Adding method to create process using LowBox token in sandbox code.

sandbox/win/src/sandbox_policy_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/sandbox_policy_base.h"
 
-#include <sddl.h>
-
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/app_container.h"
 #include "sandbox/win/src/filesystem_dispatcher.h"
 #include "sandbox/win/src/filesystem_policy.h"
 #include "sandbox/win/src/handle_dispatcher.h"
 #include "sandbox/win/src/handle_policy.h"
 #include "sandbox/win/src/job.h"
@@ skipping 284 matching lines @@
 ResultCode PolicyBase::SetDelayedIntegrityLevel(
     IntegrityLevel integrity_level) {
   delayed_integrity_level_ = integrity_level;
   return SBOX_ALL_OK;
 }
 
 ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) {
   if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
     return SBOX_ALL_OK;
 
-  // Windows refuses to work with an impersonation token for a process inside
-  // an AppContainer. If the caller wants to use a more privileged initial
-  // token, or if the lockdown level will prevent the process from starting,
-  // we have to fail the operation.
-  if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
-    return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
-
   DCHECK(!appcontainer_list_.get());
   appcontainer_list_.reset(new AppContainerAttributes);
   ResultCode rv = appcontainer_list_->SetAppContainer(sid, capabilities_);
   if (rv != SBOX_ALL_OK)
     return rv;
 
   return SBOX_ALL_OK;
 }
 
 ResultCode PolicyBase::SetCapability(const wchar_t* sid) {
@@ skipping 140 matching lines @@
                                      SE_WINDOW_OBJECT,
                                      L"",
                                      GetIntegrityLevelString(integrity_level_));
     if (ERROR_SUCCESS != result)
       return SBOX_ERROR_GENERIC;
 
     alternate_desktop_integrity_level_label_ = integrity_level_;
   }
 
   if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
-    // Windows refuses to work with an impersonation token. See SetAppContainer
-    // implementation for more details.
-    if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
-      return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
+    NtCreateLowBoxToken CreateLowBox = NULL;
+    ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBox);
 
-    *initial = INVALID_HANDLE_VALUE;
-    return SBOX_ALL_OK;
+    HANDLE token_lowbox = NULL;
+    const SECURITY_CAPABILITIES& capabilities =
+        appcontainer_list_->GetCapabilities();
+
+    OBJECT_ATTRIBUTES obj_attr;
+    InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
+
+    NTSTATUS status = CreateLowBox(&token_lowbox,
+                                   *lockdown,
+                                   TOKEN_ALL_ACCESS,
+                                   &obj_attr,
+                                   capabilities.AppContainerSid,
+                                   capabilities.CapabilityCount,
+                                   capabilities.Capabilities,
+                                   0,
+                                   NULL);
+    if (!NT_SUCCESS(status)) {
+      return SBOX_ERROR_GENERIC;
+    }
+    DCHECK(token_lowbox);
+    ::CloseHandle(*lockdown);
+    *lockdown = token_lowbox;
   }
 
   // Create the 'better' token. We use this token as the one that the main
   // thread uses when booting up the process. It should contain most of
   // what we need (before reaching main( ))
   result = CreateRestrictedToken(initial, initial_level_,
                                  integrity_level_, IMPERSONATION);
   if (ERROR_SUCCESS != result) {
     ::CloseHandle(*lockdown);
     return SBOX_ERROR_GENERIC;
@@ skipping 243 matching lines @@
       break;
     }
 
     default: { return SBOX_ERROR_UNSUPPORTED; }
   }
 
   return SBOX_ALL_OK;
 }
 
 }  // namespace sandbox