01_add_back_user_restricted_level.patch

Enable keyboard shortcuts

# HG changeset patch

# User Bob Owen <bobowencode@gmail.com>

# Date 1730471667 0

#      Fri Nov 01 14:34:27 2024 +0000

Add back USER_RESTRICTED access token level

diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc

--- a/sandbox/win/src/restricted_token_utils.cc

+++ b/sandbox/win/src/restricted_token_utils.cc

@@ -112,16 +112,23 @@ std::optional<base::win::AccessToken> Cr

         restricted_token.AddRestrictingSid(*unique_restricted_sid);

       // This token has to be able to create objects in BNO, it needs the

       // current logon sid in the token to achieve this. You should also set the

       // process to be low integrity level so it can't access object created by

       // other processes.

       restricted_token.AddRestrictingSidLogonSession();

       break;

+    case USER_RESTRICTED:

+      restricted_token.AddUserSidForDenyOnly();

+      restricted_token.AddRestrictingSid(base::win::WellKnownSid::kRestricted);

+      if (unique_restricted_sid) {

+        restricted_token.AddRestrictingSid(*unique_restricted_sid);

+      }

+      break;

     case USER_LOCKDOWN:

       remove_traverse_privilege = true;

       restricted_token.AddUserSidForDenyOnly();

       restricted_token.AddRestrictingSid(base::win::WellKnownSid::kNull);

       if (unique_restricted_sid) {

         restricted_token.AddRestrictingSid(*unique_restricted_sid);

       break;

diff --git a/sandbox/win/src/security_level.h b/sandbox/win/src/security_level.h

--- a/sandbox/win/src/security_level.h

+++ b/sandbox/win/src/security_level.h

@@ -38,16 +38,18 @@ enum IntegrityLevel {

 // The Token level specifies a set of  security profiles designed to

 // provide the bulk of the security of sandbox.

//

 //  TokenLevel                 |Restricting   |Deny Only       |Privileges|

 //                             |Sids          |Sids            |          |

 // ----------------------------|--------------|----------------|----------|

 // USER_LOCKDOWN               | Null Sid     | All            | None     |

 // ----------------------------|--------------|----------------|----------|

+// USER_RESTRICTED             | RESTRICTED   | All            | Traverse |

+// ----------------------------|--------------|----------------|----------|

 // USER_LIMITED                | Users        | All except:    | Traverse |

 //                             | Everyone     | Users          |          |

 //                             | RESTRICTED   | Everyone       |          |

 //                             |              | Interactive    |          |

 // ----------------------------|--------------|----------------|----------|

 // USER_INTERACTIVE            | Users        | All except:    | Traverse |

 //                             | Everyone     | Users          |          |

 //                             | RESTRICTED   | Everyone       |          |

@@ -75,16 +77,17 @@ enum IntegrityLevel {

 // and on the broker token itself.

//

 // The LOCKDOWN level is designed to allow access to almost nothing that has

 // security associated with and they are the recommended levels to run sandboxed

 // code specially if there is a chance that the broker is process might be

 // started by a user that belongs to the Admins or power users groups.

 enum TokenLevel {

   USER_LOCKDOWN = 0,

+  USER_RESTRICTED,

   USER_LIMITED,

   USER_INTERACTIVE,

   USER_RESTRICTED_NON_ADMIN,

   USER_RESTRICTED_SAME_ACCESS,

   USER_UNPROTECTED,

   USER_LAST

};