Bug 1829197 - Add support for deleting PKCS #11 modules via policy. r…

…=keeler,fluent-reviewers,flod Differential Revision: https://phabricator.services.mozilla.com/D176078
mozilla · Apr 24, 2023 · d8e47b1 · d8e47b1
1 parent e6baacb
commit d8e47b1
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 3 deletions.
diff --git a/browser/components/enterprisepolicies/Policies.sys.mjs b/browser/components/enterprisepolicies/Policies.sys.mjs
@@ -2151,10 +2151,31 @@ export var Policies = {
 
   SecurityDevices: {
     onProfileAfterChange(manager, param) {
-      let securityDevices = param;
       let pkcs11db = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
         Ci.nsIPKCS11ModuleDB
       );
+      let securityDevices;
+      if (param.Add || param.Delete) {
+        // We're using the new syntax.
+        securityDevices = param.Add;
+        if (param.Delete) {
+          for (let deviceName of param.Delete) {
+            try {
+              pkcs11db.deleteModule(deviceName);
+            } catch (e) {
+              // Ignoring errors here since it might stick around in policy
+              // after removing. Alternative would be to listModules and
+              // make sure it's there before removing, but that seems
+              // like unnecessary work.
+            }
+          }
+        }
+      } else {
+        securityDevices = param;
+      }
+      if (!securityDevices) {
+        return;
+      }
       for (let deviceName in securityDevices) {
         let foundModule = false;
         for (let module of pkcs11db.listModules()) {

diff --git a/browser/components/enterprisepolicies/content/aboutPolicies.js b/browser/components/enterprisepolicies/content/aboutPolicies.js
@@ -294,6 +294,7 @@ function generateDocumentation() {
     Permissions: "Permissions2",
     SanitizeOnShutdown: "SanitizeOnShutdown2",
     WindowsSSO: "Windows10SSO",
+    SecurityDevices: "SecurityDevices2",
   };
 
   for (let policyName in schema.properties) {

diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json
@@ -1278,6 +1278,20 @@
       "type": "object",
       "patternProperties": {
         "^.*$": { "type": "string" }
+      },
+      "properties": {
+        "Add": {
+          "type": "object",
+          "patternProperties": {
+            "^.*$": { "type": "string" }
+          }
+        },
+        "Delete": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
       }
     },
 

diff --git a/browser/locales/en-US/browser/policies/policies-descriptions.ftl b/browser/locales/en-US/browser/policies/policies-descriptions.ftl
@@ -196,8 +196,8 @@ policy-SearchEngines = Configure search engine settings. This policy is only ava
 
 policy-SearchSuggestEnabled = Enable or disable search suggestions.
 
-# For more information, see https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Installation
-policy-SecurityDevices = Install PKCS #11 modules.
+# For more information, see https://wikipedia.org/wiki/PKCS_11
+policy-SecurityDevices2 = Add or delete PKCS #11 modules.
 
 policy-ShowHomeButton = Show the home button on the toolbar.