Added a policy option to restrict the default DACL for tokens.

sandbox/win/src/restricted_token_utils.h

Index: sandbox/win/src/restricted_token_utils.h
diff --git a/sandbox/win/src/restricted_token_utils.h b/sandbox/win/src/restricted_token_utils.h
index b4e4fded95604b1167b3bad6d3c206478cb129c3..1e312909bea464f75bde153d68cdfb7615d28efe 100644
--- a/sandbox/win/src/restricted_token_utils.h
+++ b/sandbox/win/src/restricted_token_utils.h
@@ -30,12 +30,16 @@ enum TokenType {
 // |integrity level| on Vista only.
 // |token| is the output value containing the handle of the newly created
 // restricted token.
+// |lockdown_default_dacl| indicates the token's default DACL should be locked
+// down to restrict what other process can open kernel resources created while
+// running under the token.
 // If the function succeeds, the return value is ERROR_SUCCESS. If the
 // function fails, the return value is the win32 error code corresponding to
 // the error.
 DWORD CreateRestrictedToken(TokenLevel security_level,
                             IntegrityLevel integrity_level,
                             TokenType token_type,
+                            bool lockdown_default_dacl,
                             base::win::ScopedHandle* token);
 
 // Sets the integrity label on a object handle.