On utility/ppapi processes, cfgmgr32.dll opens a to this handle and then will...

On utility/ppapi processes, cfgmgr32.dll opens a to this handle and then will raise an exception on exit if FLG_ENABLE_HANDLE_EXCEPTIONS is set in gflags.  This flag is set on Windows 10 builds.

BUG=452613

Review URL: https://codereview.chromium.org/893263003

Cr-Commit-Position: refs/heads/master@{#314497}

content/common/sandbox_win.cc

@@ -343,7 +343,8 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
   return true;
 }
 
-bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) {
+bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy,
+                                  std::string& type_str) {
   sandbox::ResultCode result;
   // Renderers need to share events with plugins.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
@@ -353,8 +354,11 @@ bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) {
     return false;
 
   // Win8+ adds a device DeviceApi that we don't need.
-  if (base::win::GetVersion() > base::win::VERSION_WIN7)
+  // Only close this handle on renderer processes.  See crbug.com/452613.
+  if (base::win::GetVersion() > base::win::VERSION_WIN7 &&
+      type_str == switches::kRendererProcess) {
     result = policy->AddKernelObjectToClose(L"File", L"\\Device\\DeviceApi");
+  }
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
@@ -649,7 +653,8 @@ base::Process StartSandboxedProcess(
   if (delegate)
     delegate->PreSandbox(&disable_default_policy, &exposed_dir);
 
-  if (!disable_default_policy && !AddPolicyForSandboxedProcess(policy))
+  if (!disable_default_policy &&
+      !AddPolicyForSandboxedProcess(policy, type_str))
     return base::Process();
 
   if (type_str == switches::kRendererProcess) {