1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
|
// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef LIBBRILLO_POLICY_DEVICE_POLICY_H_
#define LIBBRILLO_POLICY_DEVICE_POLICY_H_
#include <stdint.h>
#include <set>
#include <string>
#include <vector>
#include <base/macros.h>
#include <base/time/time.h>
#pragma GCC visibility push(default)
namespace policy {
// This class holds device settings that are to be enforced across all users.
// It is also responsible for loading the policy blob from disk and verifying
// the signature against the owner's key.
//
// This class defines the interface for querying device policy on ChromeOS.
// The implementation is hidden in DevicePolicyImpl to prevent protobuf
// definition from leaking into the libraries using this interface.
class DevicePolicy {
public:
// Identifiers of a USB device or device family.
struct UsbDeviceId {
// USB Vendor Identifier (aka idVendor).
uint16_t vendor_id;
// USB Product Identifier (aka idProduct).
uint16_t product_id;
};
// Time interval represented by two |day_of_week| and |time| pairs. The start
// of the interval is inclusive and the end is exclusive. The time represented
// by those pairs will be interpreted to be in the local timezone. Because of
// this, there exists the possibility of intervals being repeated or skipped
// in a day with daylight savings transitions, this is expected behavior.
struct WeeklyTimeInterval {
// Value is from 1 to 7 (1 = Monday, 2 = Tuesday, etc.). All values outside
// this range are invalid and will be discarded.
int start_day_of_week;
// Time since the start of the day. This value will be interpreted to be in
// the system's current timezone when used for range checking.
base::TimeDelta start_time;
int end_day_of_week;
base::TimeDelta end_time;
};
DevicePolicy();
virtual ~DevicePolicy();
// Load device policy off of disk into |policy_|.
// Returns true unless there is a policy on disk and loading it fails.
virtual bool LoadPolicy() = 0;
// Writes the value of the DevicePolicyRefreshRate policy in |rate|. Returns
// true on success.
virtual bool GetPolicyRefreshRate(int* rate) const = 0;
// Writes the value of the UserWhitelist policy in |user_whitelist|. Returns
// true on success.
virtual bool GetUserWhitelist(
std::vector<std::string>* user_whitelist) const = 0;
// Writes the value of the GuestModeEnabled policy in |guest_mode_enabled|.
// Returns true on success.
virtual bool GetGuestModeEnabled(bool* guest_mode_enabled) const = 0;
// Writes the value of the CameraEnabled policy in |camera_enabled|. Returns
// true on success.
virtual bool GetCameraEnabled(bool* camera_enabled) const = 0;
// Writes the value of the ShowUserNamesOnSignIn policy in |show_user_names|.
// Returns true on success.
virtual bool GetShowUserNames(bool* show_user_names) const = 0;
// Writes the value of the DataRoamingEnabled policy in |data_roaming_enabled|
// Returns true on success.
virtual bool GetDataRoamingEnabled(bool* data_roaming_enabled) const = 0;
// Writes the value of the AllowNewUsers policy in |allow_new_users|. Returns
// true on success.
virtual bool GetAllowNewUsers(bool* allow_new_users) const = 0;
// Writes the value of MetricEnabled policy in |metrics_enabled|. Returns true
// on success.
virtual bool GetMetricsEnabled(bool* metrics_enabled) const = 0;
// Writes the value of ReportVersionInfo policy in |report_version_info|.
// Returns true on success.
virtual bool GetReportVersionInfo(bool* report_version_info) const = 0;
// Writes the value of ReportActivityTimes policy in |report_activity_times|.
// Returns true on success.
virtual bool GetReportActivityTimes(bool* report_activity_times) const = 0;
// Writes the value of ReportBootMode policy in |report_boot_mode|. Returns
// true on success.
virtual bool GetReportBootMode(bool* report_boot_mode) const = 0;
// Writes the value of the EphemeralUsersEnabled policy in
// |ephemeral_users_enabled|. Returns true on success.
virtual bool GetEphemeralUsersEnabled(
bool* ephemeral_users_enabled) const = 0;
// Writes the value of the release channel policy in |release_channel|.
// Returns true on success.
virtual bool GetReleaseChannel(std::string* release_channel) const = 0;
// Writes the value of the release_channel_delegated policy in
// |release_channel_delegated|. Returns true on success.
virtual bool GetReleaseChannelDelegated(
bool* release_channel_delegated) const = 0;
// Writes the value of the update_disabled policy in |update_disabled|.
