Sandbox: Add support for file system policies that use implied device paths.

sandbox/win/src/filesystem_policy.cc

Index: sandbox/win/src/filesystem_policy.cc
diff --git a/sandbox/win/src/filesystem_policy.cc b/sandbox/win/src/filesystem_policy.cc
index 1ce21c8c20bffa55bc16471cd76a4f563c795a1a..1daf11b46eae5f6290f30d8f207e72faa7c2993b 100644
--- a/sandbox/win/src/filesystem_policy.cc
+++ b/sandbox/win/src/filesystem_policy.cc
@@ -8,6 +8,7 @@
 
 #include "base/logging.h"
 #include "base/win/scoped_handle.h"
+#include "base/win/windows_version.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_engine_opcodes.h"
 #include "sandbox/win/src/policy_params.h"
@@ -78,9 +79,7 @@ bool FileSystemPolicy::GenerateRules(const wchar_t* name,
     return false;
   }
 
-  // Don't do any pre-processing if the name starts like the the native
-  // object manager style.
-  if (0 != _wcsnicmp(mod_name.c_str(), kNTObjManPrefix, kNTObjManPrefixLen)) {
+  if (base::win::GetVersion() >= base::win::VERSION_WIN7) {
     // TODO(cpu) bug 32224: This prefix add is a hack because we don't have the
     // infrastructure to normalize names. In any case we need to escape the
     // question marks.
@@ -90,8 +89,14 @@ bool FileSystemPolicy::GenerateRules(const wchar_t* name,
       return false;
     }
 
-    mod_name = FixNTPrefixForMatch(mod_name);
-    name = mod_name.c_str();
+    if (_wcsnicmp(mod_name.c_str(), kNTDevicePrefix, kNTDevicePrefixLen)) {
+      mod_name = FixNTPrefixForMatch(mod_name);
+      name = mod_name.c_str();
+    }
+  } else if (!_wcsnicmp(mod_name.c_str(), kNTDevicePrefix,
+                        kNTDevicePrefixLen)) {
+    // Device paths in policy are not supported before Windows 7.
+    return false;
   }
 
   EvalResult result = ASK_BROKER;