KACS

A Security Identifier (SID) is a variable-length binary value that uniquely identifies a principal -- a user, group, service, machine, or well-known entity. SIDs are the fundamental identity primitive in KACS. They appear in tokens (as identity), in Security Descriptors (as access rules), and as references throughout the system.

§2.1.1 Binary format

A SID is encoded as a contiguous binary structure (MS-DTYP section 2.4.2):

The total size of a SID in bytes is 8 + (4 × SubAuthorityCount). The minimum size is 8 bytes (zero sub-authorities). The maximum size is 68 bytes (15 sub-authorities).

The last sub-authority in a SID is the Relative Identifier (RID) -- the portion that distinguishes individual principals within a domain.

§2.1.2 String format

SIDs are represented in string form as:

S-1-{authority}-{sub1}-{sub2}-...-{subN}

Where:

• S is a literal prefix.
• 1 is the revision number.
• {authority} is the IdentifierAuthority. If the upper 2 bytes are zero, this is the decimal representation of the lower 4 bytes. Otherwise, it is a hexadecimal representation prefixed with 0x.
• Each {subN} is the decimal representation of the corresponding 32-bit sub-authority.

§2.1.3 Comparison

Two SIDs are equal if and only if their binary representations are byte-for-byte identical. Comparison MUST be performed on the binary encoding, not the string form. There is no case sensitivity, normalization, or equivalence relation -- equality is exact binary match.

§2.1.4 SID_AND_ATTRIBUTES

Groups, restricted SIDs, device groups, and confinement capabilities are stored as SID_AND_ATTRIBUTES structures -- a SID paired with a 32-bit attributes field.

The following attribute flags are defined:

A group participates in allow-ACE matching only if SE_GROUP_ENABLED is set and SE_GROUP_USE_FOR_DENY_ONLY is not set. A group participates in deny-ACE matching if SE_GROUP_ENABLED is set OR SE_GROUP_USE_FOR_DENY_ONLY is set.

The following SIDs have fixed values and well-defined meanings. An implementation MUST recognize these SIDs and apply the semantics described in this specification wherever they are referenced.

§2.2.1 Universal authorities

§2.2.2 Creator authorities

§2.2.3 NT Authority (S-1-5)

§2.2.4 Logon SIDs

§2.2.5 BUILTIN domain (S-1-5-32)

§2.2.6 Domain SIDs (S-1-5-21)

Domain-specific SIDs follow the pattern S-1-5-21-{DA1}-{DA2}-{DA3}-{RID}, where the three domain authority sub-authorities identify the domain and the RID identifies the principal within that domain.

§2.2.7 Mandatory integrity labels (S-1-16)

Integrity levels form a strict total order: System > High > Medium > Low > Untrusted. MIC compares the caller's level against the object's label using this ordering.

§2.2.8 Process trust labels (S-1-19)

Trust labels encode two dimensions in the SID: the first sub-authority is the PIP type axis and the second is the trust axis (higher = more trusted). Dominance requires both dimensions to be greater than or equal.

KACS currently standardizes these PIP type values:

• 0 = None
• 512 = Protected
• 1024 = Isolated

These values are standardized labels, not a closed enum for AccessCheck. Other numeric type values remain valid and are compared numerically by the same dominance rule.

§2.2.9 Confinement SIDs (S-1-15)

§2.2.10 Capability SIDs (S-1-15-3)

Capability SIDs 4--7 (picturesLibrary, videosLibrary, musicLibrary, documentsLibrary) are reserved. Their SID values MUST NOT be redefined.

Derived capabilities use 8 sub-authorities computed from the SHA-256 hash of the capability name: S-1-15-3-{h0}-{h1}-{h2}-{h3}-{h4}-{h5}-{h6}-{h7}. The same name always produces the same SID.

§2.2.11 Service SIDs

Service SIDs follow the pattern SERVICE\{service_name} (e.g., SERVICE\jellyfin, SERVICE\loregd) and are added as a group in the service's token. The token's primary user SID is the account the service runs as (typically SYSTEM, LocalService, or NetworkService); the service SID enables per-service access control -- a file's DACL can grant access to SERVICE\jellyfin specifically, rather than to the broad account the service runs under.

The SID value is derived from the service name using a SHA-1 hash: the UTF-16LE encoding of the uppercased service name is hashed, and the 20-byte digest is split into five little-endian 32-bit sub-authorities: S-1-5-80-{h0}-{h1}-{h2}-{h3}-{h4}. The same service name always produces the same SID. This matches the Windows service SID derivation (MS-DTYP compatible).

A Security Descriptor (SD) defines the complete security policy for a protected object. Every protected object in Peios -- every file, registry key, IPC endpoint, service, token, and process -- MUST have exactly one Security Descriptor. An object MUST NOT carry multiple SDs; the SD is the single authoritative security policy for the object.

An SD has four components and a set of control flags:

• Owner SID — the principal that owns the object. The owner has implicit rights (READ_CONTROL and WRITE_DAC) unless suppressed by an OWNER RIGHTS ACE.

• Group SID — a primary group associated with the object. Stored and returned on query, used during CREATOR GROUP substitution during inheritance, but no access control decision depends on it directly.

• DACL (Discretionary Access Control List) — an ordered list of ACEs that define who is allowed or denied access. The object's owner controls the DACL (via WRITE_DAC).

• SACL (System Access Control List) — an ordered list of ACEs that define system-level policy. Despite the name, the SACL carries several distinct ACE types:

  • Audit ACEs — which access attempts to log.
  • Mandatory label ACE — the object's integrity level for MIC.
  • Resource attribute ACEs — name-value attributes for conditional ACE evaluation.
  • Scoped policy ID ACEs — references to central access policies.
  • Process trust label ACE — the object's PIP trust level.

  Modifying the SACL requires ACCESS_SYSTEM_SECURITY, which in turn requires SeSecurityPrivilege.

Both the DACL and SACL use the standard binary ACL format defined in the ACL Format section.

§3.1.1 Binary format

SDs use the self-relative binary format defined in MS-DTYP section 2.4.6. The format is a 20-byte header followed by the owner SID, group SID, SACL, and DACL at offsets specified in the header.

The self-relative format packs everything into a contiguous byte buffer with no pointers. This makes it suitable for storage (xattrs, database fields) and wire transmission (IPC, SMB).

KACS MUST use the self-relative format exclusively.

§3.1.2 Control flags

The SD's 16-bit Control field records metadata about the descriptor:

The architectural maximum SD size is 64 KB (constrained by the ACL header's 16-bit AclSize field).

The PROTECTED flags are operationally significant. Setting SE_DACL_PROTECTED prevents inheritance from parent objects -- the object keeps its current ACEs and stops accepting new inheritable ACEs from above.

§3.1.3 Null DACL vs empty DACL

The SE_DACL_PRESENT flag distinguishes two states with very different security consequences:

• Null DACL (SE_DACL_PRESENT not set) — no discretionary access control. AccessCheck grants all requested access to every caller. This SHOULD almost never be used.

• Empty DACL (SE_DACL_PRESENT set, zero ACEs) — AccessCheck grants no access to any caller (except the owner's implicit rights). An explicit statement that no principal has discretionary access.

Objects SHOULD always have a DACL. The SD creation algorithm ensures every new object receives one.

An Access Control List (ACL) is the binary container for ACEs. DACLs, SACLs, and CAAP policy ACL blobs all use the same standard binary ACL format.

§3.2.1 Binary format

An ACL begins with an 8-byte header followed by AceCount ACEs packed contiguously:

The ACE array begins immediately at offset 8. Each ACE is self-delimiting via its AceSize field. The parser walks the ACL by iterating exactly AceCount ACEs within the AclSize boundary.

§3.2.2 Parsing rules

• AclSize MUST be at least 8 bytes.
• AclSize MUST NOT exceed the containing buffer.
• The ACL body MUST contain exactly AceCount ACEs within the declared AclSize.
• Truncated ACEs, ACE overruns, or leftover bytes within AclSize are malformed.
• The architectural maximum ACL size is 64 KB because AclSize is a 16-bit field.

ACE structure, ACE-type definitions, and revision-versus-ACE-family rules are specified in the ACE Types section.

Every ACE carries an access mask -- a 32-bit integer where each bit represents a specific right. The same 32-bit layout is used in three contexts: the ACE's mask (what the rule grants or denies), the requested access (what the caller asks for), and the granted access (what AccessCheck returns).

§3.3.1 Bit layout

The 32 bits are divided into four regions:

§3.3.1.1 Object-specific rights (bits 0--15)

Defined by the object type. Different object types assign different meanings to these bits. A file uses bits for read, write, append, execute; a registry key uses bits for query value, set value, create subkey; a token uses bits for query, duplicate, impersonate. Each subsystem defines its own mapping.

§3.3.1.2 Standard rights (bits 16--20)

Common to all object types:

§3.3.1.3 Special rights (bits 24--25)

§3.3.1.4 Generic rights (bits 28--31)

Abstract rights mapped to object-specific rights before evaluation:

§3.3.1.5 Reserved bits

Bits 21--23 and 26--27 are reserved and MUST NOT be set in desired access masks or ACE masks. If encountered in stored ACEs, they are preserved during round-trip serialization but ignored during evaluation.

§3.3.2 Generic mapping

Generic rights exist because SDs need to be portable across object types. A central access policy might say "allow GENERIC_READ on all objects" -- and GENERIC_READ means different specific bits for files versus registry keys.

Each object type defines a GenericMapping table:

Generic mapping happens once, at request time. AccessCheck MUST map any generic bits in the desired mask to object-specific bits using the object type's GenericMapping table, then clear the generic bits. The DACL walk operates exclusively on specific and standard bits.

An Access Control Entry (ACE) is a single rule in an ACL. Each ACE has a header, an access mask, and a principal SID, with optional extensions for object-type and conditional ACEs.

§3.4.1 ACE header

Every ACE begins with a 4-byte header:

§3.4.2 ACE body layouts

The ACE header is followed by a type-specific body. Every multibyte integer in the body is little-endian.

§3.4.2.1 Single-SID ACE family

The following ACE types share the same binary layout:

• ACCESS_ALLOWED_ACE
• ACCESS_DENIED_ACE
• SYSTEM_AUDIT_ACE
• SYSTEM_ALARM_ACE
• SYSTEM_MANDATORY_LABEL_ACE
• SYSTEM_SCOPED_POLICY_ID_ACE
• SYSTEM_PROCESS_TRUST_LABEL_ACE

Layout:

Parsing rules:

• AceSize MUST be at least 16 bytes (header + mask + minimum SID).
• The SID MUST consume the remainder of the ACE exactly.

§3.4.2.2 Object ACE family

The following ACE types share the object-ACE binary layout:

• ACCESS_ALLOWED_OBJECT_ACE
• ACCESS_DENIED_OBJECT_ACE
• SYSTEM_AUDIT_OBJECT_ACE
• SYSTEM_ALARM_OBJECT_ACE

Layout:

Object ACE flags:

Parsing rules:

• AceSize MUST be large enough to contain the header, mask, flags, all GUIDs selected by Flags, and a complete SID.
• Unknown bits in Flags MUST be ignored.
• If neither GUID-presence bit is set, the ACE has no GUID fields and behaves like the corresponding basic ACE.
• GUID fields are opaque 16-byte values at this layer. Their interpretation is defined by the Object ACEs section.

§3.4.2.3 Callback ACE family

The following ACE types extend the corresponding non-callback ACE layout by appending ApplicationData at the end of the ACE:

• ACCESS_ALLOWED_CALLBACK_ACE
• ACCESS_DENIED_CALLBACK_ACE
• SYSTEM_AUDIT_CALLBACK_ACE
• SYSTEM_ALARM_CALLBACK_ACE
• ACCESS_ALLOWED_CALLBACK_OBJECT_ACE
• ACCESS_DENIED_CALLBACK_OBJECT_ACE
• SYSTEM_AUDIT_CALLBACK_OBJECT_ACE
• SYSTEM_ALARM_CALLBACK_OBJECT_ACE

For non-object callback ACEs, the body layout is:

For callback object ACEs, the body layout is:

Parsing rules:

• The SID begins after the fixed fields and any optional GUIDs, exactly as in the corresponding non-callback ACE family.
• ApplicationData MAY be empty. Semantics for empty or malformed callback payloads are defined by the relevant subsystem.
• For conditional ACEs, ApplicationData carries the conditional expression bytecode defined in the Conditional ACE Bytecode Reference.

§3.4.2.4 Resource attribute ACE

SYSTEM_RESOURCE_ATTRIBUTE_ACE uses the single-SID ACE prefix followed by trailing application data:

Parsing rules:

• The SID MUST be Everyone.
• ApplicationData MUST contain exactly one claim entry using the Claim Attribute Format section.

§3.4.3 DACL ACE types

§3.4.3.1 Basic ACEs

§3.4.3.2 Object-type ACEs

Extend basic ACEs with one or two GUIDs that scope the rule to a specific property or object class. Used for Active Directory access control.

The ObjectType GUID identifies the property or property set the ACE applies to. The InheritedObjectType GUID restricts inheritance to child objects of a specific class. Either or both GUIDs MAY be absent (indicated by a flags field), in which case the ACE behaves like a basic ACE for that dimension.

§3.4.3.3 Conditional ACEs

Extend basic and object-type ACEs with a conditional expression. The ACE only takes effect if the expression evaluates to TRUE against the caller's token attributes and the object's resource attributes.

§3.4.4 SACL ACE types

§3.4.4.1 Audit ACEs

Trigger audit log entries when matching access attempts occur. The AceFlags field carries SUCCESSFUL_ACCESS_ACE_FLAG (0x40) and/or FAILED_ACCESS_ACE_FLAG (0x80).

§3.4.4.2 Alarm ACEs (continuous auditing)

§3.4.4.3 Mandatory label ACE

Defines the object's integrity level for MIC. At most one per SACL. The SID encodes the integrity level. The access mask encodes the MIC policy (which operations are blocked for non-dominant callers).

