2.5.3.3 MandatoryIntegrityCheck Algorithm Pseudocode

The Windows integrity mechanism extends the security architecture by defining a new ACE type to represent an integrity level in an object's security descriptor.<95> The new ACE represents the object integrity level. An integrity level is also assigned to the security access token when the access token is initialized. The integrity level in the access token represents a subject integrity level. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs an access check. The Access Check algorithm determines what access rights are allowed to a securable object. Windows restricts the allowed access rights depending on whether the subject's integrity level is equal to, higher than, or lower than the object, and depending on the integrity policy flags in the new access control ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access (under user control) that DACLs provide.

The MandatoryIntegrityCheck Algorithm examines the global Mandatory Integrity Check policy and applies the policy to the passed token and security descriptor of a securable object. It determines the set of access bits that can be granted by the DACL to a security principal.

 --On entrance to the MandatoryIntegrityCheck Algorithm
 -- IN IntegrityLevelSID Mandatory Integrity SID of the Token
 -- IN AceIntegritySID Mandatory Integrity SID of the Security Descriptor of the securable object
 -- OUT MandatoryInformation MANDATORY_INFORMATION value, output of the MandatoryIntegrityCheck 
 -- Algorithm describing the allowable bits for the caller
 -- Token  Security Context for the calling security principal
 -- IN ObjectSecurityDescriptor SECURITY_DESCRIPTOR structure that is assigned to the object
  
 Dim Boolean TokenDominates 
 -- TokenDominates value indicating that the IntegrityLevelSID is higher than the AceIntegritySID
  
 Dim TOKEN_MANDATORY_POLICY TokenPolicy
 Set TokenPolicy to Token.MandatoryPolicy field
  
 Dim SYSTEM_MANDATORY_LABEL_ACE ObjectIntegrityACE
 -- Find the Manadatory ACE of ObjectSecurityDescriptor in the Sacl
 Call FindAceByType WITH ObjectSecurityDescriptor.Sacl,
       SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0
    RETURNING MandatoryACE, FoundIndex
  
 Set ObjectIntegrityACE = MandatoryACE
  
 Dim ACCESS_MASK ObjectIntegrityAceMask
 --Set ObjectIntegrityAceMask to the Access Mask field of the 
 --SYSTEM_MANDATORY_LABEL_ACE of the ObjectSecurityDescriptor 
 Set ObjectIntegrityAceMask to MandatoryACE.Mask
  
 IF TokenPolicy.Policy EQUAL  TOKEN_MANDATORY_POLICY_OFF OR 
     TokenPolicy.Policy EQUAL TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN THEN
     Set MandatoryInformation.AllowedAccess to GENERIC_ALL
     Return success
 END IF
  
 Dim PACE_HEADER ACE
 Set ACE to the ObjectSecurityDescriptor SACL of the
     SYSTEM_MANDATORY_LABEL_ACE
 Dim ACCESS_MASK AceMask 
 Set AceMask to zero
  
 IF (ACE.AceFlags does not contain INHERIT_ONLY_ACE) THEN
     Set AceMask to ObjectIntegrityAceMask      
     Set AceIntegritySID to the SID whose first DWORD is given by
        ObjectIntegrityACE SidStart
 ELSE 
      Set AceMask to SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
      --The DefaultMandatorySID is derived from policy managed in an 
      --implementation-specific manner.  The SID for ML_MEDIUM is used by
      --Windows S-1-16-8192.
      Set AceIntegritySID to DefaultMandatorySID
 END IF
  
 IF CALL CompareSid (IntegrityLevelSID, AceIntegritySID,)returns TRUE 
 THEN
     Set TokenDominates to TRUE
 ELSE
     CALL SidDominates (IntegrityLevelSID, AceIntegritySID)
  
     IF SidDominates returns TRUE THEN
         Set TokenDominates to TRUE
     ELSE
         Set TokenDominates to FALSE
     END IF
 END IF
  
 IF TokenPolicy EQUAL TOKEN_MANDATORY_POLICY_NO_WRITE_UP THEN
     Add GENERIC_READ to MandatoryInformation.AllowedAccess
     Add GENERIC_EXECUTE to MandatoryInformation.AllowedAccess
     IF TokenDominates is TRUE THEN
         Add GENERIC_WRITE to MandatoryInformation.AllowedAccess
     END IF
 END IF
  
  
 IF TokenDominates is FALSE THEN
     IF AceMask & SYSTEM_MANDATORY_LABEL_NO_READ_UP THEN
         Remove GENERIC_READ from MandatoryInformation.AllowedAccess
     END IF
  
     IF AceMask & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP THEN
         Remove GENERIC_WRITE from MandatoryInformation.AllowedAccess
     END IF
         
     IF AceMask & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP THEN
         Remove GENERIC_EXECUTE from MandatoryInformation.AllowedAccess
     END IF
 END IF
  
 -- SeRelabelPrivilege see [MS-LSAD] 3.1.1.2.1 Privilege Data Model
 IF Token.Privileges contains SeRelabelPrivilege THEN
     Add WRITE_OWNER to MandatoryInformation.AllowedAccess  
 END IF
  
 ---------------------------
 BOOLEAN CompareSid (
 SID Sid1, 
 SID Sid2 )
  
 -- On entrance, both sid1 and sid2 MUST be SIDs representing integrity levels 
  
 IF Sid1 Revision does not equal Sid2 Revision
    return (false);
 END IF
    
 Dim integer SidLength = 0;
 SidLength = (8 + (4 *(Sid1 SubAuthorityCount)))
  
 -- Compare the Sidlength bytes of Sid1 to Sidlength bytes of Sid2
 -- Return TRUE if Sid1 equals Sid2
 return(!memcmp( Sid1, Sid2, SidLength))