Sandbox policy and intercepts for the MITIGATION_WIN32K_DISABLE policy for renderer processes.

content/common/sandbox_win.cc

Index: content/common/sandbox_win.cc
diff --git a/content/common/sandbox_win.cc b/content/common/sandbox_win.cc
index 9432d2493081bd9839fa838b814c095c69366cde..18b30e2963cd5afc568bc839868238037fd4146b 100644
--- a/content/common/sandbox_win.cc
+++ b/content/common/sandbox_win.cc
@@ -333,7 +333,6 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
 #endif  // NDEBUG
 
   AddGenericDllEvictionPolicy(policy);
-
   return true;
 }
 
@@ -614,8 +613,13 @@ base::ProcessHandle StartSandboxedProcess(
      type_str == switches::kRendererProcess &&
      browser_command_line.HasSwitch(
         switches::kEnableWin32kRendererLockDown)) {
-   mitigations |= sandbox::MITIGATION_WIN32K_DISABLE;
- }
+    if (policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
+                        sandbox::TargetPolicy::FAKE_USER_GDI_INIT,
+                        NULL) != sandbox::SBOX_ALL_OK) {
+      return 0;
+    }
+    mitigations |= sandbox::MITIGATION_WIN32K_DISABLE;
+  }
 
   if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
     return 0;