§3.4.4.4 Resource attribute ACE

Attaches name-value attributes to the object for conditional ACE evaluation. The ACE's SID is always Everyone (S-1-1-0).

§3.4.4.5 Scoped policy ID ACE

References a central access policy by SID. During AccessCheck, the referenced policy's rules are evaluated in addition to the object's own DACL.

§3.4.4.6 Process trust label ACE

Defines the object's PIP trust level. The SID encodes the PIP type and trust level. The access mask specifies the exact rights that non-dominant callers are allowed.

§3.4.5 Reserved ACE type

§3.4.6 ACL revision

ACLs carry a revision number that constrains which ACE types MAY appear:

• ACL_REVISION (0x02) — basic ACE types (0x00, 0x01, 0x02, 0x03), mandatory label (0x11), resource attribute (0x12), scoped policy (0x13), and process trust label (0x14).
• ACL_REVISION_DS (0x04) — additionally permits object-type ACEs (0x05--0x08), callback ACEs (0x09--0x0C, 0x0D--0x10). Required for Active Directory access control.

When creating new ACLs, the revision MUST be set to the minimum required by the ACE types present. When parsing ACLs, KACS MUST NOT reject an ACL based on revision-vs-ACE-type mismatch — accept permissively, write correctly.

Unrecognized ACE types (not listed above) MUST be silently skipped during evaluation and preserved byte-for-byte during round-trip serialization. The ACE's raw bytes (from AceType through AceType + AceSize) are stored opaquely and written back unchanged. ACEs with AceSize not a multiple of 4 MUST be rejected (the containing ACL is malformed).

The order of ACEs in a DACL determines the outcome of AccessCheck. AccessCheck walks the DACL from first ACE to last, and the first-writer-wins principle means each bit is decided at most once. ACE ordering is semantically load-bearing.

§3.5.1 Canonical ordering

Tools that author SDs SHOULD produce canonically-ordered DACLs. KACS MUST NOT reject non-canonical DACLs -- it evaluates whatever order it receives -- but non-canonical ordering can produce results that contradict administrative intent.

The canonical order is:

1. Explicit deny ACEs — deny rules placed directly on this object (not inherited).
2. Explicit allow ACEs — allow rules placed directly on this object.
3. Inherited deny ACEs — deny rules inherited from parent objects (nearest parent first).
4. Inherited allow ACEs — allow rules inherited from parent objects.

Within each category, object-type ACEs (those scoped to a specific property GUID) SHOULD be ordered after whole-object ACEs.

This ordering guarantees: explicit rules override inherited rules, denials override allows at the same level, and whole-object rules override property-scoped rules.

§3.5.2 SACL ordering

SACLs do not have a canonical ordering requirement. Audit ACEs are evaluated independently (each matching ACE generates its own audit event). The mandatory label ACE, resource attribute ACEs, and scoped policy ID ACEs are located by type scan, not by position.

Security Descriptors propagate structurally. When a file is created in a directory, the directory's inheritable ACEs flow down to the new file's SD. This automatic propagation is inheritance.

Inheritance applies to objects with a container/child relationship: directories contain files and subdirectories, registry keys contain subkeys and values. Objects without a container parent (standalone IPC endpoints, tokens, processes) do not inherit.

§3.6.1 Inheritance flags

Four flags in the ACE header's AceFlags field control propagation:

A fifth flag records provenance:

§3.6.2 Common flag combinations

§3.6.3 CREATOR OWNER and CREATOR GROUP

Two well-known SIDs receive special treatment during inheritance:

• CREATOR OWNER (S-1-3-0) — when an ACE with this SID is inherited by a child object, the SID is replaced with the owner SID of the new object (as determined by the owner computation above).

• CREATOR GROUP (S-1-3-1) — replaced with the primary group SID of the creating principal.

Substitution happens at inheritance time. The resulting ACE on the child contains the resolved SID, not the placeholder.

§3.6.4 InheritedObjectType filtering

Object ACEs (ACCESS_ALLOWED_OBJECT_ACE, ACCESS_DENIED_OBJECT_ACE, etc.) MAY carry an InheritedObjectType GUID. This GUID scopes inheritance to children of a specific class.

The inheritance algorithm accepts an optional child_class_guid parameter — the class GUID of the object being created. When processing each inheritable ACE from the parent:

• If the ACE is an object ACE with an InheritedObjectType GUID set, AND child_class_guid is provided, AND the two GUIDs do not match: skip the ACE (do not inherit it).
• If the ACE has no InheritedObjectType GUID, or child_class_guid is null: inherit normally.

When child_class_guid is null (the common case for files and registry keys), InheritedObjectType filtering does not engage — all inheritable ACEs propagate as if the GUID were absent.

§3.6.5 Inheritance algorithm

When a new object is created, its SD is computed from up to four sources:

1. Parent SD — provides inheritable ACEs.
2. Creator SD — an explicit SD provided by the caller (if any).
3. Creator token — provides the default owner, primary group, and default DACL.
4. Child class GUID — optional. Filters inheritable object ACEs by InheritedObjectType. Null for files and unclassed registry keys.

§3.6.5.1 Owner

If the creator SD specifies an owner, use it. Otherwise, use the token's owner SID.

§3.6.5.2 Group

If the creator SD specifies a group, use it. Otherwise, use the token's primary group SID.

§3.6.5.3 DACL

The DACL is computed by merging explicit ACEs from the creator SD with inheritable ACEs from the parent SD:

• If no creator SD is supplied and the parent has inheritable ACEs: the new object's DACL consists entirely of inherited ACEs from the parent.

• If no creator SD is supplied and the parent has no inheritable ACEs: the new object's DACL is the token's default DACL.

• If a creator SD is supplied but has no DACL (SE_DACL_PRESENT not set): the new object's DACL is computed as if no creator SD was supplied (inherit from parent, or fall back to the token's default DACL).

• If a creator SD is supplied with a DACL (SE_DACL_PRESENT set):

  • Explicit ACEs from the creator SD are preserved.
  • If the creator SD's DACL is not protected (SE_DACL_PROTECTED not set) and SE_DACL_AUTO_INHERIT_REQ is set on the creator SD: inheritable ACEs from the parent are appended after the explicit ACEs. If SE_DACL_AUTO_INHERIT_REQ is not set, only the creator's explicit ACEs are used (no parent inheritance).
  • If the creator SD's DACL is protected: parent inheritance is blocked. Only the creator's explicit ACEs are used.

In all cases, the resulting DACL is post-processed:

• If the DACL contains any inherited ACEs, set SE_DACL_AUTO_INHERITED on the new SD's control flags. If the DACL contains only explicit ACEs (no parent inheritance occurred), do not set this flag. The same applies to SE_SACL_AUTO_INHERITED for the SACL. These flags allow tools to distinguish auto-inherited DACLs from manually constructed ones.
• CREATOR OWNER / CREATOR GROUP SIDs are substituted with the actual owner and group. This substitution applies only to the ACE's primary SID field — NOT to SID literals inside ApplicationData (conditional expression bytecode). ApplicationData is preserved verbatim during inheritance. No transformation of any kind (SID substitution, generic mapping, offset adjustment) is applied to the bytecode. An implementation MUST NOT scan ApplicationData for CREATOR OWNER SIDs.
• Generic rights in all ACEs (both explicit and inherited) are mapped to object-specific rights via the object type's GenericMapping in the ACE's access mask. Generic rights inside ApplicationData bytecode are NOT mapped. This ensures no unresolved generic bits persist on stored ACE masks.
• The INHERITED_ACE flag is set on all ACEs that came from the parent.

§3.6.5.4 SE_SERVER_SECURITY — server ACE injection

When the creator SD has SE_SERVER_SECURITY set, the inheritance algorithm appends additional ACEs to ensure the server's own identity retains access to objects it creates on behalf of impersonating clients.

After computing the normal DACL (explicit + inherited ACEs), the algorithm:

1. Reads the caller's primary token (real_cred, not the impersonation token). This is the server's real identity — it is unaffected by impersonation.
2. Reads the primary token's default_dacl.
3. Appends each ACE from the server's default DACL to the new object's DACL. These server ACEs are placed after inherited ACEs. They do NOT have the INHERITED_ACE flag set (they are explicit grants from the server).
4. Generic rights in the server ACEs are mapped via the object type's GenericMapping.

If the caller is not impersonating, the primary token and effective token are the same. SE_SERVER_SECURITY still functions — the server ACEs are appended from the caller's own default DACL. This is harmless (the owner already has implicit rights) but not useful.

The intended use case: a file server (Samba) impersonates a client to create a file. The file's DACL is built from the client's perspective (parent inheritance, client as owner). SE_SERVER_SECURITY ensures the Samba service identity also appears in the DACL, so the service can access the file for future operations without relying on Administrator membership or carefully configured share directory ACLs.

§3.6.5.5 SACL

Computed identically to the DACL, substituting SACL for DACL throughout. The token has no "default SACL" — if no creator SACL is supplied and the parent has no inheritable SACL ACEs, the new object has no SACL. SE_SERVER_SECURITY does not apply to the SACL.

Resource attribute inheritance filtering. When a SYSTEM_RESOURCE_ATTRIBUTE_ACE from the parent is being inherited, the algorithm MUST check the CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE flag (0x0001) on the resource attribute inside the ACE. If the flag is set, the ACE is skipped — it does not propagate to the child. All other inheritable SACL ACEs (audit, mandatory label, scoped policy, resource attributes without NON_INHERITABLE) inherit normally.

§3.6.6 Size limit

If the computed SD (after merging explicit, inherited, and server ACEs) exceeds 64 KB when serialized to self-relative format, the creation MUST fail. The 64 KB limit is the maximum SD size — inheritance does not get an exception. A deeply nested directory tree with many inheritable ACEs can approach this limit.

§3.6.7 Eager evaluation

Inheritance is eager. The new object's SD is fully computed at creation time. There is no lazy inheritance — the kernel MUST NOT walk up the directory tree at access time to find inheritable ACEs.

A consequence of eager evaluation: modifying an inheritable ACE on a parent object does not automatically update existing children. Existing children retain the SD they were created with. Propagating the change to descendants is an explicit operation outside the scope of this specification. Children with SE_DACL_PROTECTED or SE_SACL_PROTECTED set MUST be skipped during any re-propagation.

Every SD has an owner. Ownership confers two implicit rights that AccessCheck grants regardless of what the DACL says:

• READ_CONTROL — the owner can always read the object's SD.
• WRITE_DAC — the owner can always modify the object's DACL.

These implicit grants are the "you can't lock yourself out" guarantee. Even if the DACL grants the owner nothing, the owner can read and rewrite the DACL to restore access.

Ownership is determined by SID equality against the caller's user SID or token group SIDs. Deny-only flags affect ACE matching, but they do not change the ownership relation itself.

§3.7.1 OWNER RIGHTS (S-1-3-4)

The implicit READ_CONTROL and WRITE_DAC grants MAY be suppressed or modified by including an ACE for the OWNER RIGHTS SID (S-1-3-4) in the DACL.

When AccessCheck detects any non-inherit-only access-control ACE targeting the OWNER RIGHTS SID in the DACL (via a pre-scan before the DACL walk), the implicit grant is suppressed. The owner's access then comes entirely from the DACL walk -- through ACEs matching their user SID, group SIDs, and any ACEs targeting S-1-3-4.

This enables three patterns:

• Suppress owner rights — a deny ACE for S-1-3-4 with READ_CONTROL | WRITE_DAC.
• Expand owner rights — an allow ACE for S-1-3-4 with additional rights beyond the default.
• Restrict owner rights — an allow ACE for S-1-3-4 with only READ_CONTROL (no WRITE_DAC).

The OWNER RIGHTS pre-scan checks only for the presence of any non-inherit-only access-control ACE targeting the OWNER RIGHTS SID in the DACL, not whether any condition on the ACE evaluates to TRUE. A conditional ACE targeting OWNER RIGHTS suppresses the implicit grant even if the condition later evaluates to FALSE.

During the DACL walk, S-1-3-4 is treated as a normal SID. If the caller is the owner, ACEs targeting S-1-3-4 match the caller. The suppression only removes the automatic implicit grant; it does not isolate the owner from the rest of the DACL.

SeTakeOwnershipPrivilege interaction. OWNER_RIGHTS deny ACEs cannot block SeTakeOwnershipPrivilege. If an OWNER_RIGHTS ACE denies WRITE_OWNER, the DACL walk marks WRITE_OWNER as decided-but-not-granted. The post-DACL SeTakeOwnershipPrivilege override (algorithm step 10) fires when WRITE_OWNER is not granted and was not blocked by a mandatory mechanism (MIC or PIP). DACL denials — including OWNER_RIGHTS denials — are not mandatory decisions, so the privilege overrides them. Only MIC no-write-up or PIP non-dominance can prevent SeTakeOwnershipPrivilege from granting WRITE_OWNER.

§3.7.2 Ownership transfer

Changing an object's owner requires WRITE_OWNER on the object. Without SeTakeOwnershipPrivilege, the new owner MUST be the caller's own SID or a group on the caller's token with SE_GROUP_OWNER (defined in the SID format section, flag value 0x00000008). SE_GROUP_ENABLED is NOT required — a deny-only group with SE_GROUP_OWNER can be set as the owner.

SeTakeOwnershipPrivilege grants WRITE_OWNER on any object regardless of the DACL (deny-proof, but subject to MIC/PIP). SeRestorePrivilege bypasses the ownership SID constraint entirely — the kacs_set_sd syscall checks for SeRestorePrivilege and, when present, skips the "own SID or SE_GROUP_OWNER group" validation, allowing the caller to set ownership to any arbitrary SID.

Standard ACEs match on SID alone. Conditional ACEs add a boolean expression that MUST also evaluate to TRUE for the rule to take effect. This enables attribute-based access control (ABAC).

A conditional ACE is structurally identical to its non-conditional counterpart with a conditional expression appended after the SID. The expression is stored in a binary format defined by MS-DTYP section 2.4.4.17.

