Author: Bob Owen <bobowencode@gmail.com>
Add USER_LOCKDOWN_WITH_TRAVERSE access token level.
diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc
index cb8d18a1a832..1dc7fd219f88 100644
--- a/sandbox/win/src/restricted_token_utils.cc
+++ b/sandbox/win/src/restricted_token_utils.cc
@@ -137,16 +137,26 @@ absl::optional<base::win::AccessToken> CreateRestrictedToken(
restricted_token.AddRestrictingSid(base::win::WellKnownSid::kRestricted);
if (unique_restricted_sid) {
restricted_token.AddRestrictingSid(*unique_restricted_sid);
}
} else {
restricted_token.AddUserSidForDenyOnly();
}
break;
+ case USER_LOCKDOWN_WITH_TRAVERSE:
+ if (use_restricting_sids) {
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kNull);
+ if (unique_restricted_sid) {
+ restricted_token.AddRestrictingSid(*unique_restricted_sid);
+ }
+ } else {
+ restricted_token.AddUserSidForDenyOnly();
+ }
+ break;
case USER_LOCKDOWN:
remove_traverse_privilege = true;
if (use_restricting_sids) {
restricted_token.AddRestrictingSid(base::win::WellKnownSid::kNull);
if (unique_restricted_sid) {
restricted_token.AddRestrictingSid(*unique_restricted_sid);
}
} else {
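Review bot: The new USER_LOCKDOWN_WITH_TRAVERSE case at lines 24–33 repeats the USER_LOCKDOWN body verbatim; the only intended difference visible here is that USER_LOCKDOWN additionally sets `remove_traverse_privilege = true`. The restricting-SID set (Null SID plus the optional unique SID) and the deny-only fallback are what make either lockdown level locked down, so two hand-maintained copies let the levels drift apart silently, and a divergence in the restricting SIDs would weaken the sandbox boundary without any obvious signal. Placing USER_LOCKDOWN first and letting it fall through keeps that invariant in one place: `case USER_LOCKDOWN:` / `remove_traverse_privilege = true;` / `[[fallthrough]];` immediately followed by the existing USER_LOCKDOWN_WITH_TRAVERSE body. The enclosing switch in CreateRestrictedToken starts before and continues after this hunk, so the else-branch of the USER_LOCKDOWN case is not visible here.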
diff --git a/sandbox/win/src/security_level.h b/sandbox/win/src/security_level.h
index f9110600a11a..a86c4576f6e8 100644
--- a/sandbox/win/src/security_level.h
+++ b/sandbox/win/src/security_level.h
@@ -38,16 +38,18 @@ enum IntegrityLevel {
// The Token level specifies a set of security profiles designed to
// provide the bulk of the security of sandbox.
//
// TokenLevel |Restricting |Deny Only |Privileges|
// |Sids |Sids | |
// ----------------------------|--------------|----------------|----------|
// USER_LOCKDOWN | Null Sid | All | None |
// ----------------------------|--------------|----------------|----------|
+// USER_LOCKDOWN_WITH_TRAVERSE | Null Sid | All | Traverse |
+// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED | RESTRICTED | All | Traverse |
// ----------------------------|--------------|----------------|----------|
// USER_LIMITED | Users | All except: | Traverse |
// | Everyone | Users | |
// | RESTRICTED | Everyone | |
// | | Interactive | |
// ----------------------------|--------------|----------------|----------|
// USER_INTERACTIVE | Users | All except: | Traverse |
@@ -77,16 +79,17 @@ enum IntegrityLevel {
// and on the broker token itself.
//
// The LOCKDOWN level is designed to allow access to almost nothing that has
// security associated with and they are the recommended levels to run sandboxed
// code specially if there is a chance that the broker is process might be
// started by a user that belongs to the Admins or power users groups.
enum TokenLevel {
USER_LOCKDOWN = 0,
+ USER_LOCKDOWN_WITH_TRAVERSE,
USER_RESTRICTED,
USER_LIMITED,
USER_INTERACTIVE,
USER_RESTRICTED_NON_ADMIN,
USER_RESTRICTED_SAME_ACCESS,
USER_UNPROTECTED,
USER_LAST
};
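Review bot: Inserting USER_LOCKDOWN_WITH_TRAVERSE at line 74 between USER_LOCKDOWN = 0 and USER_RESTRICTED shifts the numeric value of every later TokenLevel enumerator by one; if any caller compares levels ordinally or carries the value across a serialized boundary (policy configuration, IPC, metrics), that needs checking before landing, which I cannot confirm from this hunk alone. The enumerator also carries no comment of its own, and the paragraph above still speaks only of "The LOCKDOWN level", so a reader of the enum has to go back to the table to learn how the two lockdown levels differ. A one-line comment on line 74 such as `// Same as USER_LOCKDOWN but retains the traverse privilege.` would make the distinction local to the declaration.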