Added a policy option to restrict the default DACL for tokens.

sandbox/win/src/acl.h

Index: sandbox/win/src/acl.h
diff --git a/sandbox/win/src/acl.h b/sandbox/win/src/acl.h
index b5021e7be8655cbebad04e6f007e69f00fef0bee..503fc5168cec9e16ebd26365043af19e843c13e2 100644
--- a/sandbox/win/src/acl.h
+++ b/sandbox/win/src/acl.h
@@ -24,10 +24,24 @@ bool GetDefaultDacl(
 bool AddSidToDacl(const Sid& sid, ACL* old_dacl, ACCESS_MODE access_mode,
                   ACCESS_MASK access, ACL** new_dacl);
 
-// Adds and ACE represented by |sid| and |access| to the default dacl present
+// Adds an ACE represented by |sid| and |access| to the default dacl present
 // in the token.
 bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access);
 
+// Adds an ACE represented by |sid| and |access| with |access_mode| to the
+// default dacl present in the token.
+bool AddSidToDefaultDacl(HANDLE token,

[Will Harris, 2016/03/27 01:20:05]

are there really that many users of AddSidToDefaultDacl that they can't just
always use the four parameter function?

[forshaw, 2016/03/28 16:40:31]

Done.

+                         const Sid& sid,
+                         ACCESS_MODE access_mode,
+                         ACCESS_MASK access);
+
+// Adds a deny ACE represented by |sid| and |access| to the default dacl
+// present in the token.
+bool AddDenySidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access);
+
+// Revokes access to the logon SID for the default dacl present in the token.
+bool RevokeLogonSidFromDefaultDacl(HANDLE token);
+
 // Adds an ACE represented by the user sid and |access| to the default dacl
 // present in the token.
 bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access);