2.5.3.1.2 SidDominates

A support function, SidDominates, compares the mandatory integrity levels expressed in two SIDs. The function returns TRUE if the first SID dominates the second SID or is equal to the second SID, or FALSE if the first SID is subordinate to the second SID. This function can be used only on SIDs that encode integrity levels (the SID_IDENTIFIER_AUTHORITY field is SECURITY_MANDATORY_LABEL_AUTHORITY); any other use is unsupported.

Any plug-in replacement is required to use this exact algorithm, which is described using the pseudocode syntax as specified in [DALB].

 BOOLEAN
 SidDominates(
    SID sid1,
    SID sid2)
 -- On entrance, both sid1 and sid2 MUST be SIDs representing integrity levels 
 -- as specified in section 2.4.4.11. Use of any other SID is a logic error.
 -- On exit, a value of TRUE indicates that sid1 dominates or is equivalent to sid2.
 -- A value of FALSE indicates that sid1 is dominated by sid2. Dominance in 
 -- this context is determination of the dominance of one integrity level over
 -- another in a manner as broadly described, for example, in the Biba Integrity Model.
  
 IF sid1 equals sid2 THEN
     Return TRUE
 END IF
  
 -- If Sid2 has more SubAuthorities than Sid1, Sid1 cannot dominate.
 IF sid2.SubAuthorityCount GREATER THAN sid1.SubAuthorityCount THEN
     Return FALSE
 END IF
  
 -- On entry, index is zero and is incremented for each iteration of the loop.
 FOR each SubAuthority in sid1
     IF sid1.SubAuthority[ index ] GREATER THAN or EQUAL TO sid2.SubAuthority[ index ] THEN
         Return TRUE
     END IF
 END FOR
  
 Return FALSE
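
The pseudocode above, transcribed into C with its entry precondition checked explicitly; this is an added example, not code from the specification. The `sid_t` layout, the function names, and the `-1` return are assumptions of the example: `-1` marks input the pseudocode leaves undefined (a SID that is not a well-formed integrity-level SID, or a loop index beyond sid2's SubAuthorityCount).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_SUBAUTH 15 /* a SID holds at most 15 sub-authorities */

/* Simplified in-memory SID; struct and field names are this example's own. */
typedef struct {
    uint8_t  revision;
    uint8_t  count;            /* SubAuthorityCount */
    uint8_t  authority[6];     /* SID_IDENTIFIER_AUTHORITY, big-endian */
    uint32_t sub[MAX_SUBAUTH]; /* SubAuthority[] */
} sid_t;

/* SECURITY_MANDATORY_LABEL_AUTHORITY is {0,0,0,0,0,16}, i.e. S-1-16-... */
static const uint8_t LABEL_AUTHORITY[6] = {0, 0, 0, 0, 0, 16};

/* Precondition from the text: both inputs must encode integrity levels.
 * Requiring at least one sub-authority is this example's assumption. */
static bool is_integrity_sid(const sid_t *s) {
    return s && s->revision == 1 && s->count >= 1 && s->count <= MAX_SUBAUTH &&
           memcmp(s->authority, LABEL_AUTHORITY, 6) == 0;
}

/* Revision and authority already match once both SIDs pass the check above. */
static bool sid_equal(const sid_t *a, const sid_t *b) {
    return a->count == b->count &&
           memcmp(a->sub, b->sub, a->count * sizeof a->sub[0]) == 0;
}

/* Returns 1 (TRUE), 0 (FALSE), or -1 for input the pseudocode leaves undefined. */
int sid_dominates(const sid_t *sid1, const sid_t *sid2) {
    if (!is_integrity_sid(sid1) || !is_integrity_sid(sid2)) return -1;
    if (sid_equal(sid1, sid2)) return 1;
    if (sid2->count > sid1->count) return 0;
    for (uint8_t index = 0; index < sid1->count; index++) {
        if (index >= sid2->count) return -1; /* sid2.SubAuthority[index] undefined */
        if (sid1->sub[index] >= sid2->sub[index]) return 1;
    }
    return 0;
}

/* Constructed sample input: S-1-16-<rid> (0x1000 Low, 0x2000 Medium, 0x3000 High). */
sid_t make_label_sid(uint32_t rid) {
    sid_t s = { .revision = 1, .count = 1, .authority = {0, 0, 0, 0, 0, 16} };
    s.sub[0] = rid;
    return s;
}
```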
  