A support function, SidDominates, compares the mandatory integrity levels expressed in two SIDs. The function returns TRUE if the first SID dominates the second SID or is equal to the second SID, or FALSE if the first SID is subordinate to the second SID. This function can be used only on SIDs that encode integrity levels (the SID_IDENTIFIER_AUTHORITY field is SECURITY_MANDATORY_LABEL_AUTHORITY); any other use is unsupported.
Any plug-in replacement is required to use this exact algorithm, which is described using the pseudocode syntax as specified in [DALB].
BOOLEAN SidDominates( SID sid1, SID sid2) -- On entrance, both sid1 and sid2 MUST be SIDs representing integrity levels -- as specified in section 126.96.36.199. Use of any other SID is a logic error. -- On exit, a value of TRUE indicates that sid1 dominates or is equivalent to sid2. -- A value of FALSE indicates that sid1 is dominated by sid2. Dominance in -- this context is determination of the dominance of one integrity level over -- another in a manner as broadly described, for example, in the Biba Integrity Model. IF sid1 equals sid2 THEN Return TRUE END IF -- If Sid2 has more SubAuthorities than Sid1, Sid1 cannot dominate. IF sid2.SubAuthorityCount GREATER THAN sid1.SubAuthorityCount THEN Return FALSE END IF --on entry, index is zero and is incremented for each iteration of the loop. FOR each SubAuthority in sid1 IF sid1.SubAuthority[ index ] GREATER THAN or EQUAL TO sid2.SubAuthority[ index ] THEN Return TRUE END IF END FOR Return FALSE