sandbox/src/restricted_token.cc - Issue 541018: Try the SANDOX_INERT flag in CreateRestrictedToken... - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(1038)

My Issues | Starred Open | Closed | All

Unified Diff: sandbox/src/restricted_token.cc

Issue 541018: Try the SANDOX_INERT flag in CreateRestrictedToken... (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/

Patch Set: Created 10 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: sandbox/src/restricted_token.cc

===================================================================

--- sandbox/src/restricted_token.cc (revision 35541)

+++ sandbox/src/restricted_token.cc (working copy)

@@ -87,9 +87,13 @@

BOOL result = TRUE;

HANDLE new_token = NULL;

+ // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell

+ // if a token has ben restricted given the limiations of IsTokenRestricted()

+ // but it appears that in Windows 7 it hints the AppLocker subsystem to

+ // leave us alone.

if (deny_size || restrict_size || privileges_size) {

result = ::CreateRestrictedToken(effective_token_,

- 0, // No flags.

+ SANDBOX_INERT,

static_cast<DWORD>(deny_size),

deny_only_array,

static_cast<DWORD>(privileges_size),

« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine

This is Rietveld 408576698