
2.5.3.1.2 SidDominates

A support function, SidDominates, compares the mandatory integrity levels expressed in two SIDs. The function returns TRUE if the first SID dominates the second SID or is equal to the second SID, or FALSE if the first SID is subordinate to the second SID. This function can be used only on SIDs that encode integrity levels (the SID_IDENTIFIER_AUTHORITY field is SECURITY_MANDATORY_LABEL_AUTHORITY); any other use is unsupported.

Any plug-in replacement is required to use this exact algorithm, which is described using the pseudocode syntax as specified in [DALB].

BOOLEAN
SidDominates(
   SID sid1,
   SID sid2)
-- On entrance, both sid1 and sid2 MUST be SIDs representing integrity levels 
-- as specified in section 2.4.4.11. Use of any other SID is a logic error.
-- On exit, a value of TRUE indicates that sid1 dominates or is equivalent to sid2.
-- A value of FALSE indicates that sid1 is dominated by sid2. Dominance in 
-- this context is determination of the dominance of one integrity level over
-- another in a manner as broadly described, for example, in the Biba Integrity Model.

IF sid1 equals sid2 THEN
    Return TRUE
END IF

-- If Sid2 has more SubAuthorities than Sid1, Sid1 cannot dominate.
IF sid2.SubAuthorityCount GREATER THAN sid1.SubAuthorityCount THEN
    Return FALSE
END IF

-- On entry, index is zero and is incremented for each iteration of the loop.
FOR each SubAuthority in sid1
    IF sid1.SubAuthority[ index ] GREATER THAN or EQUAL TO sid2.SubAuthority[ index ] THEN
        Return TRUE
    END IF
END FOR

Return FALSE
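
The pseudocode above, transcribed step by step into C as an added example (not code from the specification). The `EXAMPLE_SID` type and the function names are hypothetical, and the inputs are constructed single-subauthority integrity SIDs of the form S-1-16-<rid>, using the Low (0x1000) and Medium (0x2000) integrity RIDs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified in-memory SID for this example (hypothetical type, not a Windows
   header definition). Unused SubAuthority slots stay zero, so every indexed
   read below stays inside the array. */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];
    uint32_t SubAuthority[15];        /* a SID holds at most 15 */
} EXAMPLE_SID;

/* Build S-1-16-<rid>; SECURITY_MANDATORY_LABEL_AUTHORITY is {0,0,0,0,0,16}. */
static EXAMPLE_SID integrity_sid(uint32_t rid) {
    EXAMPLE_SID s = {0};
    s.Revision = 1;
    s.SubAuthorityCount = 1;
    s.IdentifierAuthority[5] = 16;
    s.SubAuthority[0] = rid;
    return s;
}

static bool sid_equal(const EXAMPLE_SID *a, const EXAMPLE_SID *b) {
    return a->Revision == b->Revision &&
           a->SubAuthorityCount == b->SubAuthorityCount &&
           memcmp(a->IdentifierAuthority, b->IdentifierAuthority, 6) == 0 &&
           memcmp(a->SubAuthority, b->SubAuthority,
                  a->SubAuthorityCount * sizeof(uint32_t)) == 0;
}

/* Step-by-step transcription of the SidDominates pseudocode. */
bool sid_dominates(const EXAMPLE_SID *sid1, const EXAMPLE_SID *sid2) {
    if (sid_equal(sid1, sid2)) return true;
    if (sid2->SubAuthorityCount > sid1->SubAuthorityCount) return false;
    for (unsigned index = 0; index < sid1->SubAuthorityCount; index++)
        if (sid1->SubAuthority[index] >= sid2->SubAuthority[index]) return true;
    return false;
}

int main(void) {
    /* Constructed inputs: Medium (0x2000) and Low (0x1000) integrity RIDs. */
    EXAMPLE_SID low = integrity_sid(0x1000), medium = integrity_sid(0x2000);
    printf("medium dominates low: %d\n", sid_dominates(&medium, &low));
    printf("low dominates medium: %d\n", sid_dominates(&low, &medium));
    return 0;
}
```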
 
© 2014 Microsoft. All rights reserved.