Chromium Code Reviews

Unified Diff: sandbox/win/src/sandbox_policy_base.cc

Issue 937353002: Adding method to create process using LowBox token in sandbox code. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Added platform checking Created 5 years, 10 months ago
Index: sandbox/win/src/sandbox_policy_base.cc
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
index d3c920e6429c0e7119a34d423747ec921113603e..bb7dff6da9bfa9e4648aafd73cb7af30d9a0a410 100644
--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
@@ -310,13 +310,6 @@ ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) {
if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
return SBOX_ALL_OK;
- // Windows refuses to work with an impersonation token for a process inside
- // an AppContainer. If the caller wants to use a more privileged initial
- // token, or if the lockdown level will prevent the process from starting,
- // we have to fail the operation.
- if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
- return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
-
DCHECK(!appcontainer_list_.get());
appcontainer_list_.reset(new AppContainerAttributes);
ResultCode rv = appcontainer_list_->SetAppContainer(sid, capabilities_);
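Review bot: With the `lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_` check removed, SetAppContainer accepts every lockdown/initial level combination, and the comment explaining that Windows refuses an impersonation token for a process inside an AppContainer is deleted with nothing in its place. Add a short comment here saying why that restriction no longer applies (the matching check in MakeTokens is removed in the same patch), or keep a narrower check if some level combinations still cannot start the process.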
@@ -477,13 +470,30 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
}
if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
- // Windows refuses to work with an impersonation token. See SetAppContainer
- // implementation for more details.
- if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
- return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
-
- *initial = INVALID_HANDLE_VALUE;
- return SBOX_ALL_OK;
+ NtCreateLowBoxToken CreateLowBox = NULL;
+ ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBox);
+
+ HANDLE token_lowbox = NULL;
+ const SECURITY_CAPABILITIES& capabilities =
+ appcontainer_list_->GetCapabilities();
+
+ OBJECT_ATTRIBUTES obj_attr;
+ InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
+
+ NTSTATUS status = CreateLowBox(&token_lowbox,
+ *lockdown,
+ TOKEN_ALL_ACCESS,
rvargas (doing something else) 2015/02/21 01:01:22 Just curious, any idea what this does?
Shrikant Kelkar 2015/02/21 02:32:41 Not sure, but guess is that it will open and retur
rvargas (doing something else) 2015/02/24 01:01:49 Do we need ALL_ACCESS?
+ &obj_attr,
+ capabilities.AppContainerSid,
+ capabilities.CapabilityCount,
+ capabilities.Capabilities,
+ 0,
+ NULL);
+ if (!NT_SUCCESS(status) && token_lowbox == NULL) {
rvargas (doing something else) 2015/02/21 01:01:22 || !token_lowbox?. An && implies that if the funct
Shrikant Kelkar 2015/02/21 02:32:41 Done.
+ return SBOX_ERROR_GENERIC;
+ }
+ ::CloseHandle(*lockdown);
+ *lockdown = token_lowbox;
}
// Create the 'better' token. We use this token as the one that the main
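Review bot: The failure test `if (!NT_SUCCESS(status) && token_lowbox == NULL)` returns an error only when both conditions hold, so a failed status with a non-NULL handle, or a success status with a NULL handle, falls through to `::CloseHandle(*lockdown)` and `*lockdown = token_lowbox`. Use `||`, or test the status alone. In the same block, `CreateLowBox` is initialised to NULL and called right after `ResolveNTFunctionPtr` with no visible check that the lookup succeeded; check the pointer before the call, or say in a comment that the helper does not return on failure. A comment naming the trailing `0, NULL` arguments and the reason for `TOKEN_ALL_ACCESS` would also help, since this branch now continues on to create the initial token instead of setting `*initial = INVALID_HANDLE_VALUE`.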
