Sandbox: Make CreateRestrictedToken return a ScopedHandle.

sandbox/win/src/sandbox_policy_base.cc

Index: sandbox/win/src/sandbox_policy_base.cc
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
index fcc4a7c651acd5f600279d2e2290f77bf05aa0c9..12f72d5b6ed8aa8e09913fc991bdf094e68d5b03 100644
--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
@@ -550,14 +550,11 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
 
   // Create the 'naked' token. This will be the permanent token associated
   // with the process and therefore with any thread that is not impersonating.
-  HANDLE temp_handle;
-  DWORD result = CreateRestrictedToken(&temp_handle, lockdown_level_,
-                                       integrity_level_, PRIMARY);
+  DWORD result = CreateRestrictedToken(lockdown_level_,  integrity_level_,
+                                       PRIMARY, lockdown);
   if (ERROR_SUCCESS != result)
     return SBOX_ERROR_GENERIC;
 
-  lockdown->Set(temp_handle);
-
   // If we're launching on the alternate desktop we need to make sure the
   // integrity label on the object is no higher than the sandboxed process's
   // integrity level. So, we lower the label on the desktop process if it's
@@ -622,12 +619,11 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
   // Create the 'better' token. We use this token as the one that the main
   // thread uses when booting up the process. It should contain most of
   // what we need (before reaching main( ))
-  result = CreateRestrictedToken(&temp_handle, initial_level_,
-                                 integrity_level_, IMPERSONATION);
+  result = CreateRestrictedToken(initial_level_, integrity_level_,
+                                 IMPERSONATION, initial);
   if (ERROR_SUCCESS != result)
     return SBOX_ERROR_GENERIC;
 
-  initial->Set(temp_handle);
   return SBOX_ALL_OK;
 }