Reported via Chromium security dev alias.

OS: Windows 10

I found an issue with Chromium sandbox when AppLocker is running, it's not something critical but maybe worth improving.

If you want to spawn a target with following tokens SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, sandbox::USER_LOCKDOWN) and the broker is running as elevated admin while AppLocker is active, spawning the target will fail with error ERROR_ACCESS_DISABLED_BY_POLICY.

Windows 7 introduced a flag SANDBOX_INERT (added to sandbox after this bug issue https://bugs.chromium.org/p/chromium/issues/detail?id=10576) which should tell AppLocker to not check this process against set rules. This worked until Microsoft issued a KB2532445 (http://support.microsoft.com/kb/2532445) which enables this flag only for users LocalSystem and TrustedInstaller. Windows 10 RTM has this KB already build it.

The problem is that while creating the process AppLocker verifies the rules against lockdown token which has no rights, not even read access to group Everyone and therefore it blocks the creation of the process. This can be easily tested on Windows 10 Enterprise (probably even Windows 7 with the mentioned KB, but I haven't tested that) where you enable AppLocker, create default rules and try to launch Chrome as admin (yes yes stupid idea). Chrome won't display any error message just an empty windows without any tabs and spawning a tab won't do anything.

If you set the tokens to SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, sandbox::USER_LIMITED) everything works, that's because USER_LIMITED has access to Everyone which is enough for default rules.

Shouldn't Chrome at least display a message that spawning a target failed or something in this case?

And maybe a mention in some documentation that this can happen would be nice so others won't waste their time on this as me :)