
Issue 760977

Starred by 4 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Feature

Blocking:
issue 807249




Implement AppContainer Sandbox Support

Project Member Reported by forshaw@chromium.org, Aug 31 2017

Issue description

This is a tracking bug to add full AppContainer support to the Windows sandbox.

Design doc: https://docs.google.com/a/google.com/document/d/1b_4CASQoMjBvm1egX_qrg8dPWDvOEK_fLJz-swmxvpQ/edit?usp=sharing

 
Status: Started (was: Assigned)
Project Member

Comment 2 by bugdroid1@chromium.org, Sep 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/251a3311605b4f065b84d26a150ff1a3feb4abd0

commit 251a3311605b4f065b84d26a150ff1a3feb4abd0
Author: James Forshaw <forshaw@chromium.org>
Date: Tue Sep 12 09:51:45 2017

Implemented changes to Sid class for AC support.

This CL implements changes to the sandbox Sid class to support the creation
of Capability Sid objects. It also contains a few refactoring efforts to
clean up older code.

Bug: 760977
Cq-Include-Trybots: master.tryserver.chromium.win:win10_chromium_x64_rel_ng
Change-Id: Id9c05b8017abb81896c1bc30f23599441812d1fd
Reviewed-on: https://chromium-review.googlesource.com/649026
Commit-Queue: James Forshaw <forshaw@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Penny MacNeil <pennymac@chromium.org>
Cr-Commit-Position: refs/heads/master@{#501229}
[modify] https://crrev.com/251a3311605b4f065b84d26a150ff1a3feb4abd0/sandbox/win/src/acl.cc
[modify] https://crrev.com/251a3311605b4f065b84d26a150ff1a3feb4abd0/sandbox/win/src/restricted_token.cc
[modify] https://crrev.com/251a3311605b4f065b84d26a150ff1a3feb4abd0/sandbox/win/src/sid.cc
[modify] https://crrev.com/251a3311605b4f065b84d26a150ff1a3feb4abd0/sandbox/win/src/sid.h
[modify] https://crrev.com/251a3311605b4f065b84d26a150ff1a3feb4abd0/sandbox/win/src/sid_unittest.cc

Project Member

Comment 3 by bugdroid1@chromium.org, Sep 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0393f247783b78fa6e134757c19838bc6ecad383

commit 0393f247783b78fa6e134757c19838bc6ecad383
Author: James Forshaw <forshaw@chromium.org>
Date: Tue Sep 12 17:03:52 2017

Revert "Implemented changes to Sid class for AC support."

This reverts commit 251a3311605b4f065b84d26a150ff1a3feb4abd0.

Reason for revert: People building with actual VS2015 according to the official instructions don't have the definitions for some of the AC functions. I'd argue they shouldn't be building with that but it seems that it's part of the official instructions. Reverting for now.

Original change's description:
> Implemented changes to Sid class for AC support.
> 
> This CL implements changes to the sandbox Sid class to support the creation
> of Capability Sid objects. It also contains a few refactoring efforts to
> clean up older code.
> 
> Bug: 760977
> Cq-Include-Trybots: master.tryserver.chromium.win:win10_chromium_x64_rel_ng
> Change-Id: Id9c05b8017abb81896c1bc30f23599441812d1fd
> Reviewed-on: https://chromium-review.googlesource.com/649026
> Commit-Queue: James Forshaw <forshaw@chromium.org>
> Reviewed-by: Will Harris <wfh@chromium.org>
> Reviewed-by: Penny MacNeil <pennymac@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#501229}

TBR=pennymac@chromium.org,forshaw@chromium.org,wfh@chromium.org

Change-Id: Icafd0c2281d8442562fc24c869ca88595277f065
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 760977
Cq-Include-Trybots: master.tryserver.chromium.win:win10_chromium_x64_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/663698
Reviewed-by: James Forshaw <forshaw@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#501316}
[modify] https://crrev.com/0393f247783b78fa6e134757c19838bc6ecad383/sandbox/win/src/acl.cc
[modify] https://crrev.com/0393f247783b78fa6e134757c19838bc6ecad383/sandbox/win/src/restricted_token.cc
[modify] https://crrev.com/0393f247783b78fa6e134757c19838bc6ecad383/sandbox/win/src/sid.cc
[modify] https://crrev.com/0393f247783b78fa6e134757c19838bc6ecad383/sandbox/win/src/sid.h
[modify] https://crrev.com/0393f247783b78fa6e134757c19838bc6ecad383/sandbox/win/src/sid_unittest.cc

Project Member

Comment 4 by bugdroid1@chromium.org, Sep 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fb0b9d315f449c822f61de545a67b4c3b14c6e60

commit fb0b9d315f449c822f61de545a67b4c3b14c6e60
Author: Bruce Dawson <brucedawson@chromium.org>
Date: Wed Sep 27 21:21:32 2017

Require Creators Update SDK to build Chrome on Windows

There is an increasing need to use Windows features that only exist in
Windows 10 Creators Update or later. This is most conveniently done by
requiring that SDK. The packaged toolchain used by Google build machines
and Google employees has been using the Creators Update SDK for several
months - this CL only changes the requirement for those who are not
using the packaged toolchain. This update would have been done earlier
but several broken versions of the Creators Update SDK necessitated a
delay.

This change was triggered by crrev.com/c/649026 which had to be reverted
due to its dependence on the Creators Update SDK. This change will let
that change be relanded. Requiring the Creators Update SDK will also
allow ENABLE_HDR_DETECTION to be unconditionally defined.

After this change developers will get an informative error message if
they do not have the Creators Update SDK or later installed.

Note that Chrome, of course, still needs to *run* on versions of Windows
before Windows 10 Creators Update - this just covers *build*
requirements.

Bug: 760977
Change-Id: Ice36177e25cedb80555a3ebedaf9f710cafb1a88
Reviewed-on: https://chromium-review.googlesource.com/666023
Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
Reviewed-by: Scott Graham <scottmg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504773}
[modify] https://crrev.com/fb0b9d315f449c822f61de545a67b4c3b14c6e60/base/win/windows_version.cc
[modify] https://crrev.com/fb0b9d315f449c822f61de545a67b4c3b14c6e60/build/toolchain/win/setup_toolchain.py
[modify] https://crrev.com/fb0b9d315f449c822f61de545a67b4c3b14c6e60/tools/gn/visual_studio_writer.cc
[modify] https://crrev.com/fb0b9d315f449c822f61de545a67b4c3b14c6e60/tools/gn/visual_studio_writer_unittest.cc

Project Member

Comment 5 by bugdroid1@chromium.org, Sep 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eba36b241ed357ca5d78047ae80495af3a2c37e3

commit eba36b241ed357ca5d78047ae80495af3a2c37e3
Author: James Forshaw <forshaw@chromium.org>
Date: Fri Sep 29 18:40:52 2017

Reland "Implemented changes to Sid class for AC support."

This is a reland of 251a3311605b4f065b84d26a150ff1a3feb4abd0, possible now
that the Creators Update SDK (10.0.15036) is now required when building
Chrome.

Original change's description:
> Implemented changes to Sid class for AC support.
> 
> This CL implements changes to the sandbox Sid class to support the creation
> of Capability Sid objects. It also contains a few refactoring efforts to
> clean up older code.
> 
> Bug: 760977
> Cq-Include-Trybots: master.tryserver.chromium.win:win10_chromium_x64_rel_ng
> Change-Id: Id9c05b8017abb81896c1bc30f23599441812d1fd
> Reviewed-on: https://chromium-review.googlesource.com/649026
> Commit-Queue: James Forshaw <forshaw@chromium.org>
> Reviewed-by: Will Harris <wfh@chromium.org>
> Reviewed-by: Penny MacNeil <pennymac@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#501229}

Bug: 760977
Change-Id: I4d3f61190f8f34bc638cf2c48646bfc66a6508af
Cq-Include-Trybots: master.tryserver.chromium.win:win10_chromium_x64_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/691114
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505430}
[modify] https://crrev.com/eba36b241ed357ca5d78047ae80495af3a2c37e3/sandbox/win/src/acl.cc
[modify] https://crrev.com/eba36b241ed357ca5d78047ae80495af3a2c37e3/sandbox/win/src/restricted_token.cc
[modify] https://crrev.com/eba36b241ed357ca5d78047ae80495af3a2c37e3/sandbox/win/src/sid.cc
[modify] https://crrev.com/eba36b241ed357ca5d78047ae80495af3a2c37e3/sandbox/win/src/sid.h
[modify] https://crrev.com/eba36b241ed357ca5d78047ae80495af3a2c37e3/sandbox/win/src/sid_unittest.cc

Project Member

Comment 6 by bugdroid1@chromium.org, Oct 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0b19fc1ae5bdf0b1bc020051a52097ed9e8d46a4

commit 0b19fc1ae5bdf0b1bc020051a52097ed9e8d46a4
Author: James Forshaw <forshaw@chromium.org>
Date: Thu Oct 12 13:34:56 2017

Additional features for Sid class.

This CL adds some additional features to the Sid class including getting
a Sid from a list of sub-authorities and getting the ALL RESTRICTED
PACKAGES sid. It also makes the PSID constructor explicit because it was
possible to accidentally create a SID from an opaque pointer.

Bug: 760977
Cq-Include-Trybots: master.tryserver.chromium.win:win10_chromium_x64_rel_ng
Change-Id: I48d4f9924b5cc11162e21b1369a132e41d283398
Reviewed-on: https://chromium-review.googlesource.com/712157
Commit-Queue: James Forshaw <forshaw@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508337}
[modify] https://crrev.com/0b19fc1ae5bdf0b1bc020051a52097ed9e8d46a4/sandbox/win/src/acl.cc
[modify] https://crrev.com/0b19fc1ae5bdf0b1bc020051a52097ed9e8d46a4/sandbox/win/src/sid.cc
[modify] https://crrev.com/0b19fc1ae5bdf0b1bc020051a52097ed9e8d46a4/sandbox/win/src/sid.h
[modify] https://crrev.com/0b19fc1ae5bdf0b1bc020051a52097ed9e8d46a4/sandbox/win/src/sid_unittest.cc
[modify] https://crrev.com/0b19fc1ae5bdf0b1bc020051a52097ed9e8d46a4/sandbox/win/src/win_utils.h

Project Member

Comment 7 by bugdroid1@chromium.org, Oct 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/47311f434c10a86d2e86a4820ac2658782e7bfc9

commit 47311f434c10a86d2e86a4820ac2658782e7bfc9
Author: James Forshaw <forshaw@chromium.org>
Date: Fri Oct 13 17:53:36 2017

Fix known capabilities on Win8.

This CL changes known capabilities to only reflect the pre-defined list
as supported on Windows 8. Windows 8 does not directly support named
capabilities although we could implement it using the SHA256 algorithm
if we wanted to. Also the DeriveCapabilitySids method isn't supported prior
to Windows 10 TH2 so instead this CL uses the underlying NTDLL function which
gives us support back to the first version of Windows 10.

Bug: 760977
Cq-Include-Trybots: master.tryserver.chromium.win:win10_chromium_x64_rel_ng
Change-Id: Iaedd6b7b38c332861a583af7d837e72af430ecf5
Reviewed-on: https://chromium-review.googlesource.com/718736
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508751}
[modify] https://crrev.com/47311f434c10a86d2e86a4820ac2658782e7bfc9/sandbox/win/src/nt_internals.h
[modify] https://crrev.com/47311f434c10a86d2e86a4820ac2658782e7bfc9/sandbox/win/src/sid.cc
[modify] https://crrev.com/47311f434c10a86d2e86a4820ac2658782e7bfc9/sandbox/win/src/sid.h
[modify] https://crrev.com/47311f434c10a86d2e86a4820ac2658782e7bfc9/sandbox/win/src/sid_unittest.cc
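
The SHA256-based derivation of named capability SIDs that comment 7 mentions, as an added example that is not Chromium's code. It assumes details the page does not state: the `S-1-15-3-1024` prefix, hashing the upper-cased UTF-16LE name, and little-endian 32-bit sub-authorities. All function names and the sample capability names are this example's own.

```python
import hashlib
import struct

# Assumptions (not stated on this page): a named capability SID is
# S-1-15-3-1024 followed by the SHA-256 of the upper-cased UTF-16LE name,
# split into eight little-endian 32-bit sub-authorities.
APP_PACKAGE_AUTHORITY = 15   # SECURITY_APP_PACKAGE_AUTHORITY
CAPABILITY_BASE_RID = 3      # SECURITY_CAPABILITY_BASE_RID
CAPABILITY_APP_RID = 1024    # SECURITY_CAPABILITY_APP_RID

# Pre-defined capabilities with fixed RIDs (a subset of the winnt.h list).
PREDEFINED = {
    "internetclient": 1,
    "internetclientserver": 2,
    "privatenetworkclientserver": 3,
}


def format_sid(authority, sub_authorities):
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in sub_authorities))


def derive_named_capability_sid(name):
    """Hash-derived SID for an arbitrary capability name."""
    if not name or not name.isascii():
        # Python's upper() and the kernel's upcase table can disagree outside
        # ASCII, so this sketch refuses rather than derive a wrong SID.
        raise ValueError("capability name must be non-empty ASCII")
    digest = hashlib.sha256(name.upper().encode("utf-16-le")).digest()
    words = struct.unpack("<8I", digest)
    return format_sid(APP_PACKAGE_AUTHORITY,
                      (CAPABILITY_BASE_RID, CAPABILITY_APP_RID) + words)


def resolve_capability(name, named_supported):
    """Pre-defined names always resolve; other names resolve only when
    named capabilities are supported (the lookup order is this example's
    choice)."""
    rid = PREDEFINED.get(name.lower())
    if rid is not None:
        return format_sid(APP_PACKAGE_AUTHORITY, (CAPABILITY_BASE_RID, rid))
    return derive_named_capability_sid(name) if named_supported else None


def sid_to_bytes(sid):
    """Binary SID layout: revision, sub-authority count, 48-bit big-endian
    authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"] or not 1 <= len(parts) - 3 <= 15:
        raise ValueError("unsupported SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("BB", 1, len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


if __name__ == "__main__":
    # Constructed sample inputs.
    for cap in ("internetClient", "registryRead", "lpacCom"):
        print(cap, resolve_capability(cap, named_supported=True))
```

Passing `named_supported=False` models the Windows 8 behaviour described in the commit: only the pre-defined list resolves, and any other name yields no SID.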

Project Member

Comment 8 by bugdroid1@chromium.org, Oct 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/84ca74dd869d40e9269de6b8b16f4d4c57e745a2

commit 84ca74dd869d40e9269de6b8b16f4d4c57e745a2
Author: James Forshaw <forshaw@chromium.org>
Date: Fri Oct 13 20:43:37 2017

Moved lowbox token creation to restricted token utilities.

This CL moves the creation of the LowBox token into a generic utility
function. This allows the implementation to be shared between the existing
LowBox implementation and the new AC implementation. I also added a utility
class to handle SECURITY_CAPABILITIES; there are no tests here for that, they'll
be added in the next CL.

Bug: 760977
Cq-Include-Trybots: master.tryserver.chromium.win:win10_chromium_x64_rel_ng
Change-Id: I8c8a17659e7110f3e8eff2d966bd5745027bc7b1
Reviewed-on: https://chromium-review.googlesource.com/712162
Commit-Queue: James Forshaw <forshaw@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508807}
[modify] https://crrev.com/84ca74dd869d40e9269de6b8b16f4d4c57e745a2/sandbox/win/BUILD.gn
[modify] https://crrev.com/84ca74dd869d40e9269de6b8b16f4d4c57e745a2/sandbox/win/src/restricted_token_unittest.cc
[modify] https://crrev.com/84ca74dd869d40e9269de6b8b16f4d4c57e745a2/sandbox/win/src/restricted_token_utils.cc
[modify] https://crrev.com/84ca74dd869d40e9269de6b8b16f4d4c57e745a2/sandbox/win/src/restricted_token_utils.h
[modify] https://crrev.com/84ca74dd869d40e9269de6b8b16f4d4c57e745a2/sandbox/win/src/sandbox_policy.h
[modify] https://crrev.com/84ca74dd869d40e9269de6b8b16f4d4c57e745a2/sandbox/win/src/sandbox_policy_base.cc
[modify] https://crrev.com/84ca74dd869d40e9269de6b8b16f4d4c57e745a2/sandbox/win/src/sandbox_policy_base.h
[add] https://crrev.com/84ca74dd869d40e9269de6b8b16f4d4c57e745a2/sandbox/win/src/security_capabilities.cc
[add] https://crrev.com/84ca74dd869d40e9269de6b8b16f4d4c57e745a2/sandbox/win/src/security_capabilities.h

Project Member

Comment 9 by bugdroid1@chromium.org, Oct 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8501acdfe692273659767dbf1b1c5eef0e61400e

commit 8501acdfe692273659767dbf1b1c5eef0e61400e
Author: James Forshaw <forshaw@chromium.org>
Date: Tue Oct 17 20:57:55 2017

Added AppContainerProfile implementation

This CL contains the implementation of the AppContainerProfile and
associated tests.

Bug: 760977
Cq-Include-Trybots: master.tryserver.chromium.win:win10_chromium_x64_rel_ng
Change-Id: I40e8a5b858ca9ad1f0aa28f9165fbb6bbb1485a8
Reviewed-on: https://chromium-review.googlesource.com/712176
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509526}
[modify] https://crrev.com/8501acdfe692273659767dbf1b1c5eef0e61400e/sandbox/win/BUILD.gn
[add] https://crrev.com/8501acdfe692273659767dbf1b1c5eef0e61400e/sandbox/win/src/app_container_profile.cc
[add] https://crrev.com/8501acdfe692273659767dbf1b1c5eef0e61400e/sandbox/win/src/app_container_profile.h
[add] https://crrev.com/8501acdfe692273659767dbf1b1c5eef0e61400e/sandbox/win/src/app_container_unittest.cc
[modify] https://crrev.com/8501acdfe692273659767dbf1b1c5eef0e61400e/sandbox/win/src/security_capabilities.h

Project Member

Comment 10 by bugdroid1@chromium.org, Nov 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0abf534c10c933af38575329f5fb2270e7829328

commit 0abf534c10c933af38575329f5fb2270e7829328
Author: James Forshaw <forshaw@chromium.org>
Date: Thu Nov 30 15:11:58 2017

Added impersonation capabilities.

Added support for an additional set of capability sids that are used for
the impersonation token in a new sandboxed process.

Bug: 760977
Change-Id: Iaf07e21011cbd13091b213d8b989f2132717c862
Reviewed-on: https://chromium-review.googlesource.com/797923
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520546}
[modify] https://crrev.com/0abf534c10c933af38575329f5fb2270e7829328/sandbox/win/src/app_container_profile.cc
[modify] https://crrev.com/0abf534c10c933af38575329f5fb2270e7829328/sandbox/win/src/app_container_profile.h
[modify] https://crrev.com/0abf534c10c933af38575329f5fb2270e7829328/sandbox/win/src/app_container_unittest.cc

Project Member

Comment 11 by bugdroid1@chromium.org, Dec 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b8c94b96e65efba286cf232b7610369ae3818baa

commit b8c94b96e65efba286cf232b7610369ae3818baa
Author: James Forshaw <forshaw@chromium.org>
Date: Thu Dec 21 09:33:32 2017

Added AppContainerProfile support to policy.

This CL adds the AppContainerProfile support to the sandbox policy code
so that new AppContainer processes can be created.

Bug: 760977
Change-Id: Ida8028ba6146df71defe0a4072ecaea29c04f246
Reviewed-on: https://chromium-review.googlesource.com/804195
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#525657}
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/src/app_container_test.cc
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/src/broker_services.cc
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/src/sandbox_policy.h
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/src/sandbox_policy_base.cc
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/src/sandbox_policy_base.h
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/src/target_process.cc
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/src/target_process.h
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/tests/common/controller.cc
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/tests/common/controller.h
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/tests/common/test_utils.cc
[modify] https://crrev.com/b8c94b96e65efba286cf232b7610369ae3818baa/sandbox/win/tests/common/test_utils.h

Project Member

Comment 12 by bugdroid1@chromium.org, Dec 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b3ed17839d4177142aeab4a832f42ad21d18da3f

commit b3ed17839d4177142aeab4a832f42ad21d18da3f
Author: Balazs Engedy <engedy@chromium.org>
Date: Thu Dec 21 10:02:34 2017

Revert "Added AppContainerProfile support to policy."

This reverts commit b8c94b96e65efba286cf232b7610369ae3818baa.

Reason for revert: Broke compile on Win x64.

https://logs.chromium.org/v/?s=chromium%2Fbb%2Fchromium%2FWin_x64%2F17524%2F%2B%2Frecipes%2Fsteps%2Fcompile%2F0%2Fstdout

Original change's description:
> Added AppContainerProfile support to policy.
> 
> This CL adds the AppContainerProfile support to the sandbox policy code
> so that new AppContainer processes can be created.
> 
> Bug: 760977
> Change-Id: Ida8028ba6146df71defe0a4072ecaea29c04f246
> Reviewed-on: https://chromium-review.googlesource.com/804195
> Reviewed-by: Will Harris <wfh@chromium.org>
> Commit-Queue: James Forshaw <forshaw@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#525657}

TBR=forshaw@chromium.org,wfh@chromium.org

Change-Id: Ica5369ae3c27bbf1f4d6c69ab2fce1b38062ec29
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 760977
Reviewed-on: https://chromium-review.googlesource.com/839300
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Commit-Queue: Balazs Engedy <engedy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#525658}
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/src/app_container_test.cc
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/src/broker_services.cc
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/src/sandbox_policy.h
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/src/sandbox_policy_base.cc
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/src/sandbox_policy_base.h
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/src/target_process.cc
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/src/target_process.h
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/tests/common/controller.cc
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/tests/common/controller.h
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/tests/common/test_utils.cc
[modify] https://crrev.com/b3ed17839d4177142aeab4a832f42ad21d18da3f/sandbox/win/tests/common/test_utils.h

Project Member

Comment 13 by bugdroid1@chromium.org, Dec 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f

commit 0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f
Author: James Forshaw <forshaw@chromium.org>
Date: Fri Dec 22 08:57:00 2017

Reland "Added AppContainerProfile support to policy."

This is a reland of b8c94b96e65efba286cf232b7610369ae3818baa
Original change's description:
> Added AppContainerProfile support to policy.
> 
> This CL adds the AppContainerProfile support to the sandbox policy code
> so that new AppContainer processes can be created.
> 
> Bug: 760977
> Change-Id: Ida8028ba6146df71defe0a4072ecaea29c04f246
> Reviewed-on: https://chromium-review.googlesource.com/804195
> Reviewed-by: Will Harris <wfh@chromium.org>
> Commit-Queue: James Forshaw <forshaw@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#525657}

Bug: 760977
Change-Id: I53fe426d76c24997b762135b88f6b5c84e32e9b8
Reviewed-on: https://chromium-review.googlesource.com/841082
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#525961}
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/src/app_container_test.cc
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/src/broker_services.cc
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/src/sandbox_policy.h
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/src/sandbox_policy_base.cc
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/src/sandbox_policy_base.h
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/src/target_process.cc
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/src/target_process.h
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/tests/common/controller.cc
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/tests/common/controller.h
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/tests/common/test_utils.cc
[modify] https://crrev.com/0c42dd04b3c81f44f1894a6c4da18fb50e8d5c7f/sandbox/win/tests/common/test_utils.h

Project Member

Comment 14 by bugdroid1@chromium.org, Jan 20 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/edec191b14134554835fbfee2c34324f0850808a

commit edec191b14134554835fbfee2c34324f0850808a
Author: James Forshaw <forshaw@chromium.org>
Date: Sat Jan 20 00:27:45 2018

Copy DACL when duplicating LowBox token.

This CL fixes an issue when creating an impersonation LowBox token. The
new token's DACL is taken from the current caller's default DACL which
results in an AC process not being able to open the token. This can
lead to weird bugs during the bootstrapping of a process.

Bug: 760977
Change-Id: Iac970feb2444f5aa6027838ce38bb88a3633caaa
Reviewed-on: https://chromium-review.googlesource.com/873920
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#530685}
[modify] https://crrev.com/edec191b14134554835fbfee2c34324f0850808a/sandbox/win/src/restricted_token_unittest.cc
[modify] https://crrev.com/edec191b14134554835fbfee2c34324f0850808a/sandbox/win/src/restricted_token_utils.cc

Project Member

Comment 15 by bugdroid1@chromium.org, Jan 29 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/afd5ef7aaa84de16d6ec7d22815eb0174f653504

commit afd5ef7aaa84de16d6ec7d22815eb0174f653504
Author: James Forshaw <forshaw@chromium.org>
Date: Mon Jan 29 18:00:20 2018

Map generic access mask during access check.

Map any generic access rights during the AC access check. Also fixes
a bug in the test code which prevented testing of generic access masks.

Bug: 760977
Change-Id: Iec729a40a25c187b758f61e3128930e7f4bfb02d
Reviewed-on: https://chromium-review.googlesource.com/890454
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532487}
[modify] https://crrev.com/afd5ef7aaa84de16d6ec7d22815eb0174f653504/sandbox/win/src/app_container_profile.cc
[modify] https://crrev.com/afd5ef7aaa84de16d6ec7d22815eb0174f653504/sandbox/win/src/app_container_unittest.cc
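
Why the generic-mask mapping in comment 15 matters, as an added example that is not the Chromium sandbox code. It is a simplified model of a DACL walk (no restricted or deny-only SIDs); the function names, the sample DACL and the token SID set are constructed for illustration.

```python
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
GENERIC_BITS = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL

# GENERIC_MAPPING for file objects (values from winnt.h).
FILE_GENERIC_MAPPING = {
    GENERIC_READ: 0x00120089,     # FILE_GENERIC_READ
    GENERIC_WRITE: 0x00120116,    # FILE_GENERIC_WRITE
    GENERIC_EXECUTE: 0x001200A0,  # FILE_GENERIC_EXECUTE
    GENERIC_ALL: 0x001F01FF,      # FILE_ALL_ACCESS
}

# Constructed sample: one ACE granting read to ALL APPLICATION PACKAGES.
SAMPLE_DACL = [("allow", "S-1-15-2-1", 0x00120089)]
SAMPLE_TOKEN_SIDS = {"S-1-15-2-1"}


class GenericNotMapped(Exception):
    """Models ERROR_GENERIC_NOT_MAPPED from an access check."""


def map_generic_mask(mask, mapping):
    """Replace each generic bit with the object type's specific rights."""
    for generic_bit, specific in mapping.items():
        if mask & generic_bit:
            mask = (mask & ~generic_bit) | specific
    return mask


def access_check(dacl, token_sids, desired):
    """Walk ACEs in order; ACE masks hold specific rights only, so a
    desired mask that still carries generic bits cannot be evaluated."""
    if desired & GENERIC_BITS:
        raise GenericNotMapped(hex(desired))
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


def check_file_access(dacl, token_sids, desired):
    """Map generic rights first, then run the access check."""
    mapped = map_generic_mask(desired, FILE_GENERIC_MAPPING)
    return access_check(dacl, token_sids, mapped)


if __name__ == "__main__":
    for name, mask in (("GENERIC_READ", GENERIC_READ),
                       ("GENERIC_WRITE", GENERIC_WRITE)):
        print(name, check_file_access(SAMPLE_DACL, SAMPLE_TOKEN_SIDS, mask))
```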

Blocking: 807249
Project Member

Comment 17 by bugdroid1@chromium.org, Feb 6 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fd2a42e483b8a096e4a06859baa6f8009ef2907b

commit fd2a42e483b8a096e4a06859baa6f8009ef2907b
Author: James Forshaw <forshaw@chromium.org>
Date: Tue Feb 06 19:43:25 2018

Convert process mitigations to delayed form.

Due to a bug in CreateProcess when enabling an AppContainer profile and
setting process mitigations at the same time CreateProcess will fail
with ERROR_INVALID_PARAMETER. This is due to CreateProcess internally
enabling some mitigations such as force image relocation. To try and
preserve the set mitigations we convert all possible to delayed
mitigations instead. This CL also fixes a typo in a member variable name.

Bug: 760977
Change-Id: I45f65c5ba5bab83270fcf113fbc6fbae66caa7a0
Reviewed-on: https://chromium-review.googlesource.com/902047
Reviewed-by: Penny MacNeil <pennymac@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534754}
[modify] https://crrev.com/fd2a42e483b8a096e4a06859baa6f8009ef2907b/sandbox/win/src/app_container_test.cc
[modify] https://crrev.com/fd2a42e483b8a096e4a06859baa6f8009ef2907b/sandbox/win/src/process_mitigations.cc
[modify] https://crrev.com/fd2a42e483b8a096e4a06859baa6f8009ef2907b/sandbox/win/src/process_mitigations.h
[modify] https://crrev.com/fd2a42e483b8a096e4a06859baa6f8009ef2907b/sandbox/win/src/sandbox_policy_base.cc
[modify] https://crrev.com/fd2a42e483b8a096e4a06859baa6f8009ef2907b/sandbox/win/src/sandbox_policy_base.h