§3.8.1 Three-valued evaluation

Conditional expressions produce one of three results:

• TRUE — the condition is satisfied.
• FALSE — the condition is not satisfied.
• UNKNOWN — the condition could not be determined (missing attribute, type mismatch, malformed expression).

How the result affects the ACE depends on the ACE type:

This asymmetry is the fail-safe principle: uncertainty about whether to grant results in no grant; uncertainty about whether to deny results in denial.

§3.8.2 Expression language

The expression supports:

• Relational operators: ==, !=, <, <=, >, >=
• Set operators: Contains, Any_of, Not_Contains, Not_Any_of
• Membership operators: Member_of, Member_of_Any, Not_Member_of, Not_Member_of_Any, Device_Member_of, Device_Member_of_Any, Not_Device_Member_of, Not_Device_Member_of_Any
• Logical operators: AND, OR, NOT
• Existence tests: Exists, Not_Exists
• Literal values: integers, strings, SIDs, octet strings, composites

§3.8.3 Three-valued logic

NOT: TRUE↔FALSE; UNKNOWN→UNKNOWN.

Boolean coercion for logical operands: integer nonzero → TRUE, zero → FALSE. String non-empty → TRUE, empty → FALSE. NULL → UNKNOWN. SID, octet, composite → UNKNOWN. Literal-origin values (values pushed directly from the bytecode, not obtained via attribute lookup) used as operands in AND/OR/NOT → UNKNOWN for the entire expression.

§3.8.4 Attribute sources

Four attribute namespaces exist, resolved via bytecode opcodes:

Attribute names are matched case-insensitively. @User.Clearance, @User.clearance, and @User.CLEARANCE all resolve the same attribute.

§3.8.5 Claim flags

Claim flags apply to token claims (@User., @Device.) and resource attributes (@Resource.). @Local. claims also carry flags.

• DISABLED (0x0010) — the attribute is invisible to all conditions. Resolves as absent.
• USE_FOR_DENY_ONLY (0x0004) — the attribute participates only in deny ACE conditions. For allow ACE conditions, it resolves as absent.

Empty attributes (zero values) are normalized to absent (NULL) at resolution time (when the expression evaluator reads the attribute value during AccessCheck).

Comparisons involving absent attributes evaluate to UNKNOWN. This includes comparing two absent attributes with == or !=: @User.Missing == @Device.AlsoMissing is UNKNOWN, not TRUE.

§3.8.6 SID matching in expressions

The Member_of family evaluates group membership on the token. These operators are polarity-aware: deny-only groups do not satisfy allow-ACE conditions.

An empty SID operand set uses normal set semantics: Member_of({}) and Device_Member_of({}) return TRUE, while Member_of_Any({}) and Device_Member_of_Any({}) return FALSE. The Not_* forms are the logical inverse of those results.

§3.8.7 Binary format

Conditional expressions are encoded as a stack-based bytecode program in reverse Polish notation. The binary format is defined by MS-DTYP section 2.4.4.17.4 and MUST be byte-compatible.

The expression bytecode begins with a 4-byte magic: 0x61 0x72 0x74 0x78 ("artx"). If the magic is absent or the expression is shorter than 4 bytes, evaluation MUST return UNKNOWN.

Evaluation succeeds only if the final stack contains exactly one tri-state result. If evaluation ends with zero entries, more than one entry, or a raw non-boolean value still on the stack, the expression MUST evaluate to UNKNOWN.

The full operator bytecodes and literal encodings are specified in the Conditional ACE Bytecode Reference section. KACS implementations MUST be byte-compatible with MS-DTYP section 2.4.4.17.4.

§3.8.8 Limits

Implementations SHOULD enforce a maximum evaluation stack depth (recommended: 1024) and SHOULD return UNKNOWN for expressions that exceed it. Any bounds violation during parsing (reading beyond the expression buffer, underflowing the stack, integer overflow) MUST return UNKNOWN.

KACS v0.20 uses a Windows-compatible CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 entry format for:

• resource attributes in SYSTEM_RESOURCE_ATTRIBUTE_ACE
• token user_claims
• token device_claims
• local_claims passed to AccessCheck

The claim entry format itself is shared across all four surfaces. When multiple entries are carried in one buffer (token claims or local_claims), KACS wraps the Windows-compatible entry format in a simple length-prefixed sequence so the buffer can be parsed deterministically without external metadata.

§3.9.1 Supported types

KACS v0.20 supports these claim value types:

FQBN (0x0004) is reserved and not supported in KACS v0.20. Any unsupported claim type makes the containing claim entry invalid.

§3.9.2 Entry layout

All multibyte integers are little-endian. All offsets are relative to the start of the claim entry.

Claim flags use the same meanings everywhere this format appears:

Unknown flag bits are preserved but have no defined semantics.

§3.9.3 Value encodings

§3.9.3.1 INT64 / UINT64 / BOOLEAN

For INT64, UINT64, and BOOLEAN, each ValueOffsets[i] points directly to an 8-byte scalar:

• INT64: signed 64-bit integer
• UINT64: unsigned 64-bit integer
• BOOLEAN: unsigned 64-bit integer, normalized at resolution time:
  • 0 = false
  • any non-zero value = true

§3.9.3.2 STRING

For STRING, each ValueOffsets[i] points to a 4-byte u32 named StringOffset. StringOffset then points to the actual UTF-16LE null-terminated string.

Strings are stored without a separate length field. The terminating UTF-16 null (0x0000) MUST appear within the containing claim entry.

§3.9.3.3 SID

For SID, each ValueOffsets[i] points to a 4-byte u32 named SidOffset. SidOffset then points to a binary SID in the standard SID wire format.

§3.9.3.4 OCTET

For OCTET, each ValueOffsets[i] points to a 4-byte u32 named OctetOffset. OctetOffset then points to:

§3.9.4 Single-entry containers

SYSTEM_RESOURCE_ATTRIBUTE_ACE.ApplicationData contains exactly one claim entry and consumes the remainder of the ACE.

§3.9.5 Multi-entry containers

Token claim buffers (user_claims, device_claims) and local_claims use a KACS claim-array wrapper:

repeat until buffer exhausted:
  [entry_len:u32le]
  [entry_bytes: entry_len bytes]

Rules:

• entry_len MUST be non-zero.
• entry_len MUST fit entirely within the containing buffer.
• entry_bytes is one complete claim entry using the layout above.
• The parser consumes entries sequentially until the containing buffer length is exhausted exactly.

§3.9.6 Validation rules

• The fixed header and ValueOffsets[] array MUST fit within the entry.
• Every offset and nested offset MUST remain within the entry bounds.
• Every string name and string value MUST terminate within the entry.
• Every referenced SID MUST be structurally valid.
• A malformed claim entry invalidates the containing surface:
  • malformed resource attribute ACE payload -> malformed SD for AccessCheck
  • malformed token claim buffer -> invalid token spec
  • malformed local_claims buffer -> invalid AccessCheck input

ValueCount = 0 is valid. Empty attributes normalize to absent at resolution time, as defined in the Conditional ACEs section.

A Security Descriptor MAY carry metadata about the object it protects -- descriptive properties rather than access rules. These are resource attributes: name-value pairs stored as SYSTEM_RESOURCE_ATTRIBUTE_ACEs in the SACL.

Resource attributes do not grant or deny access. They exist so that conditional ACEs in the DACL can reference properties of the object during evaluation. A conditional allow ACE might say "grant read access if @User.clearance >= @Resource.confidentiality."

Each resource attribute ACE encodes a single named, typed, multi-valued attribute. The name is a string. Values MAY be integers, strings, booleans, SIDs, or byte arrays. The attribute data uses the claim entry format defined in the Claim Attribute Format section.

Multiple resource attribute ACEs MAY appear in the same SACL, each carrying a different attribute. If two ACEs carry the same attribute name, the first one wins — duplicates are silently ignored. Name comparison is case-insensitive, matching the conditional expression evaluator's attribute name matching.

An inherit-only SYSTEM_RESOURCE_ATTRIBUTE_ACE does not apply to the object it is attached to and MUST be ignored during resource-attribute extraction.

Resource attributes are extracted from the SACL before the DACL walk begins, so they are available when conditional expressions need them.

§3.10.1 Claim types

Boolean values MUST be normalized to 1 (true) or 0 (false) at resolution time (when the conditional expression evaluator reads the attribute value), regardless of the wire encoding.

This section specifies the binary encoding for conditional ACE expressions. The format is byte-compatible with MS-DTYP section 2.4.4.17.4. Conditional expressions are stored in the ApplicationData member of CALLBACK ACE types, encoded in postfix (reverse Polish) notation.

§3.11.1 Magic signature

A CALLBACK ACE contains a conditional expression if the ApplicationData begins with 0x61 0x72 0x74 0x78 (the string "artx"). If the signature is absent or the expression is shorter than 4 bytes, evaluation MUST return UNKNOWN.

§3.11.2 Token formats

Each token begins with a single byte-code identifying the token type. All multibyte integers, including Unicode characters, are stored least-significant byte first (little-endian). Expressions end at the ACE boundary; any bytes needed for DWORD alignment MUST be set to 0x00.

§3.11.3 Literal tokens

§3.11.3.1 Sign codes

Integer literals include a sign byte after the QWORD value:

§3.11.3.2 Base codes

Integer literals include a base byte after the sign byte. The base is for display purposes only — the value is always stored as binary 2's complement regardless of base:

§3.11.3.3 Integer encoding example

The decimal value -1 encoded as a signed int64:

0x04 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x02 0x02
 ^    ^-------- QWORD (2's complement) --------^  ^    ^
 |                                                 |    base=decimal
 byte-code=int64                                   sign=negative

§3.11.4 Relational operator tokens

§3.11.4.1 Binary relational operators

LHS is the second element on the stack, RHS is the top. If LHS and RHS are different types, the entire conditional expression evaluates to UNKNOWN — with the exception of INT64 and UINT64 which are promoted for comparison (see the Conditional ACEs section for promotion rules). If either operand is UNKNOWN, the operation returns UNKNOWN.

String and octet string comparisons are byte-by-byte, case-insensitive by default. If the CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE flag (0x0002) is set on either operand's attribute, comparison is case-sensitive.

§3.11.4.2 Unary relational operators (SID membership)

The operand is the top of the stack and MUST be a SID literal or a composite of SID literals.

For an empty SID operand set:

• Member_of({}) and Device_Member_of({}) return TRUE (vacuous truth).
• Member_of_Any({}) and Device_Member_of_Any({}) return FALSE.
• The Not_* forms are the logical inverse of those results.

§3.11.5 Logical operator tokens

Logical operators test the logical value of operands and produce TRUE, FALSE, or UNKNOWN. The logical value of an operand is determined by:

• Literal-origin value → error (entire expression returns UNKNOWN)
• Attribute with null value → UNKNOWN
• Attribute with integer value → TRUE if nonzero, FALSE if zero
• Attribute with string value → TRUE if non-empty, FALSE if empty
• Result value → the result's tri-state value

§3.11.5.1 Unary logical operators

§3.11.5.2 Binary logical operators

LHS is the second element on the stack, RHS is the top.

§3.11.6 Attribute reference tokens

Attribute names are encoded as Unicode strings (same format as the 0x10 literal: DWORD length + UTF-16LE code units). The byte-code determines which namespace to look up the attribute in.

Attribute lookup is case-insensitive: the encoded name is matched against the namespace's attribute names without regard to case.

§3.11.7 Complete byte-code summary

For quick reference, all byte-codes in numeric order:

Security Descriptors MUST be stored alongside the objects they protect. The storage mechanism depends on the object type.

§3.12.1 Files and directories

SDs are stored as filesystem extended attributes (xattrs) in the self-relative binary format. The canonical xattr name is security.peios.sd. On NTFS volumes, KACS uses system.ntfs_security (the ntfs3 driver's native SD xattr) so that SDs round-trip between Peios and other operating systems.

The underlying filesystem MUST support extended attributes of at least 64 KB per value. The architectural maximum SD size is 64 KB (the ACL header's AclSize field is a 16-bit integer).

§3.12.2 Registry keys

SDs are stored by loregd alongside the key data. The format is the same self-relative binary blob. Access control is enforced by loregd impersonating the client and calling AccessCheck via the KACS syscall.

§3.12.3 Kernel objects

Tokens, processes, and logon sessions store SDs inline on the kernel object. These SDs are typically small (a few ACEs) and are set at object creation time.

§3.12.4 IPC endpoints

SDs are stored by the service that owns the endpoint. Pathname sockets use the socket file's inode SD. Abstract sockets store the SD on the socket's LSM security blob, set at bind() time from the binding thread's effective token.

A token is a kernel object representing a thread's identity and security policy. Every thread in Peios MUST have an associated token. There are no NULL tokens.

A token carries: the user's identity (SID), group memberships, privileges, integrity level, impersonation state, claims, confinement settings, and metadata. All KACS-mediated access control decisions evaluate the thread's effective token.

§4.1.1 Credential relationship

Tokens exist as independently allocated, reference-counted kernel objects. The Linux credential structure (struct cred) holds a pointer to the token in its LSM security blob — not the token data itself.

This separation is architecturally significant. Linux credentials are immutable once committed — after commit_creds(), a struct cred cannot be modified. If token data were embedded in the credential, every token mutation (toggling a privilege, adjusting groups) would require allocating a new credential. By keeping the token as an independent object behind a pointer, token-internal mutations use the token's own synchronization and do not require credential reallocation.

Within a process, multiple thread credentials MAY reference the same token object (via real_cred). Mutations to a shared token (privilege enable/disable, group adjustment) are visible to all threads sharing that token. At fork, the child MUST receive an independent deep copy of the parent's token — mutations after fork are invisible across the process boundary.

§4.1.2 Primary and impersonation tokens

The credential carries two roles via the real_cred/cred split on task_struct:

• real_cred — the task's objective identity. Used when other tasks evaluate access to this task. Its LSM blob holds a pointer to the primary token: the process's baseline identity, inherited from the parent on fork.

• cred — the task's subjective identity. Used when this task evaluates access to other objects. Its LSM blob holds a pointer to the effective token: either the primary token (the common case) or an impersonation token installed by a server thread acting on behalf of a client.

