2.5.3.3 MandatoryIntegrityCheck Algorithm Pseudocode
The Windows integrity mechanism extends the security architecture by defining a new ACE type to represent an integrity level in an object's security descriptor.<95> The new ACE represents the object integrity level. An integrity level is also assigned to the security access token when the access token is initialized. The integrity level in the access token represents a subject integrity level. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs an access check. The Access Check algorithm determines what access rights are allowed to a securable object. Windows restricts the allowed access rights depending on whether the subject's integrity level is equal to, higher than, or lower than the object, and depending on the integrity policy flags in the new access control ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access (under user control) that DACLs provide.
The MandatoryIntegrityCheck Algorithm examines the global Mandatory Integrity Check policy and applies the policy to the passed token and security descriptor of a securable object. It determines the set of access bits that can be granted by the DACL to a security principal.
--
-- On entrance to the MandatoryIntegrityCheck Algorithm
-- IN  IntegrityLevelSID         Mandatory Integrity SID of the Token
-- IN  AceIntegritySID           Mandatory Integrity SID of the Security Descriptor of the
--                               securable object
-- OUT MandatoryInformation      MANDATORY_INFORMATION value, output of the MandatoryIntegrityCheck
--                               Algorithm describing the allowable bits for the caller
--     Token                     Security Context for the calling security principal
-- IN  ObjectSecurityDescriptor  SECURITY_DESCRIPTOR structure that is assigned to the object

Dim Boolean TokenDominates
-- TokenDominates value indicating that the IntegrityLevelSID is higher than the AceIntegritySID
Dim TOKEN_MANDATORY_POLICY TokenPolicy
Set TokenPolicy to Token.MandatoryPolicy field
Dim SYSTEM_MANDATORY_LABEL_ACE ObjectIntegrityACE
-- Find the Mandatory ACE of ObjectSecurityDescriptor in the Sacl
Call FindAceByType WITH ObjectSecurityDescriptor.Sacl, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0
    RETURNING MandatoryACE, FoundIndex
Set ObjectIntegrityACE = MandatoryACE
Dim ACCESS_MASK ObjectIntegrityAceMask
-- Set ObjectIntegrityAceMask to the Access Mask field of the
-- SYSTEM_MANDATORY_LABEL_ACE of the ObjectSecurityDescriptor
Set ObjectIntegrityAceMask to MandatoryACE.Mask

IF TokenPolicy.Policy EQUAL TOKEN_MANDATORY_POLICY_OFF OR
   TokenPolicy.Policy EQUAL TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN THEN
    Set MandatoryInformation.AllowedAccess to GENERIC_ALL
    Return success
END IF

Dim PACE_HEADER ACE
Set ACE to the ObjectSecurityDescriptor SACL of the SYSTEM_MANDATORY_LABEL_ACE
Dim ACCESS_MASK AceMask
Set AceMask to zero

IF (ACE.AceFlags does not contain INHERIT_ONLY_ACE) THEN
    Set AceMask to ObjectIntegrityAceMask
    Set AceIntegritySID to the SID whose first DWORD is given by ObjectIntegrityACE SidStart
ELSE
    Set AceMask to SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
    -- The DefaultMandatorySID is derived from policy managed in an
    -- implementation-specific manner. The SID for ML_MEDIUM is used by
    -- Windows: S-1-16-8192.
    Set AceIntegritySID to DefaultMandatorySID
END IF

IF CALL CompareSid (IntegrityLevelSID, AceIntegritySID) returns TRUE THEN
    Set TokenDominates to TRUE
ELSE
    CALL SidDominates (IntegrityLevelSID, AceIntegritySID)
    IF SidDominates returns TRUE THEN
        Set TokenDominates to TRUE
    ELSE
        Set TokenDominates to FALSE
    END IF
END IF

IF TokenPolicy.Policy EQUAL TOKEN_MANDATORY_POLICY_NO_WRITE_UP THEN
    Add GENERIC_READ to MandatoryInformation.AllowedAccess
    Add GENERIC_EXECUTE to MandatoryInformation.AllowedAccess
    IF TokenDominates is TRUE THEN
        Add GENERIC_WRITE to MandatoryInformation.AllowedAccess
    END IF
END IF

IF TokenDominates is FALSE THEN
    IF AceMask & SYSTEM_MANDATORY_LABEL_NO_READ_UP THEN
        Remove GENERIC_READ from MandatoryInformation.AllowedAccess
    END IF
    IF AceMask & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP THEN
        Remove GENERIC_WRITE from MandatoryInformation.AllowedAccess
    END IF
    IF AceMask & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP THEN
        Remove GENERIC_EXECUTE from MandatoryInformation.AllowedAccess
    END IF
END IF

-- SeRelabelPrivilege: see [MS-LSAD] 3.1.1.2.1 Privilege Data Model
IF Token.Privileges contains SeRelabelPrivilege THEN
    Add WRITE_OWNER to MandatoryInformation.AllowedAccess
END IF

---------------------------
BOOLEAN CompareSid ( SID Sid1, SID Sid2 )
-- On entrance, both Sid1 and Sid2 MUST be SIDs representing integrity levels
IF Sid1 Revision does not equal Sid2 Revision
    return (false);
END IF
Dim integer SidLength = 0;
SidLength = (8 + (4 * (Sid1 SubAuthorityCount)))
-- Compare the SidLength bytes of Sid1 to SidLength bytes of Sid2
-- Return TRUE if Sid1 equals Sid2
return (!memcmp( Sid1, Sid2, SidLength))
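The pseudocode above as a runnable model, added here as an illustration and not code from [MS-DTYP] or from Windows. It assumes the packed SID layout (8-byte header plus 4 bytes per sub-authority), models SidDominates as numeric ordering of the integrity-level RID, and treats an object with no label ACE like the inherit-only case; the constant values are the Windows SDK ones.

```python
from typing import NamedTuple
# Access-mask, label-policy and token-policy constants as defined in MS-DTYP / the Windows SDK
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x80000000, 0x40000000, 0x20000000
GENERIC_ALL, WRITE_OWNER, INHERIT_ONLY_ACE = 0x10000000, 0x00080000, 0x8
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4  # SYSTEM_MANDATORY_LABEL_*
POLICY_OFF, POLICY_NO_WRITE_UP, POLICY_NEW_PROCESS_MIN = 0x0, 0x1, 0x2  # TOKEN_MANDATORY_POLICY_*
class Sid(NamedTuple):
    revision: int
    authority: int
    subs: tuple  # sub-authorities; for S-1-16-<level> the only one is the integrity level
    def to_bytes(self) -> bytes:
        # Packed SID layout: Revision, SubAuthorityCount, 6-byte authority, 4-byte sub-authorities
        return (bytes([self.revision, len(self.subs)]) + self.authority.to_bytes(6, "big")
                + b"".join(s.to_bytes(4, "little") for s in self.subs))

def integrity_sid(level: int) -> Sid:
    return Sid(1, 16, (level,))  # S-1-16-<level>: 4096 low, 8192 medium, 12288 high, 16384 system

ML_MEDIUM = integrity_sid(8192)  # DefaultMandatorySID used by Windows (S-1-16-8192)
def compare_sid(a: Sid, b: Sid) -> bool:
    # CompareSid from the pseudocode: equal Revision, then memcmp of 8 + 4 * SubAuthorityCount bytes
    if a.revision != b.revision:
        return False
    n = 8 + 4 * len(a.subs)
    return a.to_bytes()[:n] == b.to_bytes()[:n]

def sid_dominates(a: Sid, b: Sid) -> bool:
    return a.subs[-1] >= b.subs[-1]  # assumption: dominance is numeric order of the level RID

def mandatory_integrity_check(token_sid, token_policy, privileges, label_ace):
    # label_ace: (Mask, Sid, AceFlags) of the SACL's SYSTEM_MANDATORY_LABEL_ACE, or None if absent
    if token_policy in (POLICY_OFF, POLICY_NEW_PROCESS_MIN):
        return GENERIC_ALL  # policy off: the label never restricts access
    if label_ace is None or label_ace[2] & INHERIT_ONLY_ACE:
        ace_mask, ace_sid = NO_WRITE_UP, ML_MEDIUM  # assumption: unlabeled object == inherit-only case
    else:
        ace_mask, ace_sid, _ = label_ace
    dominates = compare_sid(token_sid, ace_sid) or sid_dominates(token_sid, ace_sid)
    allowed = 0
    if token_policy == POLICY_NO_WRITE_UP:
        allowed |= GENERIC_READ | GENERIC_EXECUTE | (GENERIC_WRITE if dominates else 0)
    if not dominates:  # lower-integrity subject: strip the rights the label's policy bits forbid
        for bit, right in ((NO_READ_UP, GENERIC_READ), (NO_WRITE_UP, GENERIC_WRITE),
                           (NO_EXECUTE_UP, GENERIC_EXECUTE)):
            if ace_mask & bit:
                allowed &= ~right
    if "SeRelabelPrivilege" in privileges:
        allowed |= WRITE_OWNER  # SeRelabelPrivilege grants WRITE_OWNER regardless of level
    return allowed
```

A medium-integrity token against a high-labeled object with NO_WRITE_UP, for instance, gets GENERIC_READ | GENERIC_EXECUTE; the same object labeled NO_WRITE_UP | NO_READ_UP leaves a low-integrity caller only GENERIC_EXECUTE.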