Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(120)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/src/restricted_token.cc

Issue 550029: Merge 35990 - Try the SANDOX_INERT flag in CreateRestrictedToken... (Closed) Base URL: svn://svn.chromium.org/chrome/branches/249/src/
Patch Set: Created 10 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/src/restricted_token.cc
===================================================================
--- sandbox/src/restricted_token.cc (revision 36130)
+++ sandbox/src/restricted_token.cc (working copy)
@@ -87,9 +87,13 @@
BOOL result = TRUE;
HANDLE new_token = NULL;
+ // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell
+ // if a token has ben restricted given the limiations of IsTokenRestricted()
+ // but it appears that in Windows 7 it hints the AppLocker subsystem to
+ // leave us alone.
if (deny_size || restrict_size || privileges_size) {
result = ::CreateRestrictedToken(effective_token_,
- 0, // No flags.
+ SANDBOX_INERT,
static_cast<DWORD>(deny_size),
deny_only_array,
static_cast<DWORD>(privileges_size),
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698