In the common case (no impersonation), real_cred and cred point to the same struct cred, and both resolve to the same token object. Impersonation swaps cred to a new credential whose LSM blob points to a different token. Reverting restores cred to real_cred.

§4.1.3 Evaluation context

Token evaluation — AccessCheck, privilege checks — MUST only occur when a userspace thread is executing synchronously in the kernel on its own behalf. The token is accessed via current->cred, which is only valid in this context.

Kernel threads, workqueues, writeback daemons, io_uring workers, and other asynchronous contexts MUST NOT evaluate tokens from current->cred directly. Authorization is evaluated once at the synchronous boundary (e.g., file open), and the result is cached on the object handle (e.g., the granted mask on a file descriptor). Subsequent operations check the cached result.

If a kernel context runs under credentials captured via override_creds() (e.g., io_uring, which captures the submitter's credential at submission time), the token pointer in the credential's LSM blob travels with it and MAY be evaluated.

LSM hooks that detect they are running without a meaningful user context (PF_KTHREAD without override, interrupt context) MUST deny rather than evaluate a meaningless identity.

A token carries identity, policy, and metadata fields. Fields are organized by concern and annotated with mutability:

• Fixed — set at creation, never changes. The security-critical identity fields fall into this category.
• Adjustable — may be modified at runtime via the adjustment operations defined in this specification.
• One-way — can be set or tightened but never cleared or loosened.

§4.2.1 Identity core (fixed)

The set of group SIDs on a token is fixed at creation — AdjustGroups MUST NOT add or remove SIDs. However, individual groups MAY be enabled or disabled by modifying SE_GROUP_ENABLED, subject to constraints: mandatory groups (SE_GROUP_MANDATORY) MUST NOT be disabled, and deny-only groups (SE_GROUP_USE_FOR_DENY_ONLY) MUST NOT be re-enabled.

§4.2.2 Token type (fixed)

§4.2.3 Integrity (fixed)

The mandatory_policy field is immutable. A process MUST NOT change its MIC constraints at runtime (neither loosen nor tighten).

§4.2.4 Privileges (adjustable)

A token MUST carry a set of privileges. Each privilege MUST have four independent states:

• Present — the privilege exists on the token. A present privilege MAY be removed (permanent), but a privilege MUST NOT be added after creation.
• Enabled — the privilege is currently active. Only present privileges MAY be enabled or disabled.
• Enabled by default — the creation-time enabled state. AdjustPrivileges MAY restore all privileges to this state.
• Used — the privilege has been exercised during this token's lifetime. Monotonic — once set, MUST NOT be cleared.

A privilege's lifecycle on a token: present and disabled → enabled → used → optionally disabled → optionally permanently removed. Removal clears the privilege from the present, enabled, and enabled-by-default states.

§4.2.5 Elevation (one-way)

Linked token pairs are associated at the session level, not stored on individual tokens. See the Linked Tokens and Elevation section for the pairing mechanism.

§4.2.6 Default object security (adjustable)

§4.2.7 Metadata (fixed)

§4.2.8 Mutation tracking (adjustable)

§4.2.9 Session (adjustable)

§4.2.10 Claims and security attributes (fixed)

§4.2.11 Device identity (fixed)

§4.2.12 Confinement (fixed)

§4.2.13 Audit (adjustable)

Audit policy flags:

Follows impersonation: if service A impersonates client B and client B's token has auditing enabled for a category, operations during impersonation are audited under client B's identity. Default value at creation: 0 (no per-token audit overrides).

§4.2.14 Credential projection (fixed)

Computed by authd at token creation time, stored on the token. KACS MUST NOT resolve SID-to-UID mappings at runtime. Projection reflects all groups regardless of enabled/disabled state — AdjustGroups MUST NOT trigger projection recalculation.

§4.2.15 Token security (adjustable)

§4.2.16 Internal

§4.3.1 Fork and clone

All process and thread creation paths go through clone(). KACS branches on the CLONE_THREAD flag.

§4.3.1.1 Clone without CLONE_THREAD (fork, vfork)

New process. The child MUST receive an independent deep copy of the parent's primary token. If the parent is impersonating, the impersonation token MUST NOT be inherited — the child's effective credential is set from real_cred.

After fork, mutations to either token (parent or child) are invisible to the other.

§4.3.1.2 Clone with CLONE_THREAD

New thread. Threads share the parent's real_cred (reference-counted), and therefore share the same primary token object. Privilege adjustments on the primary token are visible to all threads. Each thread maintains independent impersonation state via its own cred.

§4.3.1.3 Exec

The primary token survives execve() unchanged, with one exception: the NEW_PROCESS_MIN mechanism (below).

If the calling thread is impersonating, impersonation MUST be reverted before the new program runs. The new program always starts with the primary token as its effective identity.

Token assignment for services happens between fork and exec: peinit forks, installs the service's token on the child, then the child execs the service binary.

§4.3.1.4 NEW_PROCESS_MIN

If the token's mandatory_policy includes NEW_PROCESS_MIN, the kernel MUST replace the child's primary token at exec time when the executable has a lower integrity label:

1. Read the executable file's integrity label from its SD (the mandatory label ACE in the SACL). If the file has no label, use the default (Medium).
2. If the file's integrity level is lower than the token's integrity level, create a new token following DuplicateToken semantics (new token_id, modified_id initialized to the new token_id, elevation_type reset to Default) with integrity_level set to the file's label. All other fields are copied from the source. The original token is dropped.
3. If the file's integrity level is greater than or equal to the token's integrity level, no action — the token survives exec unchanged.

NEW_PROCESS_MIN can only lower integrity, never raise it. The child's integrity level is always less than or equal to the parent's. The flag is immutable on the token.

§4.3.2 Bootstrap

The SYSTEM token (S-1-5-18) is created by PKM during kernel initialization, before any userspace process exists. It is hardcoded:

• User SID: S-1-5-18 (Local System)
• Groups: S-1-5-32-544 (BUILTIN\Administrators), S-1-1-0 (Everyone), S-1-5-11 (Authenticated Users), and other well-known SIDs
• Privileges: all defined privileges, present and enabled
• Integrity level: System
• Token type: Primary
• Elevation type: Default (no linked token)
• Token source: PeiosKrn
• Projected UID: 0
• auth_id: SYSTEM_LUID (0x000003E7 = 999)

The SYSTEM token is assigned to the kernel's init task and inherited by PID 1 on exec. No syscall is involved — the kernel allocates the token object directly during initialization.

The Anonymous token (S-1-5-7) is also created by PKM during kernel initialization. It is a global singleton:

• User SID: S-1-5-7 (Anonymous)
• Groups: none (Everyone included only if the system-wide Anonymous-in-Everyone policy is set — see Impersonation Lifecycle)
• Privileges: none
• Integrity level: Untrusted
• Token type: Impersonation
• Impersonation level: Anonymous
• Elevation type: Default
• Token source: PeiosKrn
• auth_id: ANONYMOUS_LOGON_LUID (0x000003E6 = 998)

The Anonymous token is effectively immutable (no privileges to adjust, no groups to adjust). kacs_impersonate_peer at Anonymous level references this global token. KACS_IOC_DUPLICATE with target level=Anonymous creates a fresh independent token matching this shape (the DuplicateToken contract requires a new token object).

§4.3.2.1 Well-known logon session LUIDs

Dynamically created logon sessions (by authd via kacs_create_session) receive auto-generated LUIDs starting at 1000. The kernel MUST NOT assign 999 or 998 to dynamic sessions.

§4.3.3 External token replacement

A privileged process (peinit) MAY replace the primary token on a running process — for example, downgrading a pre-authd service from SYSTEM to a purpose-built token.

The mechanism uses task_work_add() to queue a credential swap on each task in the target thread group. Each task executes the swap in its own context, preserving RCU safety. If a thread is impersonating, the replacement affects real_cred (primary token) only — the impersonation state is left intact.

§4.3.3.1 Requirements

• SeAssignPrimaryTokenPrivilege on the caller's real token.
• TOKEN_ASSIGN_PRIMARY (0x0001) on the token fd.
• PROCESS_SET_INFORMATION on the target process's SD.
• The new token's user SID MUST match the target's current primary token's user SID, unless the caller has SeTcbPrivilege.
• The new token MUST belong to the same logon session (matching auth_id) as the target's current primary token, unless the caller has SeTcbPrivilege.

The process SD gate ensures the target process's owner controls who can change its identity. The SID and session constraints prevent a non-TCB holder of SeAssignPrimaryTokenPrivilege from assigning an arbitrary token to a process it can reach. SeTcbPrivilege bypasses the SID and session constraints — this is how peinit assigns tokens with different user SIDs and sessions to child services.

Tokens are created through three operations, each serving a different purpose.

§4.4.1 CreateToken

Mint a new token from scratch. The caller provides the security-meaningful content; the kernel generates internal bookkeeping and validates structural invariants.

Gated by: SeCreateTokenPrivilege.

Caller-supplied fields: user_sid, groups (with attributes), privileges (privs_present + privs_enabled), owner_sid_index, primary_group_index, default_dacl, integrity_level, mandatory_policy, token_type, impersonation_level, auth_id (MUST reference an existing logon session), expiration (0 = no expiry), audit_policy, source (name + LUID), user_claims, device_claims, device_groups, restricted_sids, restricted_device_groups, confinement_sid, confinement_capabilities, confinement_exempt, isolation_boundary, write_restricted, user_deny_only, projected_uid, projected_gid, projected_supplementary_gids, origin, interactive_session_id. See the ABI Reference for the complete wire format.

The caller (authd) is responsible for including well-known implicit groups in the groups array: Everyone (S-1-1-0), Authenticated Users (S-1-5-11), and any other groups that the principal's authentication context implies (e.g., S-1-5-4 Interactive, S-1-5-6 Service, S-1-5-15 This Organization). The kernel does NOT inject these — only the logon SID is kernel-generated.

Kernel-generated fields: token_id (LUID), modified_id (initialized to token_id), created_at (current time), elevation_type (always Default), logon_sid (derived from session_id as S-1-5-5-{session_id >> 32}-{session_id & 0xFFFFFFFF}), token SD (default SD per the Token Access Rights section).

The kernel injects the logon SID into the groups array with SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED | SE_GROUP_LOGON_ID. Callers MUST NOT include the logon SID in their supplied groups array — it is always kernel-generated. The injected entry is appended after the caller's groups. owner_sid_index and primary_group_index are interpreted relative to the caller-supplied groups (0 = user SID, 1..N = caller's groups), not including the kernel-injected logon SID entry.

The kernel validates:

1. The caller holds SeCreateTokenPrivilege.
2. All SIDs are structurally well-formed.
3. The owner SID is the user SID or a group with SE_GROUP_OWNER. Resolved to owner_sid_index.
4. The primary group SID is the user SID or a group SID on the token. Resolved to primary_group_index.
5. The auth_id references an existing logon session object.
6. If token_type is Primary, impersonation_level MUST be Anonymous.
7. If write_restricted is true, user_deny_only MUST be true.
8. If isolation_boundary is true, confinement_sid MUST be present.
9. elevation_type field in the wire format MUST be 0 (reserved). The kernel always sets Default.

The kernel MUST NOT authenticate the user, look up SIDs in the directory, resolve SID-to-UID mappings, or validate that the principal exists. The caller is trusted as TCB by virtue of holding SeCreateTokenPrivilege.

Returns a token file descriptor to the caller.

§4.4.2 DuplicateToken

Create an independent copy of an existing token.

Requires: TOKEN_DUPLICATE access on the source token.

The caller MAY change during duplication:

• Token type — primary to impersonation, or impersonation to primary. When duplicating to Primary, the impersonation_level MUST be set to Anonymous.
• Impersonation level — equal to or lower than the source token's level (if creating an impersonation token). Escalation is forbidden — an Identification-level token MUST NOT be duplicated as Impersonation.

Fields on the new token:

• token_id — new LUID.
• modified_id — initialized to the new token_id.
• token_type — caller-specified (Primary or Impersonation).
• impersonation_level — caller-specified for Impersonation (must be <= source level); Anonymous for Primary.
• elevation_type — reset to Default (not part of any linked pair).
• user_sid, user_deny_only, logon_sid — copied from source.
• groups — copied from source (SIDs and all per-group attributes).
• restricted_sids, write_restricted — copied from source.
• privileges — present/enabled/enabled_by_default copied from source. used copied from source.
• integrity_level, mandatory_policy — copied from source.
• auth_id, origin, source, created_at, expiration, audit_policy — copied from source.
• interactive_session_id — copied from source.
• default_dacl, owner_sid_index, primary_group_index — copied from source.
• user_claims, device_claims, device_groups, restricted_device_groups — copied from source.
• confinement_sid, confinement_capabilities, confinement_exempt — copied from source.
• projected_uid, projected_gid, projected_supplementary_gids — copied from source.
• Token SD — new default SD per the Token Access Rights section. The caller cannot supply a custom SD at duplication time; use WRITE_DAC on the new handle to modify afterward if needed.

The original token is unaffected.

§4.4.3 FilterToken

Create a restricted copy of an existing token.

Requires: TOKEN_DUPLICATE access on the source token.

FilterToken MAY:

• Remove privileges — specified privileges are permanently deleted from the new token (cleared from the present, enabled, and enabled-by-default states).
• Set groups to deny-only — specified groups receive SE_GROUP_USE_FOR_DENY_ONLY. They can block access via deny ACEs but MUST NOT grant access via allow ACEs. This is permanent and MUST NOT be reverted.
• Add restricted SIDs — a secondary SID list added to the new token. AccessCheck evaluates the DACL twice on restricted tokens; access is granted only if both the normal SIDs and the restricted SIDs independently pass.
• Enable write-restricted mode — a flag that limits the restricted SID check to write operations only. Read access uses the normal SID list, bypassing the restricted evaluation. When write-restricted mode is enabled, user_deny_only MUST be set to true on the new token — the user SID matches only deny ACEs.

