraAppId)
+    allowed_disable_reasons |= disable_reason::DISABLE_BLOCKED_BY_POLICY;
  // Some disable reasons incorrectly cause component extensions to never
  // activate on load. See https://crbug.com/946839 for more details on why we
  // do this.
  ModifyDisableReasons(
      component_extension_id,
-      kAllowDisableReasons & GetDisableReasons(component_extension_id),
+      allowed_disable_reasons & GetDisableReasons(component_extension_id),
      DISABLE_REASON_REPLACE);
 }