Fix for running Chrome under a service token.

sandbox/win/src/restricted_token_unittest.cc

Index: sandbox/win/src/restricted_token_unittest.cc
diff --git a/sandbox/win/src/restricted_token_unittest.cc b/sandbox/win/src/restricted_token_unittest.cc
index b0647dc3d6f25f85eaf2607ef5603a8196f65c23..391432e5d308d1b231d4b6772a1591fcb7a0c6b9 100644
--- a/sandbox/win/src/restricted_token_unittest.cc
+++ b/sandbox/win/src/restricted_token_unittest.cc
@@ -640,4 +640,23 @@ TEST(RestrictedTokenTest, DoubleInit) {
   ASSERT_EQ(static_cast<DWORD>(ERROR_ALREADY_INITIALIZED), token.Init(NULL));
 }
 
+TEST(RestrictedTokenTest, LockdownDefaultDaclNoLogonSid) {
+  ATL::CAccessToken anonymous_token;
+  ASSERT_TRUE(::ImpersonateAnonymousToken(::GetCurrentThread()));
+  ASSERT_TRUE(anonymous_token.GetThreadToken(TOKEN_ALL_ACCESS));
+  ::RevertToSelf();
+  ATL::CSid logon_sid;
+  // Verify that the anonymous token doesn't have the logon sid.
+  ASSERT_FALSE(anonymous_token.GetLogonSid(&logon_sid));
+
+  RestrictedToken token;
+  ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),

[Will Harris, 2016/06/13 16:22:36]

nit, apparently the latest coding standard for casting like this is to use c++11
brace initialization

DWORD{ERROR_SUCCESS}

https://google.github.io/styleguide/cppguide.html#Casting

+            token.Init(anonymous_token.GetHandle()));
+  token.SetLockdownDefaultDacl();
+
+  base::win::ScopedHandle handle;
+  ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
+            token.GetRestrictedToken(&handle));
+}
+
 }  // namespace sandbox