Added impersonation of the anonymous token around CloseClipboard

This patch adds impersonation of the anonymous token around calls
to the CloseClipboard system call. On Windows 8+ the win32k driver
captures the access token of the caller and makes it available to
other users on the desktop through the system call
GetClipboardAccessToken. This introduces a risk of privilege
escalation in sandboxed processes. By performing the impersonation
then whenever Chrome writes data to the clipboard only the anonymous
token is available.

BUG=440693

Review URL: https://codereview.chromium.org/792413003

Cr-Commit-Position: refs/heads/master@{#308372}

ui/base/clipboard/clipboard_win.cc

@@ -35,6 +35,23 @@ namespace ui {
 
 namespace {
 
+// A scoper to impersonate the anonymous token and revert when leaving scope
+class AnonymousImpersonator {
+ public:
+  AnonymousImpersonator() {
+    must_revert_ = ::ImpersonateAnonymousToken(::GetCurrentThread());
+  }
+
+  ~AnonymousImpersonator() {
+    if (must_revert_)
+      ::RevertToSelf();
+  }
+
+ private:
+  BOOL must_revert_;
+  DISALLOW_COPY_AND_ASSIGN(AnonymousImpersonator);
+};
+
 // A scoper to manage acquiring and automatically releasing the clipboard.
 class ScopedClipboard {
  public:
@@ -84,6 +101,11 @@ class ScopedClipboard {
 
   void Release() {
     if (opened_) {
+      // Impersonate the anonymous token during the call to CloseClipboard
+      // This prevents Windows 8+ capturing the broker's access token which
+      // could be accessed by lower-privileges chrome processes leading to
+      // a risk of EoP
+      AnonymousImpersonator impersonator;
       ::CloseClipboard();
       opened_ = false;
     } else {