Appendix A: SDDL for Mandatory Labels
The security descriptor definition language (SDDL) is a convenient way to represent a security descriptor, including its access permissions, as a string. SDDL defines ACE strings and SID strings to represent the fields of access control entries. You can use the ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor functions to convert a security descriptor, including any mandatory label ACE in its SACL, from binary to string format and back.
The definitions for SDDL strings are in the header file, sddl.h.
The SDDL string for a mandatory label ACE is defined as follows:
#define SDDL_MANDATORY_LABEL TEXT("ML") // Integrity label
The SDDL strings for the mandatory label policy flags, which are in the access mask, are the following:
#define SDDL_NO_WRITE_UP TEXT("NW")
#define SDDL_NO_READ_UP TEXT("NR")
#define SDDL_NO_EXECUTE_UP TEXT("NX")
The SDDL SID strings for the integrity levels are the following:
#define SDDL_ML_LOW TEXT("LW")
#define SDDL_ML_MEDIUM TEXT("ME")
#define SDDL_ML_HIGH TEXT("HI")
#define SDDL_ML_SYSTEM TEXT("SI")
An example of the SDDL for a mandatory label ACE in a SACL that specifies the NO_WRITE_UP policy for low integrity level is the following: S:(ML;;NW;;;LW). The six semicolon-separated fields are the ACE type (ML), the ACE flags, the rights (here, the policy flags), the object GUID, the inherit object GUID, and the SID; the ACE flags and the two GUID fields are empty in this example.
You can use SDDL strings with the ConvertStringSecurityDescriptorToSecurityDescriptor function to initialize a security descriptor with an explicit mandatory label, and then pass that security descriptor in the SECURITY_ATTRIBUTES structure given as the lpSecurityAttributes parameter when creating a new object, such as a file, using CreateFile. A caller can assign a label at or below its own integrity level; assigning a higher label requires SeRelabelPrivilege.
Note
When using ConvertSecurityDescriptorToStringSecurityDescriptor, specify the security information flag LABEL_SECURITY_INFORMATION (0x00000010) in the SecurityInformation parameter in order to convert an explicit mandatory label into its SDDL string equivalent. Without the LABEL_SECURITY_INFORMATION flag, a mandatory label, if it exists, will not show up in the SACL portion of the string. The same flag is needed when you read or write the label with GetSecurityInfo, GetNamedSecurityInfo, or SetSecurityInfo.
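The following is an added example, not part of the original appendix and not Microsoft's code. It round-trips a mandatory label ACE between the SDDL form described above and the binary SYSTEM_MANDATORY_LABEL_ACE layout (ACE_HEADER, ACCESS_MASK, SID) without calling the Win32 converters, so it runs on any platform, and it models the LABEL_SECURITY_INFORMATION behaviour from the note: the SACL string only carries the label ACE when that flag is requested. The ACE type value 0x11, the policy bits, the ACE flag bits and the integrity level RIDs under S-1-16 are taken from the public winnt.h definitions and well-known SIDs, not from this page, and sacl_to_sddl is a simplified model of the converter that handles only mandatory label ACEs.

```python
"""SDDL <-> binary round trip for a SYSTEM_MANDATORY_LABEL_ACE (added example)."""
import struct

SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11            # AceType byte (winnt.h)

# Policy bits carried in the ACE access mask (SYSTEM_MANDATORY_LABEL_NO_*_UP)
POLICY_TOKENS = {"NW": 0x1, "NR": 0x2, "NX": 0x4}

# Integrity level tokens and their RIDs under the mandatory label authority
# S-1-16 (well-known SID values, assumed here rather than taken from the page)
MANDATORY_LABEL_AUTHORITY = 16
LEVEL_TOKENS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}

# ACE flag tokens that can appear on a label ACE (inheritance control bits)
ACE_FLAG_TOKENS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10}

LABEL_SECURITY_INFORMATION = 0x00000010


def _lookup(table, field):
    """OR together the bit values of the two-letter tokens in an SDDL field."""
    if len(field) % 2:
        raise ValueError("malformed SDDL field: %r" % field)
    value = 0
    for i in range(0, len(field), 2):
        tok = field[i:i + 2]
        if tok not in table:
            raise ValueError("unknown SDDL token: %r" % tok)
        value |= table[tok]
    return value


def parse_ml_ace(ace):
    """Parse '(ML;flags;rights;;;sid)' into (ace_flags, policy_mask, rid)."""
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError("ACE string must be parenthesised")
    fields = ace[1:-1].split(";")
    if len(fields) != 6 or fields[0] != "ML":
        raise ValueError("not a mandatory label ACE: %r" % ace)
    _, ace_flags, rights, obj_guid, inh_guid, sid = fields
    if obj_guid or inh_guid:
        raise ValueError("object GUID fields must be empty on an ML ACE")
    if sid in LEVEL_TOKENS:
        rid = LEVEL_TOKENS[sid]
    elif sid.startswith("S-1-16-"):
        rid = int(sid[len("S-1-16-"):])          # numeric form, e.g. S-1-16-8192
    else:
        raise ValueError("not an integrity level SID: %r" % sid)
    return _lookup(ACE_FLAG_TOKENS, ace_flags), _lookup(POLICY_TOKENS, rights), rid


def encode_ml_ace(ace_flags, policy_mask, rid):
    """Build the binary ACE: ACE_HEADER, ACCESS_MASK, then the label SID."""
    sid = (struct.pack("<BB", 1, 1)                        # Revision, SubAuthorityCount
           + MANDATORY_LABEL_AUTHORITY.to_bytes(6, "big")  # IdentifierAuthority
           + struct.pack("<I", rid))                       # single sub-authority
    size = 4 + 4 + len(sid)                                # header + mask + SID
    header = struct.pack("<BBH", SYSTEM_MANDATORY_LABEL_ACE_TYPE, ace_flags, size)
    return header + struct.pack("<I", policy_mask) + sid


def decode_ml_ace(blob):
    """Turn a binary mandatory label ACE back into its SDDL string."""
    ace_type, ace_flags, size = struct.unpack_from("<BBH", blob, 0)
    if ace_type != SYSTEM_MANDATORY_LABEL_ACE_TYPE or size != len(blob):
        raise ValueError("not a well-formed mandatory label ACE")
    (mask,) = struct.unpack_from("<I", blob, 4)
    rev, count = struct.unpack_from("<BB", blob, 8)
    authority = int.from_bytes(blob[10:16], "big")
    if rev != 1 or count != 1 or authority != MANDATORY_LABEL_AUTHORITY:
        raise ValueError("ACE SID is not an integrity level SID")
    (rid,) = struct.unpack_from("<I", blob, 16)
    flags = "".join(t for t, v in ACE_FLAG_TOKENS.items() if ace_flags & v)
    rights = "".join(t for t, v in POLICY_TOKENS.items() if mask & v)
    level = {v: t for t, v in LEVEL_TOKENS.items()}.get(rid, "S-1-16-%d" % rid)
    return "(ML;%s;%s;;;%s)" % (flags, rights, level)


def sacl_to_sddl(aces, security_information):
    """Model of the converter's SACL output: label ACEs are emitted only when
    LABEL_SECURITY_INFORMATION is requested; an empty result means no S: part."""
    parts = []
    for blob in aces:
        if blob[0] != SYSTEM_MANDATORY_LABEL_ACE_TYPE:
            raise NotImplementedError("only mandatory label ACEs are modelled")
        if security_information & LABEL_SECURITY_INFORMATION:
            parts.append(decode_ml_ace(blob))
    return "S:" + "".join(parts) if parts else ""


if __name__ == "__main__":
    blob = encode_ml_ace(*parse_ml_ace("(ML;;NW;;;LW)"))
    print(blob.hex())                                  # 20-byte ACE, size field 0x0014
    print(decode_ml_ace(blob))                         # (ML;;NW;;;LW)
    print(repr(sacl_to_sddl([blob], 0)))               # label omitted without the flag
    print(sacl_to_sddl([blob], LABEL_SECURITY_INFORMATION))
```

The encoded bytes make the layout concrete: 11 00 14 00 is the header (type 0x11, no flags, size 20), 01 00 00 00 is the NO_WRITE_UP mask, and the remaining 12 bytes are the SID S-1-16-4096 with the identifier authority stored big-endian and the RID little-endian. Feeding the same string to the real ConvertStringSecurityDescriptorToSecurityDescriptor on Windows yields an identical ACE inside the SACL of the returned security descriptor.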