authorcpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-01-12 02:54:30 +0000
committercpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-01-12 02:54:30 +0000
commitd43a385b95751e8e85d68f41a979d575372b08e1 (patch)
tree766f3815bd5a8ff54c3099b7c28fb93fb95b199d /sandbox
parent9bfc63e0edac4526a7f08618b63284f00d5156f7 (diff)
Try the SANDOX_INERT flag in CreateRestrictedToken
- It might help with the AppLocker problem. See bug below. BUG=10576 TEST=existing tests suffice Review URL: http://codereview.chromium.org/541018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35990 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/src/restricted_token.cc6
1 files changed, 5 insertions, 1 deletions
diff --git a/sandbox/src/restricted_token.cc b/sandbox/src/restricted_token.cc
index 09d255f..ed6279b 100644
--- a/sandbox/src/restricted_token.cc
+++ b/sandbox/src/restricted_token.cc
@@ -87,9 +87,13 @@ unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const {
BOOL result = TRUE;
HANDLE new_token = NULL;
+ // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell
+ // if a token has ben restricted given the limiations of IsTokenRestricted()
+ // but it appears that in Windows 7 it hints the AppLocker subsystem to
+ // leave us alone.
if (deny_size || restrict_size || privileges_size) {
result = ::CreateRestrictedToken(effective_token_,
- 0, // No flags.
+ SANDBOX_INERT,
static_cast<DWORD>(deny_size),
deny_only_array,
static_cast<DWORD>(privileges_size),
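Review bot: The added comment above the `if` calls `SANDBOX_INERT` a hint, but Microsoft documents the flag as making the system skip AppLocker and Software Restriction Policy rule checks for the resulting token, so every restricted token built on this path now opts out of the administrator's application-control policy. State that trade-off in the comment, for example `// SANDBOX_INERT exempts this token from SRP/AppLocker rule checks; needed for BUG=10576.`, and fix the typos `ben` and `limiations` while there. As far as I recall, later Windows servicing ignores the flag unless the caller is LocalSystem or TrustedInstaller, so the workaround may silently stop applying; "existing tests suffice" would not detect that. GetRestrictedTokenHandle's body starts and ends outside the hunk, so how `result` is handled afterwards is not visible here.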