FilterToken creates a new token object. The original is untouched. Fields on the new token:

• token_id — new LUID.
• modified_id — initialized to the new token_id.
• elevation_type — reset to Default (not part of any linked pair).
• user_sid, logon_sid, integrity_level, mandatory_policy, token_type, impersonation_level — copied from source.
• groups — SIDs copied from source. Per-group attributes modified per the deny-only list. No SIDs added or removed.
• privileges — present/enabled/enabled_by_default modified per the removal list. used reset to 0.
• restricted_sids — set from the provided restricting SID list. If the source was already restricted, the new list is the intersection of source and provided lists.
• write_restricted — set if requested, OR sticky from source (write_restricted || source.write_restricted).
• user_deny_only — set to true when write_restricted is enabled. Otherwise, copied from source.
• auth_id, origin, source, created_at, expiration, audit_policy — copied from source.
• default_dacl, owner_sid_index, primary_group_index — copied from source.
• user_claims, device_claims, device_groups, restricted_device_groups — copied from source.
• confinement_sid, confinement_capabilities, confinement_exempt — copied from source.
• projected_uid, projected_gid, projected_supplementary_gids — copied from source.
• Token SD — new default SD per the Token Access Rights section.

A strictly confined token MUST NOT carry ALL_APPLICATION_PACKAGES in its confinement_capabilities. Token construction MUST enforce this invariant.

A live token's privileges and groups MAY be adjusted at runtime. These are distinct operations with separate access rights and constraint models. All adjustment operations mutate the token object in place via atomic operations. Changes are visible immediately to all threads sharing the token. All bump modified_id.

§4.5.1 AdjustPrivileges

Requires: TOKEN_ADJUST_PRIVILEGES on the token.

Three modes:

• Enable/disable — flip individual bits in privileges_enabled for privileges that are present on the token. Privileges that are not present MUST NOT be enabled. This operation cannot grant new privileges, only activate existing ones.
• Reset to defaults — restore privileges_enabled to match privileges_enabled_by_default. Returns all privileges to their creation-time state in a single operation.
• Remove — permanently delete a privilege from the token. Clears the bit in privileges_present, privileges_enabled, and privileges_enabled_by_default. Irreversible — the privilege MUST NOT be re-added.

The caller receives a report of the previous state of each adjusted privilege.

§4.5.2 AdjustGroups

Requires: TOKEN_ADJUST_GROUPS on the token.

Two modes:

• Enable/disable — flip SE_GROUP_ENABLED on individual groups, subject to constraints:
  • SE_GROUP_MANDATORY groups MUST NOT be disabled.
  • SE_GROUP_USE_FOR_DENY_ONLY groups MUST NOT be re-enabled.
  • The logon SID (SE_GROUP_LOGON_ID) MUST NOT be disabled.
  • The user SID (if present in the group list) MUST NOT be disabled.
• Reset to defaults — restore all groups to their creation-time enabled/disabled state.

The caller receives a report of the previous state of each adjusted group.

§4.5.3 AdjustDefault

Requires: TOKEN_ADJUST_DEFAULT on the token.

Three mutable fields:

• Default DACL — replace the DACL applied to new objects created by this token. RCU pointer swap; the old DACL is freed after an RCU grace period.
• Owner SID index — change which SID is used as the default owner for new objects. MUST reference the user SID or a group with SE_GROUP_OWNER on the token. Atomic index update.
• Primary group index — change the default primary group for new objects. MUST reference the user SID or a group SID on the token. Atomic index update.

These affect future object creation only — existing objects are unaffected. No escalation is possible: the caller is choosing among SIDs already on their token.

At logon time, authd MAY create two tokens for the same principal, linked together:

• Elevated token (elevation_type = Full) — the user's complete identity: all groups active, all assigned privileges present and enabled.
• Filtered token (elevation_type = Limited) — the same user SID, but administrative groups set to deny-only, dangerous privileges stripped. Created from the elevated token via FilterToken.

Both tokens MUST belong to the same logon session. The filtered token is installed as the session's default. The elevated token exists but is not directly accessible to unprivileged processes.

A token with no linked pair has elevation_type = Default.

§4.6.1 KACS responsibilities

KACS provides pairing, storage, and query restriction:

• Linked pair association — the pair is registered on the logon session. Given either token, the system can retrieve the partner. The pairing is managed at the session level, not stored on individual token objects.
• Elevation type classification — elevation_type on each token so consumers can determine which side they hold.
• Identification-level query restriction — when an unprivileged caller queries a token's linked token, KACS MUST return a copy at Identification impersonation level. The caller can inspect the elevated token but MUST NOT use it for access control decisions. A caller holding SeTcbPrivilege receives a full handle to the actual linked token.

§4.6.2 KACS non-responsibilities

The actual elevation decision — "should this user be allowed to use their elevated token right now?" — is entirely authd's responsibility. KACS MUST NOT gate elevation, verify credentials, or display prompts. KACS stores the pair and restricts unprivileged access to it.

§4.6.3 Lifecycle

Both tokens in a linked pair share a logon session. When a session is destroyed (last token refcount drops to zero), the pair linkage is removed and the pair's own references to both tokens are dropped. However, token objects are refcounted — if a process still holds a token fd or a credential still references the token, the token object itself survives until all references are released. After the pair is unlinked, querying the linked token (KACS_IOC_GET_LINKED_TOKEN) returns an error — the partner relationship no longer exists, even if the individual token objects are still live.

§4.7.1 Logon sessions

A logon session is a lightweight kernel object identified by a LUID (auth_id). Every token references a logon session.

• Creation — authd creates a logon session (via KACS syscall) at authentication time, before creating the token. The session object contains: session ID (LUID), logon type (Interactive, Network, Service, etc.), user SID, authentication package name (e.g., "Kerberos", "Negotiate"), and creation timestamp. A logon SID (S-1-5-5-X-Y) is derived from the session ID.
• Association — each token's auth_id references its logon session. Multiple tokens MAY share a session (linked pairs, tokens derived via duplication).
• Cleanup — when the last token referencing a logon session is freed (refcount drops to zero), the kernel destroys the session object and emits a session-destroyed event via the event subsystem (event_emit). authd subscribes to these events and uses them to clean up associated credentials (cached Kerberos tickets, etc.).

Logon sessions are bookkeeping. No access control decision depends on the logon session — AccessCheck MUST NOT consult auth_id. The interactive_session_id field is similarly metadata; the kernel stores it and returns it on query but no kernel security mechanism evaluates it.

§4.7.2 Token expiration

The token's expiration field carries a timestamp. In v0.20, this field MUST NOT be enforced by AccessCheck — it is informational only.

Token lifetime is governed by reference counting, not by the expiration timestamp. Tokens exist as long as at least one reference (process credential or open file descriptor) exists.

§4.7.3 Session invalidation

A logon session MAY be marked dead via kacs_invalidate_session. This is a kernel-level revocation primitive.

§4.7.3.1 Mechanism

The logon session object carries a dead flag, initially false. kacs_invalidate_session(auth_id) sets this flag atomically. The flag is one-way — a dead session cannot be revived.

§4.7.3.2 Effects

• AccessCheck. EvaluateSecurityDescriptor checks token.logon_session.dead before the impersonation level gate (step 0). If the session is dead, AccessCheck returns ERROR_ACCESS_DENIED immediately. This blocks all live access checks: new opens, path-based operations, O_PATH live checks, process SD evaluations.
• Snapshot checks. Use-time operations that check the fd's cached granted mask are NOT affected. An already-open fd continues working until the fd is closed or the process terminates. The handle model applies: authority is on the handle.
• Token creation. kacs_create_token rejects a auth_id that references a dead session. No new tokens can enter the system referencing a dead session.
• Token installation. KACS_IOC_INSTALL rejects tokens whose logon session is dead. A dead-session token cannot become a process's primary token.
• Token operations. Query, adjust, duplicate, and filter continue to work on tokens referencing dead sessions. These operations are not access-control decisions.
• Event. When a session is invalidated, the kernel emits a session-invalidated event via event_emit.

§4.7.3.3 Revocation workflow

1. authd decides a session must end (admin request, security incident, account deletion, or user-initiated logoff).
2. authd calls kacs_invalidate_session(auth_id). All future access checks against the session's tokens fail immediately.
3. authd enumerates processes whose tokens carry the target auth_id or interactive_session_id by walking /proc/*/token and inspecting TokenStatistics (which includes auth_id). No dedicated enumeration syscall is needed.
4. authd requests process termination — via peinit for supervised services, via signals for user processes.
5. Processes terminate, dropping their token references.
6. When the last reference drops, the logon session object is cleaned up.

Step 2 closes the SCM_RIGHTS gap: even if a token fd is passed to a process in another session (before or after enumeration), all live access checks against that token fail. The handle model means existing open fds retain their cached grants, but no new resource access can be established.

Tokens are securable objects. Every token has its own Security Descriptor, and accessing a token requires passing an AccessCheck against that SD.

§4.8.1 Obtaining a token file descriptor

Open directly. A syscall takes a process identifier (PID or pidfd) and a desired access mask. The kernel finds the target process's primary token, evaluates the caller's token against the target token's SD, and returns a token fd with the granted access mask cached on it. A separate variant opens a thread's impersonation token. Opening another process's token also requires PROCESS_QUERY_INFORMATION on the target process's SD.

Receive via IPC. A token fd MAY be passed over a Unix socket via SCM_RIGHTS. The recipient's operations are constrained by the access mask cached on the fd at the time it was originally opened.

Implicit access. A thread always has implicit access to its own effective token for query operations. This is not a kernel bypass — it is guaranteed by the default token SD, which grants TOKEN_QUERY (plus adjustment rights) to the token's own user SID. The AccessCheck still runs; it simply always succeeds for self-query under the default SD.

§4.8.2 Token-specific access rights

Bit 0x0010 (TOKEN_QUERY_SOURCE) is subsumed by TOKEN_QUERY — a holder of TOKEN_QUERY (0x0008) can also query source information. The 0x0010 bit MUST NOT be reused for other purposes (format compatibility with MS-DTYP).

TOKEN_ALL_ACCESS = 0x000F01FF. This is the union of all token-specific rights (0x01FF = bits 0-8, including the reserved TOKEN_QUERY_SOURCE bit 0x0010 for MS-DTYP format compatibility) plus STANDARD_RIGHTS_REQUIRED (DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER = 0x000F0000). The named rights OR to 0x01EF; the reserved bit adds 0x0010 to reach 0x01FF.

§4.8.3 Generic mapping

§4.8.4 Standard rights

§4.8.5 Default token SD

When a token is created, it receives a default SD:

• Owner: the creating process's user SID.
• DACL:
  • ALLOW the token's own user SID: TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT.
  • ALLOW the creator: TOKEN_ALL_ACCESS.
  • ALLOW SYSTEM (S-1-5-18): TOKEN_ALL_ACCESS.

Self-access is limited to adjustment operations that cannot escalate. TOKEN_DUPLICATE, TOKEN_IMPERSONATE, and WRITE_DAC are not granted to the token's subject by default.

§4.8.6 Access check model

The check-at-open model applies to tokens exactly as it does to files: AccessCheck runs once when the token fd is obtained, the granted access mask is cached on the fd, and subsequent operations verify the cached mask. No per-operation re-evaluation.

The Process Security Block (PSB) is a per-process security structure that carries properties describing what the process is -- determined by the binary that was loaded, not by the principal running it.

The PSB is separate from the token. The token describes identity and travels with impersonation -- when a thread impersonates a client, the effective token changes. The PSB describes the process and MUST NOT be affected by impersonation. This is the load-bearing invariant:

The PSB is never affected by impersonation. Impersonation changes who the thread is acting as. It does not change what the process is.

The PSB lives on the task's LSM security blob (task_struct->security), separate from the credential which holds the token pointer. The credential is swapped during impersonation; the PSB is not.

§5.2.1 Protection (set at exec, fixed)

PIP fields are signing-based. At exec, the kernel MUST verify the binary's cryptographic signature and determine pip_type and pip_trust from the signer's identity. The verification algorithm and key model are specified in the Binary Signing section. The parent process MUST NOT be able to influence PIP determination — even a compromised peinit running as SYSTEM MUST NOT be able to forge PIP protection for an unsigned binary.

When pip_type is set to a value other than None at exec, the kernel MUST also set lsv (Library Signature Verification) on the PSB automatically. PIP without LSV is never correct — a Protected process that loads unsigned libraries has a code injection path that defeats the purpose of PIP. This is the only mitigation that is coupled to PIP; all other mitigations remain independently controlled by peinit.

The public verification key is compiled into the kernel image. The kernel only verifies signatures; it MUST NOT sign.

§5.2.2 Process mitigations (one-way)

Mitigations are inherited from the parent at fork and MAY be set via syscall (typically by peinit between fork and exec). They are one-way: once set, they MUST NOT be cleared. Exec MUST NOT reset mitigations — a mitigation set by the process launcher persists regardless of what binary is loaded.

This is distinct from PIP, which is determined at exec from the binary's signature. Mitigations are set by the process launcher as policy; PIP is determined by the kernel as a property of the binary.

§5.2.3 UI access (one-way)

§5.2.4 Process restrictions (one-way)

Unlike the exec-time fields, no_child_process MAY be set at two points:

1. Between fork and exec. The parent's code, running in the freshly forked child, calls a KACS syscall to set the flag on itself before exec. The new binary loads with the restriction already in place.
2. At runtime by the process itself. A process MAY restrict itself at any time (e.g., after spawning worker processes).

§5.2.5 TLP cache (machine-wide)

The approved directory prefixes for TLP enforcement are stored in a global kernel cache, not on individual PSBs. The PSB tlp flag controls whether a process is subject to TLP enforcement; the paths themselves are shared.

Cache structure: an array of UTF-8 directory prefix strings. Maximum 64 entries, maximum 4096 bytes per path. The mechanism for populating and updating the cache is defined by the registry subsystem (loregd) and is outside the scope of this section.

