Added a new process mitigation to harden process token IL policy.

sandbox/win/src/process_mitigations.cc

Index: sandbox/win/src/process_mitigations.cc
diff --git a/sandbox/win/src/process_mitigations.cc b/sandbox/win/src/process_mitigations.cc
index 80e428483052b606211c977572ea57bb13d9255b..904365d79bb98a7f801362538dee918571b39848 100644
--- a/sandbox/win/src/process_mitigations.cc
+++ b/sandbox/win/src/process_mitigations.cc
@@ -8,6 +8,7 @@
 
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/nt_internals.h"
+#include "sandbox/win/src/restricted_token_utils.h"
 #include "sandbox/win/src/win_utils.h"
 
 namespace {
@@ -59,6 +60,13 @@ bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) {
     }
   }
 
+  if (version >= base::win::VERSION_VISTA &&

[cpu_(ooo_6.6-7.5), 2014/12/18 21:05:36]

if you don't mind start at win7. we have very poor coverage for vista and the
fallout is usually directly to me.

[forshaw, 2014/12/19 08:30:00]

Done.

+      (flags & MITIGATION_HARDEN_TOKEN_IL_POLICY)) {
+      DWORD error = HardenProcessIntegrityLevelPolicy();
+      if ((error != ERROR_SUCCESS) && (error != ERROR_ACCESS_DENIED))
+        return false;
+  }
+
 #if !defined(_WIN64)  // DEP is always enabled on 64-bit.
   if (flags & MITIGATION_DEP) {
     DWORD dep_flags = PROCESS_DEP_ENABLE;
@@ -309,7 +317,8 @@ bool CanSetProcessMitigationsPostStartup(MitigationFlags flags) {
                      MITIGATION_BOTTOM_UP_ASLR |
                      MITIGATION_STRICT_HANDLE_CHECKS |
                      MITIGATION_EXTENSION_DLL_DISABLE |
-                     MITIGATION_DLL_SEARCH_ORDER));
+                     MITIGATION_DLL_SEARCH_ORDER |
+                     MITIGATION_HARDEN_TOKEN_IL_POLICY));
 }
 
 bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) {