다음을 통해 공유


2.4.4.13 SYSTEM_MANDATORY_LABEL_ACE

The SYSTEM_MANDATORY_LABEL_ACE structure defines an ACE for the SACL that specifies the mandatory access level and policy for a securable object.<55>


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Header

Mask

Sid (variable)

...

Header (4 bytes): An ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by child objects.

Mask (4 bytes): An ACCESS_MASK structure that specifies the access policy for principals with a mandatory integrity level lower than the object associated with the SACL that contains this ACE.

Value

Meaning

SYSTEM_MANDATORY_LABEL_NO_WRITE_UP

0x00000001

A principal with a lower mandatory level than the object cannot write to the object.

SYSTEM_MANDATORY_LABEL_NO_READ_UP

0x00000002

A principal with a lower mandatory level than the object cannot read the object.

SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP

0x00000004

A principal with a lower mandatory level than the object cannot execute the object.

Sid (variable): The SID of a trustee. The length of the SID MUST be a multiple of 4. The identifier authority of the SID must be SECURITY_MANDATORY_LABEL_AUTHORITY. The RID of the SID specifies the mandatory integrity level of the object associated with the SACL that contains this ACE. The RID must be one of the following values.

Value

Meaning

0x00000000

Untrusted integrity level.

0x00001000

Low integrity level.

0x00002000

Medium integrity level.

0x00003000

High integrity level.

0x00004000

System integrity level.

0x00005000

Protected process integrity level.