ONC-provided trust roots should be available in kiosk and AD user sessions
Issue description: This line of code is overly restrictive: https://cs.chromium.org/chromium/src/chrome/browser/chromeos/policy/user_network_configuration_updater_factory.cc?rcl=c4cb0d38f0bd26578120775e9c09be813b5215c0&l=75. We should probably only exclude certs from public sessions (and possibly add a comment that we should remove that restriction entirely when we fix https://bugs.chromium.org/p/chromium/issues/detail?id=572103).
Apr 26 2017
Can you clarify Kiosk/AD user scenarios? In particular, where I'm going is that if we're talking about concurrent profiles, there's risk. If there's only one of these active at a time, that risk is minimized. I just want to make sure we get that part absolutely right, as the failure mode is not pretty due to NSS's internal global shared structures :)
Apr 26 2017
Apr 27 2017
Kiosk does not have concurrent users - the sign-in screen is skipped and the policy-configured kiosk app is displayed. AD: I'm not sure - but would https://cs.chromium.org/chromium/src/chrome/browser/chromeos/login/users/multi_profile_user_controller.cc?rcl=6ad875d22992e6bf124245d186ac9e19fdfafb96&l=148 and https://cs.chromium.org/chromium/src/chrome/browser/chromeos/policy/policy_cert_service.cc?rcl=6ad875d22992e6bf124245d186ac9e19fdfafb96&l=78 not reduce the multi-profile risk? After all, regular users are also allowed for multi-profile at the moment, so I don't understand the difference. Thank you!
Apr 27 2017
It's a moot point since we aren't supporting multi-login for AD users. In theory it should be OK as Pavol says because the security/privacy surface is identical between AD and Gaia users, but we can skip that conversation since there's no multi-login.
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9258f1b1b8e234f289aaf7bd2031c208ecca58ce

commit 9258f1b1b8e234f289aaf7bd2031c208ecca58ce
Author: pmarko <pmarko@chromium.org>
Date: Thu May 18 19:29:38 2017

Enable policy-imported root CA certificates for kiosk and AD sessions

This CL enables root CA certificates pushed through user ONC policy for kiosk and AD sessions. They are not enabled for public sessions.

BUG= 715460
Review-Url: https://codereview.chromium.org/2862003002
Cr-Commit-Position: refs/heads/master@{#472901}

[modify] https://crrev.com/9258f1b1b8e234f289aaf7bd2031c208ecca58ce/chrome/browser/chromeos/policy/user_network_configuration_updater_factory.cc
[modify] https://crrev.com/9258f1b1b8e234f289aaf7bd2031c208ecca58ce/chrome/browser/chromeos/policy/user_network_configuration_updater_factory.h
[add] https://crrev.com/9258f1b1b8e234f289aaf7bd2031c208ecca58ce/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/9258f1b1b8e234f289aaf7bd2031c208ecca58ce/chrome/test/BUILD.gn
[add] https://crrev.com/9258f1b1b8e234f289aaf7bd2031c208ecca58ce/chromeos/test/data/network/ok_cert.pem
[add] https://crrev.com/9258f1b1b8e234f289aaf7bd2031c208ecca58ce/chromeos/test/data/network/root-ca-cert.onc
May 19 2017
Jul 6 2017
Aug 1 2017
Jan 22 2018
Apr 2 2018
Apr 2 2018
Apr 19 2018
Verified that a user is able to push certificates using ONC policy on veyron tiger on M66 10452.69.0.
Apr 23 2018
Also verified for AD sessions (see attached screenshot) on M67 (10575.12.0, 67.0.3396.16) and M68 (10610.0.0, 68.0.3404.0). Device: Santa
Comment 1 by pmarko@chromium.org, Apr 26 2017