Index: sandbox/win/src/broker_services.cc |
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc |
index 8fa7f0d655168a5427287a72228c8f036c4646e4..8a29f9ba6aa7d3e39a1a58dff899881448649f83 100644 |
--- a/sandbox/win/src/broker_services.cc |
+++ b/sandbox/win/src/broker_services.cc |
@@ -349,6 +349,9 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, |
// This downcast is safe as long as we control CreatePolicy() |
PolicyBase* policy_base = static_cast<PolicyBase*>(policy); |
+ if (policy_base->GetAppContainer() && policy_base->GetLowBoxSid()) |
+ return SBOX_ERROR_BAD_PARAMS; |
+ |
// Construct the tokens and the job object that we are going to associate |
// with the soon to be created target process. |
HANDLE initial_token_temp; |
@@ -482,6 +485,7 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, |
thread_pool_); |
DWORD win_result = target->Create(exe_path, command_line, inherit_handles, |
+ policy_base->GetLowBoxSid() ? true : false, |
startup_info, &process_info); |
if (ERROR_SUCCESS != win_result) |
return SpawnCleanup(target, win_result); |