2.4.4.13 SYSTEM_MANDATORY_LABEL_ACE
The SYSTEM_MANDATORY_LABEL_ACE structure defines an ACE for the SACL that specifies the mandatory access level and policy for a securable object.<55>
| Bits 0-31 |
|---|
| Header |
| Mask |
| Sid (variable) |
| ... |
Header (4 bytes): An ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by child objects.
Mask (4 bytes): An ACCESS_MASK structure that specifies the access policy for principals with a mandatory integrity level lower than the object associated with the SACL that contains this ACE.
| Value | Meaning |
|---|---|
| SYSTEM_MANDATORY_LABEL_NO_WRITE_UP 0x00000001 | A principal with a lower mandatory level than the object cannot write to the object. |
| SYSTEM_MANDATORY_LABEL_NO_READ_UP 0x00000002 | A principal with a lower mandatory level than the object cannot read the object. |
| SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x00000004 | A principal with a lower mandatory level than the object cannot execute the object. |
Sid (variable): The SID of a trustee. The length of the SID MUST be a multiple of 4. The identifier authority of the SID must be SECURITY_MANDATORY_LABEL_AUTHORITY. The RID of the SID specifies the mandatory integrity level of the object associated with the SACL that contains this ACE. The RID must be one of the following values.
| Value | Meaning |
|---|---|
| 0x00000000 | Untrusted integrity level. |
| 0x00001000 | Low integrity level. |
| 0x00002000 | Medium integrity level. |
| 0x00003000 | High integrity level. |
| 0x00004000 | System integrity level. |
| 0x00005000 | Protected process integrity level. |
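The following parser is an added example, not part of the specification text: it decodes one SYSTEM_MANDATORY_LABEL_ACE from raw bytes and enforces the constraints stated above on the Mask and Sid fields. The function name is hypothetical; the ACE_HEADER layout (AceType, AceFlags, AceSize), the AceType value 0x11, the SID layout and the authority value 16 are assumptions taken from the ACE_HEADER and SID definitions elsewhere in the specification, not from this section.

```python
import struct

# Constants below that are not in this section are taken from the ACE_HEADER
# and SID definitions elsewhere in the specification.
SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11      # ACE_HEADER.AceType
SECURITY_MANDATORY_LABEL_AUTHORITY = 16     # identifier authority {0,0,0,0,0,16}
POLICY = {0x1: "NO_WRITE_UP", 0x2: "NO_READ_UP", 0x4: "NO_EXECUTE_UP"}
LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
          0x3000: "High", 0x4000: "System", 0x5000: "Protected process"}

def parse_mandatory_label_ace(buf: bytes) -> dict:
    """Decode one SYSTEM_MANDATORY_LABEL_ACE; raise ValueError if malformed."""
    if len(buf) < 16:  # Header (4) + Mask (4) + fixed part of Sid (8)
        raise ValueError("buffer too short for Header, Mask and Sid")
    ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, 0)
    if ace_type != SYSTEM_MANDATORY_LABEL_ACE_TYPE:
        raise ValueError(f"AceType {ace_type:#04x} is not a mandatory label ACE")
    if not 16 <= ace_size <= len(buf):
        raise ValueError("AceSize is inconsistent with the buffer")
    revision, count = buf[8], buf[9]
    authority = int.from_bytes(buf[10:16], "big")  # authority is big-endian
    sid_len = 8 + 4 * count                        # always a multiple of 4
    if revision != 1 or count < 1 or 8 + sid_len > ace_size:
        raise ValueError("malformed Sid")
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("Sid authority is not SECURITY_MANDATORY_LABEL_AUTHORITY")
    subs = struct.unpack_from(f"<{count}I", buf, 16)
    rid = subs[-1]                                 # the RID carries the level
    if rid not in LEVELS:                          # table treated as exhaustive
        raise ValueError(f"RID {rid:#010x} is not a listed integrity level")
    return {
        "ace_flags": ace_flags,
        "policy": [name for bit, name in POLICY.items() if mask & bit],
        "unknown_mask_bits": mask & ~0x7,
        "sid": "S-1-" + "-".join(str(v) for v in (authority, *subs)),
        "level": LEVELS[rid],
    }

# Constructed sample: Medium label (S-1-16-8192) with NO_WRITE_UP, AceSize 20.
SAMPLE = (struct.pack("<BBHI", 0x11, 0x00, 20, 0x00000001)
          + bytes([1, 1]) + (16).to_bytes(6, "big") + struct.pack("<I", 0x2000))

if __name__ == "__main__":
    print(parse_mandatory_label_ace(SAMPLE))
```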