Adding method to create process using LowBox token in sandbox code.

sandbox/win/src/sid.cc

Index: sandbox/win/src/sid.cc
diff --git a/sandbox/win/src/sid.cc b/sandbox/win/src/sid.cc
index 261605d547b99cf303913e72943125f71991dee6..8bd817320cb3bc7e3454630bc19ea10d6d4d1a77 100644
--- a/sandbox/win/src/sid.cc
+++ b/sandbox/win/src/sid.cc
@@ -4,15 +4,20 @@
 
 #include "sandbox/win/src/sid.h"
 
+#include <objbase.h>
+#include <sddl.h>
+
 #include "base/logging.h"
 
 namespace sandbox {
 
-Sid::Sid(const SID *sid) {
+Sid::Sid(const SID *sid)
+    : unique_sub_auth_sid_(NULL) {

[forshaw, 2015/02/23 13:32:29]

unique_sub_auth_sid_ never actually used.

[Shrikant Kelkar, 2015/02/23 17:54:01]

Done.

   ::CopySid(SECURITY_MAX_SID_SIZE, sid_, const_cast<SID*>(sid));

[forshaw, 2015/02/23 13:32:29]

nit: Obviously the original code didn't check the return of CopySid but should
we are least check it using a DCHECK?

[Shrikant Kelkar, 2015/02/23 17:54:01]

Done.

 };
 
-Sid::Sid(WELL_KNOWN_SID_TYPE type) {
+Sid::Sid(WELL_KNOWN_SID_TYPE type)
+    : unique_sub_auth_sid_(NULL) {
   DWORD size_sid = SECURITY_MAX_SID_SIZE;
   BOOL result = ::CreateWellKnownSid(type, NULL, sid_, &size_sid);
   DCHECK(result);
@@ -23,4 +28,29 @@ const SID *Sid::GetPSID() const {
   return reinterpret_cast<SID*>(const_cast<BYTE*>(sid_));
 }
 
+void Sid::GenerateUniqueSubAuthoritySid(std::wstring* unique_sid) {

[forshaw, 2015/02/23 13:32:29]

nit: Would it not make more sense to return the wstring rather than via a
pointer?

[Shrikant Kelkar, 2015/02/23 17:54:01]

Done.

+  SID_IDENTIFIER_AUTHORITY authority = SECURITY_APP_PACKAGE_AUTHORITY;
+  GUID guid = { 0 };
+  ::CoCreateGuid(&guid);

[forshaw, 2015/02/23 13:32:29]

Not sure I like creating random SIDs too much, the domain of GUID generation and
SIDs is not the same and I guess there might be the odd time that they collide.
I think it's very unlikely to occur but I personally think it would be better to
pre-generate a fixed SID (which we can document) then add a some sort of unique
RID to that. 

[Shrikant Kelkar, 2015/02/23 17:54:01]

Yes, I see your point, will discuss with other reviewers and will try to get a
common resolve.

+  unsigned long* guid_long = reinterpret_cast<unsigned long*>(&guid);
+  PSID sid = NULL;
+  DWORD sub_auth = *GetSidSubAuthority(reinterpret_cast<SID*>(sid_), 0);
+  ::AllocateAndInitializeSid(&authority,
+                             8,
+                             sub_auth,
+                             guid_long[0],
+                             guid_long[1],
+                             guid_long[2],
+                             guid_long[3],
+                             1,
+                             1,
+                             1,
+                             &sid);
+  LPWSTR sid_string = NULL;
+  ::ConvertSidToStringSid(sid, &sid_string);
+  *unique_sid = sid_string;
+  ::FreeSid(sid);
+  ::LocalFree(sid_string);
+}
+
 }  // namespace sandbox