AddIntegrityLabelToBoundaryDescriptor function

Adds a new required security identifier (SID) to the specified boundary descriptor.

Syntax

BOOL AddIntegrityLabelToBoundaryDescriptor(
  HANDLE *BoundaryDescriptor,
  PSID   IntegrityLabel
);

Parameters

BoundaryDescriptor

A handle to the boundary descriptor. The CreateBoundaryDescriptor function returns this handle.

IntegrityLabel

A pointer to a SID structure that represents the mandatory integrity level for the namespace. Use one of the following RID values to create the SID:

SECURITY_MANDATORY_UNTRUSTED_RID SECURITY_MANDATORY_LOW_RID SECURITY_MANDATORY_MEDIUM_RID SECURITY_MANDATORY_SYSTEM_RID SECURITY_MANDATORY_PROTECTED_PROCESS_RID For more information, see Well-Known SIDs.

Return Value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

A process can create a private namespace only with an integrity level that is equal to or lower than the current integrity level of the process. Therefore, a high integrity-level process can create a high, medium or low integrity-level namespace. A medium integrity-level process can create only a medium or low integrity-level namespace.

A process would usually specify a namespace at the same integrity level as the process for protection against squatting attacks by lower integrity-level processes.

The security descriptor that the creator places on the namespace determines who can open the namespace. So a low or medium integrity-level process could be given permission to open a high integrity level namespace if the security descriptor of the namespace permits it.

To compile an application that uses this function, define _WIN32_WINNT as 0x0601 or later.

Requirements

   
Minimum supported client Windows 7 [desktop apps only]
Minimum supported server Windows Server 2008 R2 [desktop apps only]
Target Platform Windows
Header winbase.h (include Windows.h)
Library Kernel32.lib
DLL Kernel32.dll

See Also

CreateBoundaryDescriptor