Bug 1553249: Only set the Win32k disable policy for the RDD process w…

…hen running on Win8+; r=bobowen

Differential Revision: https://phabricator.services.mozilla.com/D36239

security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

@@ -792,7 +792,9 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
       sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
       sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
 
-  if (sRddWin32kDisable) {
+  // On Windows 7, where Win32k lockdown is not supported, the Chromium
+  // sandbox does something weird that breaks COM instantiation.
+  if (sRddWin32kDisable && IsWin8OrLater()) {
     mitigations |= sandbox::MITIGATION_WIN32K_DISABLE;
     result =
         mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,