At mmap(PROT_EXEC) time, when the process has TLP enabled, the kernel checks whether the mapped file's path starts with any approved prefix. If no prefix matches, the mmap is rejected. If the cache is empty, all PROT_EXEC mappings are denied for TLP-enabled processes.

§5.2.6 Identity virtualization (reserved)

§5.2.7 Process security descriptor

Every process carries a security descriptor that controls who can perform operations on it. The process SD is stored on the PSB alongside the PIP and mitigation fields.

Every process carries a security descriptor that controls who can perform operations on it. This replaces Linux's UID-based process access control (which is a patchwork of UID comparisons and capabilities) with unified SD evaluation.

§5.3.1 Process access rights

§5.3.2 Signal classification

Each Linux signal maps to a process access right based on its default action:

§5.3.2.1 PROCESS_TERMINATE — default action: terminate (or terminate + core)

§5.3.2.2 PROCESS_SUSPEND_RESUME — default action: stop or continue

§5.3.2.3 PROCESS_SIGNAL — default action: ignore

§5.3.3 Generic mapping

§5.3.4 Default process SD

Processes MUST receive a default SD at creation time:

Owner: <creator's primary token user SID>
Group: <creator's primary token primary group SID>
DACL:
  ALLOW  <process's own user SID>        GENERIC_ALL
  ALLOW  BUILTIN\Administrators           GENERIC_ALL
  ALLOW  SYSTEM                            GENERIC_ALL
  ALLOW  Everyone                          PROCESS_QUERY_LIMITED
SACL:
  SYSTEM_MANDATORY_LABEL  <process's token integrity level>  NO_WRITE_UP

This means:

• The process can do anything to itself.
• Administrators and SYSTEM have full control over all processes.
• Everyone can see basic process info (PID, name, status) -- this is what makes ps and top work for all users.
• Detailed inspection (token, memory, environment) is restricted to self, administrators, and SYSTEM.
• A lower-integrity process running as the same user is blocked from write-category operations (signals, memory write, token replacement) by MIC. This is the foundation of elevation isolation — an unelevated Medium-integrity process cannot tamper with an elevated High-integrity process even when both run under the same user SID.

Services MAY request a custom SD at launch (via the service definition), or modify their own SD at runtime (via kacs_set_sd on their own process, which requires WRITE_DAC -- granted by the default SD to the process itself).

§5.3.5 PIP interaction

PIP and the process SD are complementary. The process SD controls who can perform operations on the process. PIP controls which trust level is required for invasive access to protected processes. Both checks MUST pass:

1. AccessCheck evaluates the caller's token against the target process's SD for the requested right.
2. PIP evaluates the caller's trust level against the target's pip_type and pip_trust (for operations that cross the process boundary).

A process MAY have a permissive SD (Administrators: GENERIC_ALL) but be PIP-protected -- administrators pass the SD check, but only if their PIP trust level is sufficient. Conversely, a non-PIP process MAY have a restrictive SD that denies even administrators specific operations.

§5.3.6 Thread security model

KACS does not define per-thread security descriptors or thread-specific access rights. All thread operations are gated by the process SD.

This is an intentional architectural decision. Linux threads share the process address space (mm_struct), so per-thread isolation has limited security value — a thread that can write the shared address space can compromise any other thread in the same process. Per-thread SDs would add complexity without meaningful isolation.

Consequence: kacs_open_thread_token gates access using the process SD (PROCESS_QUERY_INFORMATION). A caller who passes the process SD check can open any thread's impersonation token within that process. If finer-grained token isolation is required, the service should use separate processes rather than separate threads.

§5.4.1 Fork (clone without CLONE_THREAD)

The child receives a copy of the parent's PSB. PIP fields, mitigations, and any active restrictions are inherited. A Protected process's children start as Protected -- PIP protection propagates across fork.

The child receives a new default process SD. The owner is the forking thread's primary token's user SID (not the impersonation token, even if the thread is impersonating). The DACL follows the default template.

§5.4.2 Exec

PIP fields (pip_type, pip_trust) are reset at exec based on the new binary's cryptographic signature (see the Binary Signing section). A Protected parent that execs an unsigned binary loses PIP protection — protection follows the binary, not the lineage.

Mitigation flags (lsv, wxp, tlp, cfif, cfib, pie, sml, ui_access) are NOT reset by exec. They persist across exec unchanged. A mitigation set between fork and exec survives regardless of what binary is loaded.

The no_child_process flag persists across exec. A process that has been restricted from creating children remains restricted regardless of what binary it loads.

The process SD is NOT reset by exec. The SD was set at fork time and persists. The SD reflects the process's creation context, not the binary it is running.

§5.4.3 Clone with CLONE_THREAD

Threads share the process's PSB. Thread creation is not affected by no_child_process -- only new processes (fork/clone without CLONE_THREAD) are blocked.

§5.4.4 Relationship to AccessCheck

The PSB is NOT an input to AccessCheck in the general case. AccessCheck takes a token (identity) and an SD (policy) and evaluates access. Most PSB fields are invisible to the access control pipeline.

The exception is PIP. The AccessCheck pipeline includes a PIP enforcement step that reads pip_type and pip_trust. These come from the PSB, not from any token. The enforcement layer extracts PIP values from the PSB and passes them as explicit parameters to AccessCheck.

This means:

• MIC (integrity level) uses the effective token -- impersonation changes how MIC evaluates. This is safe because the integrity ceiling on impersonation prevents escalation.
• PIP (process protection) uses the PSB -- impersonation MUST NOT change how PIP evaluates. There is no impersonation gate that constrains PIP dimensions, so the PSB is the only safe source.

Process mitigations (lsv, wxp, tlp, cfif, cfib, pie, sml) and no_child_process do not interact with AccessCheck. They are enforced at their respective enforcement points independently of the access control pipeline.

Binary signing is the foundation of PIP trust determination and Library Signature Verification (LSV). The kernel verifies cryptographic signatures on executable files to establish their trust level. Signing is the only mechanism by which a binary acquires PIP protection — there is no runtime API to forge it.

§6.1.1 Key model

The kernel carries one or more Ed25519 public verification keys compiled into the kernel image. Each key is associated with a PIP trust tier:

Keys are stored as raw 32-byte Ed25519 public keys in a dedicated kernel data section. Each key entry is a struct: [key: 32 bytes][pip_type: u32le][pip_trust: u32le] = 40 bytes per key. The key table is terminated by an all-zero entry. v0.20 has exactly one key.

Unsigned binaries receive PIP type None (0) and trust 0. There is no intermediate — a binary is either signed with a recognized key or it is untrusted.

§6.1.2 Signature format

Signatures use a common encoding: a version byte (0x01) followed by 64 bytes of raw Ed25519 signature. Total: 65 bytes. v0.20 MUST reject any version other than 0x01.

Two storage locations are supported, checked in priority order:

§6.1.2.1 Primary: ELF section (for ELF binaries)

ELF binaries store their signature in a .peios.sig section. The section type is SHT_PROGBITS and contains exactly 65 bytes (version + signature). The ELF section travels with the binary through any file transfer, archive, or distribution mechanism.

Content hash: SHA-256 of the ELF file with the .peios.sig section contents treated as zero bytes. Specifically: the sh_size bytes starting at sh_offset (as read from the section header entry) are replaced with zeros in the hash input. The section header table entry itself (the Elf64_Shdr struct) is NOT zeroed — it is included in the hash as-is. All other file bytes are included verbatim. This avoids the chicken-and-egg problem while ensuring the section header metadata is integrity-protected.

§6.1.2.2 Fallback: xattr (for non-ELF files)

Non-ELF files (scripts, data files, non-standard executable formats) store their signature as an extended attribute:

Content hash: SHA-256 of the file's entire contents (all bytes from offset 0 to EOF). No exclusions.

§6.1.2.3 Lookup order

1. If the file is ELF (first 4 bytes = \x7fELF): look for .peios.sig section. If found and valid, use it. If not found, fall through to step 2.
2. Look for security.peios.sig xattr. If found and valid, use it.
3. Neither found: file is unsigned (PIP = None/0).

If both are present, the ELF section takes priority. The rule for ELF files: once a .peios.sig section header entry is found in the section header table (by name), the ELF path is committed — any error reading, validating, or verifying the section content (bad version, wrong size, truncated file, verification failure) results in unsigned status. The xattr is NOT checked as fallback. This prevents an attacker from crafting a malformed ELF section to force fallback to a weaker xattr path.

For ELF files that fall through to the xattr path (no .peios.sig section header found), the xattr content hash uses the entire file (same as non-ELF), not the ELF-section-zeroed hash. The ELF-specific hash is only used when the ELF section is the signature source.

Files shorter than 4 bytes are not ELF — proceed directly to xattr check.

§6.1.2.4 Signing algorithm

The Ed25519 signature is computed over the content hash (32 bytes) treated as the message: Ed25519_Sign(private_key, content_hash). The kernel verifies as Ed25519_Verify(public_key, content_hash, signature).

§6.1.2.5 Distribution

• ELF binaries (peinit, authd, loregd, etc.) are self-contained — the .peios.sig section survives GitHub releases, tarballs, scp, and any file transfer.
• Non-ELF executables (if any) ship with detached .sig files. The detached file contains the raw 65-byte blob (version byte + 64-byte signature), identical to the xattr value. The image builder (peiso) reads the detached signature and stamps the security.peios.sig xattr during disk image construction. Scripts are NOT signed in v0.20 — PIP for scripts is determined by the interpreter binary's signature (see Scripts and interpreters below).

§6.1.3 Verification at exec (PIP determination)

When a process calls execve(), the kernel:

1. Looks up the signature using the lookup order above (ELF section first, then xattr).
2. If no signature found: PIP is set to None/0. Done.
3. Computes the content hash (ELF: file with .peios.sig section zeroed; non-ELF: entire file).
4. Verifies the 64-byte signature against each compiled-in public key in table order. The first matching key determines the trust tier.
5. If verification succeeds: sets pip_type and pip_trust on the new process's PSB from the matched key's trust tier. Done.
6. If verification fails (bad signature, no matching key): PIP is set to None/0. Done.

In all cases, exec proceeds — PIP is additive protection, not an execution gate.

PIP determination is transactional with exec success. If exec fails after PIP has been determined (e.g., mmap failure, OOM), the PSB is not modified — PIP values from the previous binary remain. PIP is only committed to the PSB when exec completes successfully.

PIP values set at exec are fixed for the lifetime of the process image. They are inherited by child processes at fork and reset at the child's exec based on the new binary's signature.

§6.1.4 Verification at mmap (LSV)

When a process has the LSV mitigation enabled and calls mmap() with PROT_EXEC:

1. Looks up the signature using the lookup order (ELF section first, then xattr).
2. If no signature found: reject the mmap (return -EACCES).
3. Computes the content hash (ELF: file with .peios.sig section zeroed; non-ELF: entire file).
4. Verifies the signature against each compiled-in public key.
5. Determines the library's trust level from the matched key.
6. If verification fails (bad signature, no matching key): reject the mmap (return -EACCES).
7. If the library's trust level is below the loading process's PIP trust level: reject the mmap (return -EACCES).
8. If the library's trust level is at or above the loading process's PIP trust level: allow.

This means a Protected/PeiosTcb process with LSV can only load libraries signed at the PeiosTcb level or above. A future Protected/App process could load both App-tier and TCB-tier libraries, but not unsigned libraries.

§6.1.5 Verification at mprotect

When a process calls mprotect() to add PROT_EXEC to a mapping that was not originally executable, the following checks apply in order:

1. WXP (if enabled): reject if the mapping was ever writable (W→X transition). Applies to all mappings including anonymous.
2. TLP (if enabled): reject if the backing file is outside the approved directory prefixes. Applies to file-backed mappings only.
3. LSV (if enabled): verify the backing file's signature. Reject if unsigned or insufficiently trusted. Applies to file-backed mappings only.

Anonymous mappings (no backing file) are gated only by WXP. TLP and LSV do not apply to anonymous mappings (they have no path or signature to check).

§6.1.6 Key distribution

The TCB signing keypair is generated at build time by the image builder (peiso). The private key is used to sign TCB binaries during image construction. The public key is compiled into the kernel image. The private key MUST NOT be present on the running system.

§6.1.7 Symlinks

When execve() is called on a symlink, the kernel resolves the symlink and opens the target file. The signature xattr is read from the target file, not the symlink. A symlink to a signed binary inherits the target's PIP level. A symlink to an unsigned binary is unsigned.

This is correct by construction: the kernel resolves symlinks before the LSM exec hooks fire. No special handling is needed.

§6.1.8 Scripts and interpreters

When execve() is called on a script with a #! shebang line (e.g., #!/bin/sh), the kernel re-execs the interpreter binary. PIP is determined by the interpreter's signature, not the script's. A TCB-signed interpreter (e.g., /bin/sh signed with the Peios TCB key) runs at PeiosTcb level regardless of what script it executes.

LSV (when enabled on the interpreter process) does not apply to script files — scripts are opened as data (FMODE_READ), not mapped as executable code. LSV only gates mmap(PROT_EXEC).

§6.1.9 LSV file boundary

For both mmap and mprotect verification, the content hash covers the entire file, not just the mapped region. For ELF files, the .peios.sig section contents are zeroed in the hash input. For non-ELF files, the hash covers all bytes from offset 0 to EOF. The kernel MUST read and hash the entire file to verify the signature, even if only a portion is being mapped. This ensures the signature covers all code in the file, including sections not mapped by this particular mmap call.

§6.1.10 Revocation

v0.22 provides no per-binary revocation mechanism. A signed binary whose signature is valid against a compiled-in key will be trusted. There is no CRL, no OCSP, no hash-based deny list, and no policy-based revocation.

Available mitigations for a compromised signed binary:

• Filesystem removal. Delete or replace the binary. Effective on a single machine but requires filesystem access to every affected system.
• Kernel image replacement. Rotate the signing key and rebuild the kernel image. All previously-signed binaries are invalidated unless re-signed with the new key. This is a full update cycle.
• FACS access control. Remove FILE_EXECUTE from the binary's SD. Prevents execution without removing the file. Does not affect PIP determination for copies the attacker controls.

