-rw-r--r-- | sandbox/src/restricted_token.cc | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sandbox/src/restricted_token.cc b/sandbox/src/restricted_token.cc
index 09d255f..ed6279b 100644
--- a/sandbox/src/restricted_token.cc
+++ b/sandbox/src/restricted_token.cc
@@ -87,9 +87,13 @@ unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const {
 BOOL result = TRUE;
 HANDLE new_token = NULL;
+ // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell
+ // if a token has ben restricted given the limiations of IsTokenRestricted()
+ // but it appears that in Windows 7 it hints the AppLocker subsystem to
+ // leave us alone.
 if (deny_size || restrict_size || privileges_size) {
 result = ::CreateRestrictedToken(effective_token_,
- 0, // No flags.
+ SANDBOX_INERT,
 static_cast<DWORD>(deny_size),
 deny_only_array,
 static_cast<DWORD>(privileges_size), |
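Review bot: The new comment above the `if` describes `SANDBOX_INERT` as something that "appears" to hint AppLocker, but Microsoft's CreateRestrictedToken documentation describes the flag as turning off Software Restriction Policy and AppLocker rule checks for the resulting token. Since the flag is now passed on every call that reaches `::CreateRestrictedToken`, the sandboxed (less trusted) process is exempted from administrator-defined application control. The comment should record that as a deliberate trade-off, for example `// SANDBOX_INERT: the token is exempt from SRP/AppLocker rule checks (see CreateRestrictedToken docs); intentional.` The same documentation indicates that on some patched Windows 7 systems the flag is ignored unless the caller is highly privileged, so it is worth confirming that nothing depends on the flag taking effect. The comment also misspells `ben` and `limiations`, and the body of GetRestrictedTokenHandle starts and ends outside this hunk.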