[NTOS:SE] Implement job case in PsImpersonateClient. CORE-8787

ntoskrnl/ps/security.c

@@ -615,6 +615,8 @@ PsImpersonateClient(IN PETHREAD Thread,
 {
     PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
     PTOKEN OldToken = NULL;
+    PEJOB Job;
+
     PAGED_CODE();
     PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);
 
@@ -668,8 +670,32 @@ PsImpersonateClient(IN PETHREAD Thread,
             }
         }
 
-        /* Check if this is a job, which we don't support yet */
+        /* FIXME: If the process token can't impersonate, we need to make a copy instead */
-        if (Thread->ThreadsProcess->Job) ASSERT(FALSE);
+
+        /* Check if this is a job */
+        Job = Thread->ThreadsProcess->Job;
+        if (Job != NULL)
+        {
+            /* No admin allowed in this job */
+            if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_NO_ADMIN) &&
+                SeTokenIsAdmin(Token))
+            {
+                return STATUS_ACCESS_DENIED;
+            }
+
+            /* No restricted tokens allowed in this job */
+            if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_RESTRICTED_TOKEN) &&
+                SeTokenIsRestricted(Token))
+            {
+                return STATUS_ACCESS_DENIED;
+            }
+
+            /* We don't support job filters yet */
+            if (Job->Filter != NULL)
+            {
+                ASSERT(Job->Filter == NULL);
+            }
+        }
 
         /* Lock thread security */
         PspLockThreadSecurityExclusive(Thread);

sdk/include/ndk/pstypes.h

@@ -216,6 +216,14 @@ extern POBJECT_TYPE NTSYSAPI PsJobType;
 #define JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK    0x1000
 #define JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE      0x2000
 
+//
+// Job Security Limit Flags
+//
+#define JOB_OBJECT_SECURITY_NO_ADMIN            0x0001
+#define JOB_OBJECT_SECURITY_RESTRICTED_TOKEN    0x0002
+#define JOB_OBJECT_SECURITY_ONLY_TOKEN          0x0004
+#define JOB_OBJECT_SECURITY_FILTER_TOKENS       0x0008
+
 //
 // Cross Thread Flags
 //