Fix for running Chrome under a service token.

sandbox/win/src/restricted_token_unittest.cc

Index: sandbox/win/src/restricted_token_unittest.cc
diff --git a/sandbox/win/src/restricted_token_unittest.cc b/sandbox/win/src/restricted_token_unittest.cc
index b0647dc3d6f25f85eaf2607ef5603a8196f65c23..9643fbe12217dc6bcd4adb19dc507319fa2df72a 100644
--- a/sandbox/win/src/restricted_token_unittest.cc
+++ b/sandbox/win/src/restricted_token_unittest.cc
@@ -640,4 +640,21 @@ TEST(RestrictedTokenTest, DoubleInit) {
   ASSERT_EQ(static_cast<DWORD>(ERROR_ALREADY_INITIALIZED), token.Init(NULL));
 }
 
+TEST(RestrictedTokenTest, LockdownDefaultDaclNoLogonSid) {
+  ATL::CAccessToken anonymous_token;
+  ASSERT_TRUE(::ImpersonateAnonymousToken(::GetCurrentThread()));
+  ASSERT_TRUE(anonymous_token.GetThreadToken(TOKEN_ALL_ACCESS));
+  ::RevertToSelf();
+  ATL::CSid logon_sid;
+  // Verify that the anonymous token doesn't have the logon sid.
+  ASSERT_FALSE(anonymous_token.GetLogonSid(&logon_sid));
+
+  RestrictedToken token;
+  ASSERT_EQ(DWORD{ERROR_SUCCESS}, token.Init(anonymous_token.GetHandle()));
+  token.SetLockdownDefaultDacl();
+
+  base::win::ScopedHandle handle;
+  ASSERT_EQ(DWORD{ERROR_SUCCESS}, token.GetRestrictedToken(&handle));
+}
+
 }  // namespace sandbox