What is not available:

• No mechanism to push a revocation policy across machines before the next OS image update.
• No way to invalidate a specific binary hash while keeping other binaries signed with the same key trusted.
• No timestamping: key rotation invalidates all previously-signed binaries, not just the compromised one.

Future versions may add a kernel-resident hash revocation list (reject specific SHA-256 content hashes even if the signature is valid), populated from the registry at boot and updatable at runtime via a privileged syscall. This would enable targeted revocation without full key rotation.

§6.1.11 Interaction with other mechanisms

• WXP (Write-XOR-Execute): Orthogonal. WXP prevents W+X pages. LSV prevents unsigned executable pages. A TCB process with both mitigations can only execute signed code in read-only pages.
• FACS: Signing verification runs independently of FACS access control. A signed binary in a directory the caller cannot access is still inaccessible — FACS denies the open. Signing only determines PIP level once the binary is being executed.
• PIP object protection: Once a process has PIP set from its binary's signature, PIP trust labels on objects (files, registry keys) are enforced via the AccessCheck pipeline using the process's pip_type/pip_trust from the PSB.

Some operations do not fit the subject-object model. Rebooting the system, loading a kernel module, changing the system clock, creating a new token -- these are system-wide operations that affect the machine itself, not a specific protected resource. They need authorization, but there is no object to attach an SD to.

Privileges fill this gap. A privilege is a right to perform a specific system operation, carried on the token alongside the principal's identity. Where an SD says "this principal may read this file," a privilege says "this principal may shut down the system." The SD is on the object; the privilege is on the subject.

§7.1.1 Lifecycle

A privilege has a simple lifecycle on a token:

1. Assigned by policy. When authd creates a token, it resolves the principal's privilege assignments from security policy. The assignment is resolved once, at token creation time. There MUST NOT be runtime privilege grants -- if a privilege is not on the token at creation, it MUST NOT be added later.

2. Present but disabled. Most privileges start disabled. They exist on the token but are not active.

3. Explicitly enabled. Before using a privilege, the holder enables it via AdjustPrivileges. This is a deliberate act.

4. Exercised. The privilege is checked by the kernel and, if enabled, the operation is permitted. The privilege is recorded as used and an audit event MAY be emitted.

5. Disabled or removed. After the operation, the privilege MAY be disabled via AdjustPrivileges (returning to the resting state) or permanently removed via AdjustPrivileges (irreversible — the privilege is cleared from present, enabled, and enabled-by-default, but the used bit is preserved for audit).

§7.1.2 Two categories

Privileges divide into two categories based on where they are enforced:

Standalone operation gates. The majority of privileges. These authorize specific system operations not mediated by AccessCheck -- rebooting, loading kernel modules, debugging processes. The kernel checks whether the calling thread's token holds the required privilege (present and enabled) before permitting the operation.

AccessCheck-influencing privileges. A small number of privileges alter the outcome of AccessCheck itself -- they can cause AccessCheck to grant access rights that the object's DACL would not independently grant. These are evaluated inside the pipeline alongside DACL rules, integrity policy, and confinement. Five privileges influence AccessCheck:

• SeSecurityPrivilege — grants ACCESS_SYSTEM_SECURITY (SACL read/write) in AccessCheck. Also serves as a kernel-standalone gate for audit-related Linux capabilities (CAP_AUDIT_CONTROL, CAP_MAC_ADMIN, CAP_AUDIT_READ).
• SeTakeOwnershipPrivilege — grants WRITE_OWNER as a post-DACL fallback.
• SeBackupPrivilege — grants all read access (intent-gated).
• SeRestorePrivilege — grants all write access plus WRITE_DAC, WRITE_OWNER, DELETE, and ACCESS_SYSTEM_SECURITY (intent-gated).
• SeRelabelPrivilege — loosens MIC's constraint on WRITE_OWNER for non-dominant callers.

The precise mechanics of how these interact with the AccessCheck pipeline are specified in the AccessCheck section.

§7.1.3 Intent-gated privileges

SeBackupPrivilege and SeRestorePrivilege are intent-gated. Unlike other privileges which are self-scoping (SeSecurityPrivilege only matters when ACCESS_SYSTEM_SECURITY is requested), backup and restore grant broad categories of access that would apply to every AccessCheck call if evaluated unconditionally.

AccessCheck takes a privilege_intent parameter. The caller passes BACKUP_INTENT when performing a backup-context operation and RESTORE_INTENT when performing a restore-context operation. Backup and restore privileges MUST only be evaluated when the corresponding flag is present. Without the flag, these privileges are invisible to the pipeline.

Intent-gating also ensures backup and restore are evaluated inside the AccessCheck pipeline rather than short-circuiting it. This is necessary because later stages -- specifically PIP -- MUST be able to constrain privilege-granted access.

§7.1.4 Assignment

Privileges are assigned by security policy, not by identity. Being a member of the Administrators group does not automatically confer any privilege. Privileges and group memberships are orthogonal: groups determine what objects you can access (via DACLs), privileges determine what system operations you can perform.

The assignment flow:

1. An administrator defines privilege policy: "members of the Backup Operators group receive SeBackupPrivilege and SeRestorePrivilege."
2. When a principal authenticates, authd resolves group memberships and evaluates privilege policy against those memberships.
3. authd creates the token with those privileges via CreateToken. The kernel MUST NOT verify or evaluate the policy -- it trusts authd as a TCB component.
4. The token carries those privileges for its lifetime. No privilege MAY be added after creation.

§7.1.5 Auditing

Every privilege exercise SHOULD be tracked. When a privilege is exercised, the token's used state for that privilege is set (monotonic). For AccessCheck-influencing privileges, audit events are emitted when the privilege was actually necessary for the access decision -- not merely when the privilege is present, but when the access would have been denied without it.

This is the complete set of Peios privileges. Each privilege is listed with a description and its enforcement category:

• Kernel standalone — enforced at a specific operation boundary, independent of AccessCheck.
• AccessCheck — evaluated inside the AccessCheck pipeline.
• AccessCheck + kernel standalone — evaluated inside AccessCheck AND used as a standalone gate for capability mappings or other kernel checks.
• Application-level — checked by a userspace service, not by the kernel.
• Reserved — allocated for format compatibility but not enforced in v0.20.
• Kernel standalone (future) — defined for ABI stability but not enforced in v0.20. Will become kernel standalone when the gated subsystem is implemented.

§7.2.1 Identity and token management

§7.2.2 Access control

§7.2.3 System operations

§7.2.4 Network

§7.2.5 Directory and domain operations

§7.2.6 Reserved

The following privileges are allocated for format compatibility. The positions exist so that tokens from Active Directory environments can carry these privileges without information loss. They have no enforcement point in v0.20.

§7.2.7 Custom privilege allocation

Custom Peios privileges are allocated from the high end of the 64-bit privilege space, while format-compatible privileges occupy their standard Windows LUID positions (bits 2-35). Custom privileges grow downward from bit 63:

This avoids collision if new privileges are defined in future AD releases.

§7.2.8 Default-grant privileges

SeChangeNotifyPrivilege and SeCreateSymbolicLinkPrivilege are granted to all principals by default. This is an authd policy decision — authd includes these privileges in every token it creates. They MAY be removed from specific tokens via FilterToken if needed.

The AccessCheck section described PIP protecting objects — files, registry keys, tokens — from processes that lack sufficient trust. This section describes PIP protecting processes — their memory, their execution, their metadata — from other processes.

Process-to-process operations are gated by two independent checks, both of which MUST pass:

1. Process SD check — an AccessCheck evaluation of the caller's token against the target process's Security Descriptor (see the Process Security Descriptors section). This determines who can perform operations on the process.
2. PIP dominance check — a direct comparison of the caller's and target's PSB pip_type/pip_trust fields. This determines which trust level is required. PIP does not use AccessCheck, does not read Security Descriptors, and does not involve the DACL pipeline — it is a standalone binary dominance test.

SeDebugPrivilege bypasses only check 1 (the process SD). It MUST NOT bypass check 2 (PIP dominance). See the Enforcement Points section for details.

The two checks complement each other. The process SD controls who can access the process (identity-based). PIP controls which trust level is required (signing-based). Object PIP protection (via trust label ACEs in SACLs) prevents a non-dominant process from opening authd's private key file. Process PIP protection prevents the same process from reading the key directly out of authd's memory via ptrace, or killing authd with a signal.

§8.1.1 The dominance check

Every process isolation check reduces to one question: does the caller's PSB dominate the target's PSB?

pip_dominates(caller_psb, target_psb) -> bool:
    if target_psb.pip_type == None:
        return true  // Unprotected target — any caller dominates.
    return caller_psb.pip_type >= target_psb.pip_type
       AND caller_psb.pip_trust >= target_psb.pip_trust

PIP types form a total order by their numeric values: None (0) < Protected (512) < Isolated (1024). PIP trust levels are numeric and compared directly (higher = more trusted). The early return for pip_type = None ensures that unprotected processes are always accessible regardless of trust values. The two-dimension check only applies when the target is Protected or Isolated.

PIP dominance is binary: dominate or don't. If you don't dominate, you have no process access via PIP — the operation is denied regardless of which specific operation was attempted. The process SD provides per-operation granularity (different access rights for signals vs memory vs metadata); PIP is the all-or-nothing gate on top of the SD check. Both MUST pass.

PIP process isolation is enforced at kernel hook sites. Each hook reads pip_type and pip_trust from the caller's PSB and the target's PSB, performs the dominance check, and denies the operation if the caller does not dominate.

§8.2.1 SeDebugPrivilege and process SD interaction

All process-to-process operations perform two checks: (1) an AccessCheck against the target's process SD, and (2) a PIP dominance check. SeDebugPrivilege bypasses only the process SD check — it MUST NOT bypass PIP dominance. This applies uniformly to all enforcement points: ptrace, signal delivery, prlimit, process information query/set, and token open operations.

§8.2.2 ptrace

ptrace grants full control over the target: read/write memory, read/write registers, single-step execution, inject signals, modify execution flow. A single successful ptrace attach is equivalent to full compromise of the target process.

If the caller does not dominate the target, the operation MUST be denied regardless of ptrace mode. SeDebugPrivilege bypasses the process SD check but MUST NOT bypass PIP dominance.

§8.2.3 Process memory access

Direct memory access (/proc/pid/mem, process_vm_readv, process_vm_writev) goes through the same ptrace access check in the kernel. The PIP check in the ptrace hook covers all memory access vectors.

§8.2.4 Signal delivery

Signals can disrupt, terminate, or debug a process. If the caller does not dominate the target, signal delivery MUST be denied. PIP dominance is checked uniformly regardless of signal type.

The process SD provides per-signal granularity via three access rights: PROCESS_TERMINATE (lethal signals), PROCESS_SUSPEND_RESUME (stop/continue signals), and PROCESS_SIGNAL (informational signals). See the signal classification table in the process SD specification for the full mapping.

This means lifecycle management of PIP-protected processes (shutdown, restart) MUST go through a process that dominates them — in practice, peinit, which runs at the highest trust level.

§8.2.5 /proc metadata

/proc/pid/ exposes process metadata: command line, memory maps, open file descriptors, environment, status, symlinks to the executable and working directory, namespace handles, and more. New kernel versions regularly add entries.

PIP enforcement on /proc/pid/ uses a default-deny model. If the caller does not dominate the target and the target is PIP-protected, access to ALL files and symlinks under /proc/pid/ MUST be denied. This includes both ptrace-gated entries (mem, maps, fd, environ) and non-ptrace-gated entries (cmdline, status, stat, io, cgroup, exe, cwd, root, ns/*, wchan, stack, syscall, smaps, oom_score, and any others).

Default-deny avoids a blacklist that becomes stale as the kernel adds new /proc entries. The only exception is the directory entry itself — the PID remains visible in /proc directory listings (getdents). The process is visible-but-inaccessible.

§8.2.6 Resource limits (prlimit)

Changing a process's resource limits (prlimit) requires PROCESS_SET_INFORMATION on the target's process SD, plus PIP dominance. SeDebugPrivilege bypasses the SD check but not PIP.

§8.2.7 Token open operations

Opening another process's primary token (kacs_open_process_token) or a thread's token (kacs_open_thread_token) requires PROCESS_QUERY_INFORMATION on the target's process SD, plus PIP dominance. These are process-boundary-crossing operations — reading a process's security identity is as sensitive as reading its memory.

§8.2.8 Performance monitoring (perf_event_open)

perf_event_open() targeting a specific process can leak execution timing, branch prediction behavior, cache access patterns, and instruction traces — side-channel information that can reveal cryptographic keys and other secrets. If the caller does not dominate the target and the target is PIP-protected, perf_event_open() MUST be denied. This is enforced via the security_perf_event_open LSM hook.

§8.2.9 /dev/mem and /dev/kmem

/dev/mem provides raw access to physical memory. A process with access to /dev/mem could read any process's memory by mapping its physical pages, bypassing all virtual memory protections including PIP.

The primary defense is CONFIG_STRICT_DEVMEM=y, which restricts /dev/mem to I/O regions only (no RAM access). This is a kernel build configuration requirement. As a secondary defense, FACS SHOULD place a restrictive SD on /dev/mem and /dev/kmem.

§8.3.1 Threat model boundary

PIP operates within the kernel's trust boundary. Three things sit outside it:

Kernel compromise. A loaded kernel module runs with unrestricted access to all memory and kernel data structures. PIP is enforced by the kernel; if the kernel is compromised, PIP is void. SeLoadDriverPrivilege is therefore the ceiling of PIP's guarantees.

Defense-in-depth:

• CONFIG_MODULE_SIG_FORCE=y — require cryptographically signed kernel modules.
• Strip SeLoadDriverPrivilege from all tokens except peinit's.

Hardware access. DMA-capable devices can read and write physical memory directly, bypassing the CPU's virtual memory system. IOMMU mitigates this but IOMMU configuration is a kernel responsibility.

