Added a policy option to restrict the default DACL for tokens.

sandbox/win/src/restricted_token.h

Index: sandbox/win/src/restricted_token.h
diff --git a/sandbox/win/src/restricted_token.h b/sandbox/win/src/restricted_token.h
index d302f86da6b190a86ac43ac992ecc4160941333d..584cd3ad6dbb65123a2985574cabba63cd7721eb 100644
--- a/sandbox/win/src/restricted_token.h
+++ b/sandbox/win/src/restricted_token.h
@@ -168,6 +168,10 @@ class RestrictedToken {
   // level cannot be higher than your current integrity level.
   DWORD SetIntegrityLevel(IntegrityLevel integrity_level);
 
+  // Set a flag which indicates the created token should have a locked down
+  // default DACL when created.
+  void SetLockdownDefaultDacl();
+
  private:
   // The list of restricting sids in the restricted token.
   std::vector<Sid> sids_to_restrict_;
@@ -181,6 +185,8 @@ class RestrictedToken {
   IntegrityLevel integrity_level_;
   // Tells if the object is initialized or not (if Init() has been called)
   bool init_;
+  // Lockdown the default DACL when creating new tokens.
+  bool lockdown_default_dacl_;
 
   DISALLOW_COPY_AND_ASSIGN(RestrictedToken);
 };