Index: sandbox/src/restricted_token.cc |
=================================================================== |
--- sandbox/src/restricted_token.cc (revision 35541) |
+++ sandbox/src/restricted_token.cc (working copy) |
@@ -87,9 +87,13 @@ |
BOOL result = TRUE; |
HANDLE new_token = NULL; |
+ // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell |
+ // if a token has ben restricted given the limiations of IsTokenRestricted() |
+ // but it appears that in Windows 7 it hints the AppLocker subsystem to |
+ // leave us alone. |
if (deny_size || restrict_size || privileges_size) { |
result = ::CreateRestrictedToken(effective_token_, |
- 0, // No flags. |
+ SANDBOX_INERT, |
static_cast<DWORD>(deny_size), |
deny_only_array, |
static_cast<DWORD>(privileges_size), |