[NTOS:SE] Implement job case in PsImpersonateClient. CORE-8787

2024-06-26 07:51:52 +00:00 · 2020-05-11 08:41:38 +02:00 · 2020-05-11 08:41:38 +02:00 · db180c29c7
parent 2d7f71c5b8
commit db180c29c7
2 changed files with 36 additions and 2 deletions
--- a/ntoskrnl/ps/security.c
+++ b/ntoskrnl/ps/security.c
@ -615,6 +615,8 @@ PsImpersonateClient(IN PETHREAD Thread,
 {
    PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
    PTOKEN OldToken = NULL;
+    PEJOB Job;
+
    PAGED_CODE();
    PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);

@ -668,8 +670,32 @@ PsImpersonateClient(IN PETHREAD Thread,
            }
        }

-        /* Check if this is a job, which we don't support yet */
-        if (Thread->ThreadsProcess->Job) ASSERT(FALSE);
+        /* FIXME: If the process token can't impersonate, we need to make a copy instead */
+
+        /* Check if this is a job */
+        Job = Thread->ThreadsProcess->Job;
+        if (Job != NULL)
+        {
+            /* No admin allowed in this job */
+            if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_NO_ADMIN) &&
+                SeTokenIsAdmin(Token))
+            {
+                return STATUS_ACCESS_DENIED;
+            }
+
+            /* No restricted tokens allowed in this job */
+            if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_RESTRICTED_TOKEN) &&
+                SeTokenIsRestricted(Token))
+            {
+                return STATUS_ACCESS_DENIED;
+            }
+
+            /* We don't support job filters yet */
+            if (Job->Filter != NULL)
+            {
+                ASSERT(Job->Filter == NULL);
+            }
+        }

        /* Lock thread security */
        PspLockThreadSecurityExclusive(Thread);
--- a/sdk/include/ndk/pstypes.h
+++ b/sdk/include/ndk/pstypes.h
@ -216,6 +216,14 @@ extern POBJECT_TYPE NTSYSAPI PsJobType;
 #define JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK    0x1000
 #define JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE      0x2000

+//
+// Job Security Limit Flags
+//
+#define JOB_OBJECT_SECURITY_NO_ADMIN            0x0001
+#define JOB_OBJECT_SECURITY_RESTRICTED_TOKEN    0x0002
+#define JOB_OBJECT_SECURITY_ONLY_TOKEN          0x0004
+#define JOB_OBJECT_SECURITY_FILTER_TOKENS       0x0008
+
 //
 // Cross Thread Flags
 //