https://git.reactos.org/?p=reactos.git;a=commitdiff;h=db180c29c7be2794e18d5…
commit db180c29c7be2794e18d5dc0622495e5427bfe94
Author: Thomas Faber <thomas.faber(a)reactos.org>
AuthorDate: Mon May 11 08:41:38 2020 +0200
Commit: Thomas Faber <thomas.faber(a)reactos.org>
CommitDate: Sun May 17 16:05:00 2020 +0200
[NTOS:SE] Implement job case in PsImpersonateClient. CORE-8787
---
ntoskrnl/ps/security.c | 30 ++++++++++++++++++++++++++++--
sdk/include/ndk/pstypes.h | 8 ++++++++
2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/ntoskrnl/ps/security.c b/ntoskrnl/ps/security.c
index 619ff56d247..0b3f97fbf06 100644
--- a/ntoskrnl/ps/security.c
+++ b/ntoskrnl/ps/security.c
@@ -615,6 +615,8 @@ PsImpersonateClient(IN PETHREAD Thread,
{
PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
PTOKEN OldToken = NULL;
+ PEJOB Job;
+
PAGED_CODE();
PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);
@@ -668,8 +670,32 @@ PsImpersonateClient(IN PETHREAD Thread,
}
}
- /* Check if this is a job, which we don't support yet */
- if (Thread->ThreadsProcess->Job) ASSERT(FALSE);
+ /* FIXME: If the process token can't impersonate, we need to make a copy
instead */
+
+ /* Check if this is a job */
+ Job = Thread->ThreadsProcess->Job;
+ if (Job != NULL)
+ {
+ /* No admin allowed in this job */
+ if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_NO_ADMIN)
&&
+ SeTokenIsAdmin(Token))
+ {
+ return STATUS_ACCESS_DENIED;
+ }
+
+ /* No restricted tokens allowed in this job */
+ if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_RESTRICTED_TOKEN)
&&
+ SeTokenIsRestricted(Token))
+ {
+ return STATUS_ACCESS_DENIED;
+ }
+
+ /* We don't support job filters yet */
+ if (Job->Filter != NULL)
+ {
+ ASSERT(Job->Filter == NULL);
+ }
+ }
/* Lock thread security */
PspLockThreadSecurityExclusive(Thread);
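Review bot: The job-filter branch fails open when assertions are compiled out. `ASSERT(Job->Filter == NULL)` is the only reaction to a non-NULL `Job->Filter`, so in a build without assertions (presumably free/release builds) execution falls through to `PspLockThreadSecurityExclusive` and the impersonation proceeds without the job's token filter being applied. Until filters are implemented the branch should refuse the request, e.g. `ASSERT(Job->Filter == NULL); return STATUS_NOT_IMPLEMENTED;`. The hunk also leaves `JOB_OBJECT_SECURITY_ONLY_TOKEN` unenforced even though the commit defines it in pstypes.h, so a `/* FIXME: JOB_OBJECT_SECURITY_ONLY_TOKEN is not enforced yet */` comment next to the two implemented checks would keep that gap visible. PsImpersonateClient starts and ends outside the hunk, so whether the new early `return STATUS_ACCESS_DENIED` paths skip any cleanup set up earlier in the function cannot be confirmed from here.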
diff --git a/sdk/include/ndk/pstypes.h b/sdk/include/ndk/pstypes.h
index 219b880368f..55839aca37a 100644
--- a/sdk/include/ndk/pstypes.h
+++ b/sdk/include/ndk/pstypes.h
@@ -216,6 +216,14 @@ extern POBJECT_TYPE NTSYSAPI PsJobType;
#define JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK 0x1000
#define JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE 0x2000
+//
+// Job Security Limit Flags
+//
+#define JOB_OBJECT_SECURITY_NO_ADMIN 0x0001
+#define JOB_OBJECT_SECURITY_RESTRICTED_TOKEN 0x0002
+#define JOB_OBJECT_SECURITY_ONLY_TOKEN 0x0004
+#define JOB_OBJECT_SECURITY_FILTER_TOKENS 0x0008
+
//
// Cross Thread Flags
//