// Returns true on success.
virtual bool GetUpdateDisabled(bool* update_disabled) const = 0;
// Writes the value of the target_version_prefix policy in
// |target_version_prefix|. Returns true on success.
virtual bool GetTargetVersionPrefix(
std::string* target_version_prefix) const = 0;
// Writes the value of the rollback_to_target_version policy in
// |rollback_to_target_version|. |rollback_to_target_version| will be one of
// the values in AutoUpdateSettingsProto's RollbackToTargetVersion enum.
// Returns true on success.
virtual bool GetRollbackToTargetVersion(
int* rollback_to_target_version) const = 0;
// Writes the value of the rollback_allowed_milestones policy in
// |rollback_allowed_milestones|. Returns true on success.
virtual bool GetRollbackAllowedMilestones(
int* rollback_allowed_milestones) const = 0;
// Writes the value of the scatter_factor_in_seconds policy in
// |scatter_factor_in_seconds|. Returns true on success.
virtual bool GetScatterFactorInSeconds(
int64_t* scatter_factor_in_seconds) const = 0;
// Writes the connection types on which updates are allowed to
// |connection_types|. The identifiers returned are intended to be consistent
// with what the connection manager users: ethernet, wifi, wimax, bluetooth,
// cellular.
virtual bool GetAllowedConnectionTypesForUpdate(
std::set<std::string>* connection_types) const = 0;
// Writes the value of the OpenNetworkConfiguration policy in
// |open_network_configuration|. Returns true on success.
virtual bool GetOpenNetworkConfiguration(
std::string* open_network_configuration) const = 0;
// Writes the name of the device owner in |owner|. For enterprise enrolled
// devices, this will be an empty string.
// Returns true on success.
virtual bool GetOwner(std::string* owner) const = 0;
// Write the value of http_downloads_enabled policy in
// |http_downloads_enabled|. Returns true on success.
virtual bool GetHttpDownloadsEnabled(bool* http_downloads_enabled) const = 0;
// Writes the value of au_p2p_enabled policy in
// |au_p2p_enabled|. Returns true on success.
virtual bool GetAuP2PEnabled(bool* au_p2p_enabled) const = 0;
// Writes the value of allow_kiosk_app_control_chrome_version policy in
// |allow_kiosk_app_control_chrome_version|. Returns true on success.
virtual bool GetAllowKioskAppControlChromeVersion(
bool* allow_kiosk_app_control_chrome_version) const = 0;
// Writes the value of the UsbDetachableWhitelist policy in |usb_whitelist|.
// Returns true on success.
virtual bool GetUsbDetachableWhitelist(
std::vector<UsbDeviceId>* usb_whitelist) const = 0;
// Writes the value of the kiosk app id into |app_id_out|.
// Only succeeds if the device is in auto-launched kiosk mode.
virtual bool GetAutoLaunchedKioskAppId(std::string* app_id_out) const = 0;
// Returns true if the policy data indicates that the device is enterprise
// managed. Note that this potentially could be faked by an exploit, therefore
// InstallAttributesReader must be used when tamper-proof evidence of the
// management state is required.
virtual bool IsEnterpriseManaged() const = 0;
// Writes the value of the DeviceSecondFactorAuthentication policy in
// |mode_out|. |mode_out| is one of the values from
// DeviceSecondFactorAuthenticationProto's U2fMode enum (e.g. DISABLED,
// U2F or U2F_EXTENDED). Returns true on success.
virtual bool GetSecondFactorAuthenticationMode(int* mode_out) const = 0;
// Writes the valid time intervals to |intervals_out|. These
// intervals are taken from the disallowed time intervals field in the
// AutoUpdateSettingsProto. Returns true if the intervals in the proto are
// valid.
virtual bool GetDisallowedTimeIntervals(
std::vector<WeeklyTimeInterval>* intervals_out) const = 0;
// Writes the value of the DeviceUpdateStagingPercentOfFleetPerWeek policy to
// |staging_schedule_out|. Returns true on success.
// Values are expected to be mononically increasing in the range of [0, 100].
// Each value describes the percentage of the fleet that is expected to
// receive an update per week, e.g. [5, 20, 30, 100] means that 5% of devices
// should be updated in the first week, 20% should be updated in the second
// week, and so on.
virtual bool GetDeviceUpdateStagingSchedule(
std::vector<int> *staging_schedule_out) const = 0;
private:
// Verifies that the policy signature is correct.
virtual bool VerifyPolicySignature() = 0;
DISALLOW_COPY_AND_ASSIGN(DevicePolicy);
};
} // namespace policy
#pragma GCC visibility pop
#endif // LIBBRILLO_POLICY_DEVICE_POLICY_H_
|
