cmake: win: Set LPAC ACLs required for sandbox support (fixes #3791)

cmake/cef_macros.cmake.in

@@ -271,6 +271,17 @@ macro(ADD_WINDOWS_MANIFEST manifest_path target extension)
     )
 endmacro()
 
+# Set LPAC ACLs required for Windows sandbox support.
+# See https://github.com/chromiumembedded/cef/issues/3791#issuecomment-2664128961
+macro(SET_LPAC_ACLS target)
+  add_custom_command(
+    TARGET ${target}
+    POST_BUILD
+    COMMAND "icacls" "${CEF_TARGET_OUT_DIR}" "/grant" "*S-1-15-2-2:(OI)(CI)(RX)"
+    COMMENT "Setting LPAC ACLs..."
+    )
+endmacro()
+
 endif(OS_WINDOWS)
 
 

tests/cefclient/CMakeLists.txt.in

@@ -317,4 +317,9 @@ if(OS_WINDOWS)
   # Copy CEF binary and resource files to the target output directory.
   COPY_FILES("${CEF_TARGET}" "${CEF_BINARY_FILES}" "${CEF_BINARY_DIR}" "${CEF_TARGET_OUT_DIR}")
   COPY_FILES("${CEF_TARGET}" "${CEF_RESOURCE_FILES}" "${CEF_RESOURCE_DIR}" "${CEF_TARGET_OUT_DIR}")
+
+  if(USE_SANDBOX)
+    # Set LPAC ACLs required for Windows sandbox support.
+    SET_LPAC_ACLS("${CEF_TARGET}")
+  endif()
 endif()

tests/cefsimple/CMakeLists.txt.in

@@ -212,4 +212,9 @@ if(OS_WINDOWS)
   # Copy binary and resource files to the target output directory.
   COPY_FILES("${CEF_TARGET}" "${CEF_BINARY_FILES}" "${CEF_BINARY_DIR}" "${CEF_TARGET_OUT_DIR}")
   COPY_FILES("${CEF_TARGET}" "${CEF_RESOURCE_FILES}" "${CEF_RESOURCE_DIR}" "${CEF_TARGET_OUT_DIR}")
+
+  if(USE_SANDBOX)
+    # Set LPAC ACLs required for Windows sandbox support.
+    SET_LPAC_ACLS("${CEF_TARGET}")
+  endif()
 endif()

tests/ceftests/CMakeLists.txt.in

@@ -260,4 +260,9 @@ if(OS_WINDOWS)
     "resources/"
     )
   COPY_RESOURCES("${CEF_TARGET}" "${UNITTESTS_DATA_RESOURCES_SRCS}" "${PREFIXES}" "${CMAKE_CURRENT_SOURCE_DIR}" "${CEF_TARGET_OUT_DIR}/ceftests_files")
+
+  if(USE_SANDBOX)
+    # Set LPAC ACLs required for Windows sandbox support.
+    SET_LPAC_ACLS("${CEF_TARGET}")
+  endif()
 endif()