GitLab

This CL modifies the DACL for the primary LowBox token to allow the
initial privileged impersonation token to open a handle to it. This
is necessary as the Windows kernel implements a feature which prevents
Low IL tokens accessing any securable resource which has a package SID
as part of the DACL. Without the change opening the primary process
token fails during warmup which causes numerous unexpected behaviors
such as the process crashing.

Bug: 1000447
Change-Id: I76ac6eecae08d8de6f2130e5841b50a17b3739e3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1783728Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#697354}