Source code
Revision control
Copy as Markdown
Other Tools
# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1709836178 0
# Thu Mar 07 18:29:38 2024 +0000
# Node ID 2b9ab7e6c5a1630b497fe1543634cbaebdc395f8
# Parent f9c20c064d639a146ffa09ec832aee6dff44643d
This allows us to maintain the same access to our process when the integrity
level on our access token is dropped.
diff --git a/sandbox/win/src/target_services.cc b/sandbox/win/src/target_services.cc
--- a/sandbox/win/src/target_services.cc
+++ b/sandbox/win/src/target_services.cc
@@ -117,16 +117,24 @@ DWORD SetTokenIntegrityLevel(HANDLE toke
bool SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
absl::optional<DWORD> rid = GetIntegrityLevelRid(integrity_level);
if (!rid) {
// No mandatory level specified, we don't change it.
return true;
}
+ // Set integrity level for our process ACL, so we retain access to it.
+ // We ignore failures because this is not a security measure, but some
+ // functionality may fail later in the process.
+ DWORD rv = SetObjectIntegrityLabel(::GetCurrentProcess(),
+ base::win::SecurityObjectType::kKernel,
+ 0, integrity_level);
+ DCHECK(rv == ERROR_SUCCESS);
+
absl::optional<base::win::AccessToken> token =
base::win::AccessToken::FromCurrentProcess(/*impersonation=*/false,
TOKEN_ADJUST_DEFAULT);
if (!token) {
return false;
}
return token->SetIntegrityLevel(*rid);
}