Export (0) Print
Expand All

2.5.3.3 MandatoryIntegrityCheck Algorithm Pseudocode

The Windows integrity mechanism extends the security architecture by defining a new ACE type to represent an integrity level in an object's security descriptor.<79> The new ACE represents the object integrity level. An integrity level is also assigned to the security access token when the access token is initialized. The integrity level in the access token represents a subject integrity level. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs an access check. The Access Check algorithm determines what access rights are allowed to a securable object. Windows restricts the allowed access rights depending on whether the subject's integrity level is equal to, higher than, or lower than the object, and depending on the integrity policy flags in the new access control ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access (under user control) that DACLs provide.

The MandatoryIntegrityCheck Algorithm examines the global Mandatory Integrity Check policy and applies the policy to the passed token and security descriptor of a securable object. It determines the set of access bits that can be granted by the DACL to a security principal.

--On entrance to the MandatoryIntegrityCheck Algorithm
-- IN IntegrityLevelSID Mandatory Integrity SID of the Token
-- IN AceIntegritySID Mandatory Integrity SID of the Security Descriptor of the securable object
-- OUT MandatoryInformation MANDATORY_INFORMATION value, output of the MandatoryIntegrityCheck 
-- Algorithm describing the allowable bits for the caller
-- Token  Security Context for the calling security principal
-- IN ObjectSecurityDescriptor SECURITY_DESCRIPTOR structure that is assigned to the object

Dim Boolean TokenDominates 
-- TokenDominates value indicating that the IntegrityLevelSID is higher than the AceIntegritySID

Dim TOKEN_MANDATORY_POLICY TokenPolicy
Set TokenPolicy to Token.MandatoryPolicy field

Dim SYSTEM_MANDATORY_LABEL_ACE ObjectIntegrityACE
-- Find the Manadatory ACE of ObjectSecurityDescriptor in the Sacl
Call FindAceByType WITH ObjectSecurityDescriptor.Sacl,
      SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0
   RETURNING MandatoryACE, FoundIndex

Set ObjectIntegrityACE = MandatoryACE

Dim ACCESS_MASK ObjectIntegrityAceMask
--Set ObjectIntegrityAceMask to the Access Mask field of the 
--SYSTEM_MANDATORY_LABEL_ACE of the ObjectSecurityDescriptor 
Set ObjectIntegrityAceMask to MandatoryACE.Mask

IF TokenPolicy.Policy EQUAL  TOKEN_MANDATORY_POLICY_OFF OR 
    TokenPolicy.Policy EQUAL TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN THEN
    Set MandatoryInformation.AllowedAccess to GENERIC_ALL
    Return success
END IF

Dim PACE_HEADER ACE
Set ACE to the ObjectSecurityDescriptor SACL of the
    SYSTEM_MANDATORY_LABEL_ACE
Dim ACCESS_MASK AceMask 
Set AceMask to zero

IF (ACE.AceFlags does not contain INHERIT_ONLY_ACE) THEN
    Set AceMask to ObjectIntegrityAceMask      
    Set AceIntegritySID to the SID whose first DWORD is given by
       ObjectIntegrityACE SidStart
ELSE 
     Set AceMask to SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
     --The DefaultMandatorySID is derived from policy managed in an 
     --implementation-specific manner.  The SID for ML_MEDIUM is used by
     --Windows S-1-16-8192.
     Set AceIntegritySID to DefaultMandatorySID
END IF

IF CALL CompareSid (IntegrityLevelSID, AceIntegritySID,)returns TRUE 
THEN
    Set TokenDominates to TRUE
ELSE
    CALL SidDominates (IntegrityLevelSID, AceIntegritySID)
 
    IF SidDominates returns TRUE THEN
        Set TokenDominates to TRUE
    ELSE
        Set TokenDominates to FALSE
    END IF
END IF

IF TokenPolicy EQUAL TOKEN_MANDATORY_POLICY_NO_WRITE_UP THEN
    Add GENERIC_READ to MandatoryInformation.AllowedAccess
    Add GENERIC_EXECUTE to MandatoryInformation.AllowedAccess
    IF TokenDominates is TRUE THEN
        Add GENERIC_WRITE to MandatoryInformation.AllowedAccess
    END IF
END IF


IF TokenDominates is FALSE THEN
    IF AceMask & SYSTEM_MANDATORY_LABEL_NO_READ_UP THEN
        Remove GENERIC_READ from MandatoryInformation.AllowedAccess
    END IF
 
    IF AceMask & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP THEN
        Remove GENERIC_WRITE from MandatoryInformation.AllowedAccess
    END IF
        
    IF AceMask & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP THEN
        Remove GENERIC_EXECUTE from MandatoryInformation.AllowedAccess
    END IF
END IF

-- SeRelabelPrivilege see [MS-LSAD] 3.1.1.2.1 Privilege Data Model
IF Token.Privileges contains SeRelabelPrivilege THEN
    Add WRITE_OWNER to MandatoryInformation.AllowedAccess  
END IF

---------------------------
BOOLEAN CompareSid (
SID Sid1, 
SID Sid2 )

-- On entrance, both sid1 and sid2 MUST be SIDs representing integrity levels 

IF Sid1 Revision does not equal Sid2 Revision
   return (false);
END IF
   
Dim integer SidLength = 0;
SidLength = (8 + (4 *(Sid1 SubAuthorityCount)))

-- Compare the Sidlength bytes of Sid1 to Sidlength bytes of Sid2
-- Return TRUE if Sid1 equals Sid2
return(!memcmp( Sid1, Sid2, SidLength))
 
Show:
© 2014 Microsoft