Fix CIG intercepts on Windows 1903.

The section permission requested by the loader changed in 1903 so
one of the sanity checks in the intercept was failing.

BUG=990640,750886

Change-Id: I975f1225fc017cb9cd735e4632862451af8a0341
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1737042
Auto-Submit: Will Harris <wfh@chromium.org>
Reviewed-by: James Forshaw <forshaw@chromium.org>
Commit-Queue: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#684104}

sandbox/win/src/signed_interception.cc

@@ -33,8 +33,11 @@ TargetNtCreateSection(NtCreateSectionFunction orig_CreateSection,
   // Only intercept calls that match a particular signature.
   if (status != STATUS_INVALID_IMAGE_HASH)
     return status;
-  if (desired_access != (SECTION_QUERY | SECTION_MAP_WRITE | SECTION_MAP_READ |
-                         SECTION_MAP_EXECUTE))
+  // The section only needs to have SECTION_MAP_EXECUTE, but the permissions
+  // vary depending on the OS. Windows 1903 and higher requests (SECTION_QUERY |
+  // SECTION_MAP_READ | SECTION_MAP_EXECUTE) while previous OS versions also
+  // request SECTION_MAP_WRITE. Just check for EXECUTE.
+  if (!(desired_access & SECTION_MAP_EXECUTE))
     return status;
   if (object_attributes)
     return status;