authorjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-03-06 14:11:30 +0000
committerjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-03-06 14:11:30 +0000
commit4cff9433e782328e7743c425e91f8a2a8edcc843 (patch)
treed9d2fe2939a8f4cadb0f8291aaf04433b95a39d6 /sandbox/win
parentafb0fa38a076c4240ed1c6d931e249af7f68444f (diff)
Don't modify the alternate winstation DACL
Turns out the DACL won't apply in most cases, and may run some risk of bad interactions with third-party software. It's also mostly redundant given the existing job and desktop restrictions. BUG=346586 R=cpu TBR=cpu Review URL: https://codereview.chromium.org/186483005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@255338 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/win')
-rw-r--r--sandbox/win/src/window.cc14
1 files changed, 1 insertions, 13 deletions
diff --git a/sandbox/win/src/window.cc b/sandbox/win/src/window.cc
index a448b59f..b8d6358 100644
--- a/sandbox/win/src/window.cc
+++ b/sandbox/win/src/window.cc
@@ -48,20 +48,8 @@ ResultCode CreateAltWindowStation(HWINSTA* winsta) {
*winsta = ::CreateWindowStationW(NULL, 0, WINSTA_ALL_ACCESS, &attributes);
LocalFree(attributes.lpSecurityDescriptor);
- if (*winsta) {
- // Replace the DACL on the new Winstation with a reduced privilege version.
- // We can soft fail on this for now, as it's just an extra mitigation.
- static const ACCESS_MASK kWinstaDenyMask = DELETE | WRITE_DAC |
- WRITE_OWNER |
- WINSTA_ACCESSCLIPBOARD |
- WINSTA_CREATEDESKTOP |
- WINSTA_ENUMDESKTOPS |
- WINSTA_ENUMERATE |
- WINSTA_EXITWINDOWS;
- AddKnownSidToObject(*winsta, SE_WINDOW_OBJECT, Sid(WinRestrictedCodeSid),
- DENY_ACCESS, kWinstaDenyMask);
+ if (*winsta)
return SBOX_ALL_OK;
- }
return SBOX_ERROR_CANNOT_CREATE_WINSTATION;
}
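Review bot: The new `if (*winsta)` branch leaves no record in the code that the alternate window station deliberately keeps the security descriptor passed in `attributes`, with no deny ACE for the restricted SID. The rationale lives only in the commit message, so a later maintainer could re-add the DACL change as a "missing" mitigation. A short comment above the check would record the decision, for example `// The winstation DACL is intentionally left as created; isolation relies on the job and desktop restrictions (see bug 346586).` Separately, if `AddKnownSidToObject` has no remaining callers in this file, the helper and any header pulled in only for it may now be unused; that is not visible from this hunk. The body of CreateAltWindowStation starts before the hunk, so how `attributes` is built cannot be checked here.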