Adding method to create process using LowBox token in sandbox code.

sandbox/win/src/app_container.h

Index: sandbox/win/src/app_container.h
diff --git a/sandbox/win/src/app_container.h b/sandbox/win/src/app_container.h
index 8125d706fb4addab8d9b43a5db37d723dd9cfaae..82bce0004ff9c4171ffe5d7b644cae1ec02c399f 100644
--- a/sandbox/win/src/app_container.h
+++ b/sandbox/win/src/app_container.h
@@ -32,16 +32,12 @@ class AppContainerAttributes {
   ResultCode SetAppContainer(const base::string16& app_container_sid,
                              const std::vector<base::string16>& capabilities);
 
-  // Updates the proc_thred attribute list of the provided startup_information
-  // with the app container related data.
-  // WARNING: startup_information just points back to our internal memory, so
-  // the lifetime of this object has to be greater than the lifetime of the
-  // provided startup_information.
-  ResultCode ShareForStartup(

[rvargas (doing something else), 2015/02/27 20:16:34]

I know I asked you to remove this, but after talking with cpu yesterday we
concluded it was better to keep the old code as it was, at least for a while
(especially after the realization that the lowbox token is not really related
with a regular AppContainer).

How about we separate the two concepts so that:

SetAppContainer() is needed for a normal AppContainer
HasAppcontainer() returns true for that normal AppContainer (and false for
lowbox)

SetLowBox(app_container_sid) is what we use for the lowbox path
HasLowBox() as named

GetCapabilities() works for both cases.

----------

This means that TargetPolicy gains a new method besides SetAppContainer:
SetLowBox(sid)... and we enforce that lowbox and appcontainer policies are
mutually exclusive.

Another option would be not to add SetLowBox() and instead redefine TokenLevel
to have something below USER_LOCKDOWN... that seems actually cleaner but a
little more dangerous so we can just leave that for later.

-      base::win::StartupInformation* startup_information) const;
-
   bool HasAppContainer() const;
 
+  // Returns security capabilities structure, which is populated when you call
+  // SetAppContainer.
+  const SECURITY_CAPABILITIES& GetCapabilities() const;
+
  private:
   SECURITY_CAPABILITIES capabilities_;
   std::vector<SID_AND_ATTRIBUTES> attributes_;