Hypervisor-level isolation. PIP cannot provide guarantees equivalent to hypervisor-based memory isolation. The threat model ceiling is "non-compromised kernel."

§8.3.2 Fd inheritance across PIP transitions

When a PIP-protected process forks and the child execs an unsigned binary, the child's PIP drops to None. However, file descriptors inherited from the parent retain their cached granted masks — including access to PIP-protected objects that the child could not independently open.

KACS does not perform fd sanitization at PIP transitions. This is an intentional simplification for v0.22. The mitigations are:

• O_CLOEXEC. TCB processes SHOULD open all fds with O_CLOEXEC. Fds that don't survive exec cannot leak. Token fds are O_CLOEXEC by default.
• Operational discipline. PIP-protected processes (authd, loregd, etc.) are TCB components that should not fork+exec untrusted binaries. Their children are other signed TCB components launched by peinit.
• no_child_process. TCB processes that have no legitimate reason to fork can set this PSB restriction to prevent the scenario entirely.

Kernel-level fd sanitization at exec-time PIP downgrade (closing fds whose granted masks exceed what the new PIP level would allow) is a future enhancement. The semantics are non-trivial: the kernel would need to walk all fds, re-evaluate PIP eligibility for each, and close those that fail — potentially breaking legitimate fd inheritance patterns.

SCM_RIGHTS fd injection into PIP-protected processes is not a PIP-specific concern. The received fds carry the sender's granted masks (typically lower privilege), and the handle model applies: possession is authorization. This is a general confused-deputy risk, not a PIP bypass.

§8.3.3 Impersonation interaction

PIP reads from the PSB, not the effective token. When service A (Protected, trust 5) impersonates client B, service A's process isolation checks still use service A's PSB. The client's identity does not affect the process-to-process boundary.

Conversely, if a None-type process impersonates a token that was created for a Protected-type process, the impersonation MUST NOT grant process isolation privileges. The process's PSB is still None.

§8.3.4 No debug opt-out

PIP determination is entirely kernel-driven from the binary's cryptographic signature. There is no equivalent of Windows's PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL — a parent process cannot choose to launch a signed binary without PIP protection.

This is intentional: removing the parent-controlled aspect eliminates the attack surface where a compromised launcher forges a protection level. The trade-off is that a signed binary always gets full PIP protection and cannot be ptraced, even for debugging.

Workaround: compile an unsigned debug build of the binary. An unsigned binary gets pip_type = None and is fully debuggable. This is the intended development workflow — production binaries are signed and protected, debug binaries are unsigned and unprotected. A formal opt-out mechanism may be added in a future version if the operational need is demonstrated.

§8.3.5 Coredumps

When a PIP-protected process crashes, a core dump is a potential secret leak. Core dumps of PIP-protected processes MUST NOT be readable by non-dominant processes.

Two strategies:

Disable dumps. Clear the dumpable flag for PIP-protected processes at exec time. No core dump is generated. Simple and secure.

PIP-protected crash handler. A signed, high-trust crash handler receives dump data from the kernel and writes it with a restrictive SD that only PIP-dominant processes can read. The kernel generates dump data internally (in the crashing process's own context), so PIP process isolation is never bypassed.

Impersonation allows a server thread to temporarily assume a client's identity. All access control decisions on that thread evaluate the client's token instead of the server's.

The client controls how far their identity can travel by setting an impersonation level on the connection before it is established. The server MUST NOT escalate beyond the level the client chose.

§9.1.1 Levels

Four levels, from least to most permissive:

Anonymous. The server MUST NOT identify the caller. The connection carries no identity information — both token inspection and impersonation return a token containing only the Anonymous SID (S-1-5-7). There is no API that bypasses the client's choice.

Identification. The server can identify the caller (read SIDs, query groups, inspect privileges) but MUST NOT act as them. An Identification-level token MUST NOT be used for AccessCheck against resources. If a server thread impersonates an Identification-level token and attempts to open a file, the access check fails.

Impersonation. The server can act as the caller for all local operations, including operations that cross local IPC boundaries. If service A impersonates client B at Impersonation level and connects to service C (also local), service C sees client B's identity. Identity cascades freely across local services. This is the default level.

Delegation. For local operations, identical to Impersonation. The distinction activates at the network boundary: a Delegation-level token carries authorization for the server to forward the client's identity to services on other machines via Kerberos delegation. KACS enforces the level; authd acts on it for network-level credential forwarding.

The level is set by the client via a KACS syscall on the socket before connect(). The default is Impersonation.

When a server thread attempts to impersonate a client's token, two independent checks determine whether impersonation proceeds at the requested level or is capped downward. Both MUST pass for the requested level to be granted. If either fails, the effective level is reduced to Identification — never the reverse.

§9.2.1 The identity gate

The identity gate answers: is this server permitted to impersonate this particular user's identity?

Impersonation at the Impersonation or Delegation level is permitted if any of the following are true:

1. Same user, same restriction status. The server's primary token and the client's token have the same user SID, and both are either restricted or both unrestricted. A restricted token MUST NOT impersonate an unrestricted token of the same user — this would allow a sandbox to escape by impersonating its parent's unrestricted token.

2. SeImpersonatePrivilege. The server's primary token holds SeImpersonatePrivilege and it is enabled.

If neither condition holds, the impersonation level is silently capped to Identification. No error is returned; the impersonation call succeeds, but the resulting token is at Identification level.

Exception: restricted-server → unrestricted-client same-user impersonation is hard-denied (-EPERM). This prevents a sandboxed process from escaping by impersonating its parent's unrestricted token. The reverse direction (unrestricted → restricted) is a harmless downgrade and uses the normal cap-to-Identification path.

The identity gate is checked against the server's primary token (real_cred), not the effective token. If the server is already impersonating another client, that impersonation MUST NOT affect the gate evaluation.

§9.2.2 The integrity ceiling

The integrity ceiling answers: is the client's token at an integrity level the server is allowed to assume?

The impersonation token's integrity level MUST be less than or equal to the server's primary token's integrity level. A Medium-integrity server can impersonate Low or Medium clients. It MUST NOT impersonate High-integrity clients at Impersonation level — the result is capped to Identification.

This constraint exists because MIC in AccessCheck uses the effective token's integrity level. Without the ceiling, a server could impersonate a higher-integrity token and gain write access to higher-integrity objects — integrity escalation through impersonation.

The integrity ceiling is checked against the server's primary token. It is always enforced, regardless of privileges — SeImpersonatePrivilege bypasses the identity gate but MUST NOT bypass the integrity ceiling.

§9.2.3 Gate composition

The two gates are independent. Both are evaluated, and the effective impersonation level is the minimum permitted by all constraints:

1. Start with the level the client set on the socket.
2. If the identity gate fails, cap to Identification.
3. If the integrity ceiling fails, cap to Identification.
4. The result is the effective impersonation level.

§9.3.1 The sequence

1. Client connects. The client optionally sets the maximum impersonation level via syscall (default: Impersonation). The client calls connect() on a Unix stream (SOCK_STREAM) or seqpacket (SOCK_SEQPACKET) socket. The kernel's LSM hook (security_unix_stream_connect, which fires for both stream and seqpacket) captures the client's identity.

2. Identity capture. The hook examines the client thread's effective credential and the socket's max impersonation level:

   • Anonymous: a token containing only S-1-5-7 is stored on the socket's LSM blob. The client's real identity is not recorded.
   • Impersonation or Delegation: the thread's effective token is stored. If the connecting thread is itself impersonating, the impersonated identity flows through — this is how identity cascades across local services.
   • Identification: the thread's effective token is stored but tagged at Identification level.

3. Server impersonates. The server calls kacs_impersonate_peer with the connection fd. The kernel retrieves the stored token and evaluates the two gates against the server thread's primary token. The effective level is computed. A new credential is constructed with the impersonation token at the resulting level. The credential holds its own reference to the token (refcount incremented). Closing the source socket or token fd after this point does not revoke impersonation — the credential's reference keeps the token alive.

4. Access control. All subsequent AccessCheck evaluations on this thread use the impersonation token. MIC uses the impersonation token's integrity level. PIP uses the PSB (unchanged).

5. Revert. The server calls kacs_revert(). The thread's credential is restored to real_cred. The impersonation credential is freed, dropping its token reference. The thread is back to its service identity.

§9.3.2 Anonymous semantics

Any thread MAY impersonate the Anonymous identity without passing either gate. Assuming Anonymous is always a downgrade — the Anonymous token has no access rights beyond what is explicitly granted to S-1-5-7 or Everyone. No privilege is needed, no identity gate check is performed, and no integrity ceiling applies.

Anonymous tokens carry only the Anonymous SID (S-1-5-7) as the user SID, no privileges, and Untrusted integrity. This applies uniformly regardless of how the Anonymous token was obtained:

• Socket path: kacs_impersonate_peer at Anonymous level constructs a minimal token from scratch. The client's real identity is not recorded.
• Duplicate path: KACS_IOC_DUPLICATE with target impersonation_level=Anonymous strips the source token's identity. The duplicate is a minimal Anonymous token, not a copy of the source with the level flag changed. The source token's user SID, groups, privileges, and claims are not carried forward.

This ensures Anonymous is an identity boundary, not a cosmetic flag. A service that needs to "drop identity" for an operation can duplicate its client token to Anonymous and impersonate the result.

§9.3.2.1 Anonymous-in-Everyone policy

A system-wide kernel setting controls whether Anonymous tokens include Everyone (S-1-1-0) in their group list:

• Default (secure): excluded. Anonymous tokens have no group memberships. They can only match ACEs targeting S-1-5-7 explicitly. ACEs targeting Everyone do NOT match. This is the recommended setting and the default at boot.
• Permissive: included. Anonymous tokens include Everyone as a group. ACEs targeting Everyone match Anonymous tokens. This is less secure — a targeted deny on a specific user SID can be bypassed by going Anonymous, since the deny no longer matches but the Everyone allow does.

The setting is stored in the registry and read by the kernel at boot. It can be changed at runtime via a privileged syscall (SeTcbPrivilege required). The setting applies to all Anonymous token construction — both the socket path and the duplicate path.

§9.3.3 Double impersonation

If a thread is already impersonating and calls kacs_impersonate_peer again, the kernel internally reverts and then re-impersonates. The gates are evaluated against the primary token (unaffected by the previous impersonation).

§9.3.4 Interaction with MIC and PIP

MIC uses the effective token because the integrity ceiling makes it safe. A thread can never hold an impersonation token with a higher integrity level than its primary token. MIC can trust the effective token because impersonation can only lower integrity, never raise it.

PIP uses the PSB because there is no equivalent ceiling. PIP operates on pip_type and pip_trust, which are orthogonal to integrity level. If PIP read from the effective token, a process could impersonate a token carrying higher PIP values and gain protection it does not deserve.

§9.3.5 SeImpersonatePrivilege

SeImpersonatePrivilege permits a service to impersonate arbitrary clients — those with different user SIDs. Without it, a process can only impersonate tokens that match its own user SID and restriction status.

The privilege is checked against the server's primary token. A thread already impersonating one client has its privilege checked against its real service identity.

SeImpersonatePrivilege bypasses only the identity gate. It MUST NOT bypass the integrity ceiling. The privilege MUST be enabled at the time of the impersonation call.

§9.3.6 Supported transports

Socket-based impersonation (kacs_impersonate_peer) is supported on two socket types:

• SOCK_STREAM — connection-oriented byte stream. The standard IPC transport for Peios services.
• SOCK_SEQPACKET — connection-oriented with message boundaries. Same identity capture model as stream (same LSM hook, same SO_PEERCRED). Useful for services that need message framing.

Both use the same identity lifecycle: capture at connect(), impersonate via kacs_impersonate_peer, revert via kacs_revert.

Not supported for socket-based impersonation:

• SOCK_DGRAM — connectionless. Identity would come via per-message SCM_CREDENTIALS, which is a fundamentally different model (no persistent peer, per-message identity). Under KACS, CAP_SETUID is ALLOW, so any process can forge SCM_CREDENTIALS — the identity assertion is not trustworthy. Services using datagram sockets that need client identity SHOULD use explicit token fd passing (SCM_RIGHTS + KACS_IOC_IMPERSONATE) instead.
• Pipes / FIFOs — no peer credential mechanism.

Explicit token fd impersonation (KACS_IOC_IMPERSONATE) works regardless of how the token fd was obtained — socket-based, SCM_RIGHTS transfer, kacs_open_peer_token, or any other path. This is the universal fallback for transports that don't support socket-based impersonation.

§9.3.7 Per-call level constraint

KACS_IOC_IMPERSONATE uses the token's own impersonation_level (subject to gate capping). There is no per-call max-level parameter equivalent to Windows's SECURITY_QUALITY_OF_SERVICE.

If a service holds a Delegation-level token but needs only Impersonation-level access, it SHOULD duplicate the token to Impersonation level first via KACS_IOC_DUPLICATE, then impersonate the duplicate. This is the standard pattern for defense-in-depth: hold the minimum impersonation level needed for the operation.

§9.3.8 Thread-to-thread impersonation

KACS does not support direct thread-to-thread impersonation (Windows's NtImpersonateThread). Impersonation is established via socket peer identity (kacs_impersonate_peer) or explicit token fd (KACS_IOC_IMPERSONATE). There is no mechanism for thread A to directly assume thread B's client identity without an intermediate token fd.

This is an architectural simplification. In Windows, thread-to-thread impersonation is used for RPC dispatch where a receiving thread needs to assume a client thread's identity. In KACS, the equivalent workflow uses socket-based impersonation or explicit token passing via fd.

§9.3.9 Delegation and the network boundary

Locally, Impersonation and Delegation are identical. The distinction activates at the network boundary: a Delegation-level token carries authorization for Kerberos credential forwarding to services on other machines.

KACS tracks the impersonation level on the token and the socket. When authd needs to perform Kerberos authentication on behalf of an impersonating thread, it checks the level. KACS has no Kerberos awareness and no network awareness — the level is a flag that authd interprets.

AccessCheck is the function that connects tokens to Security Descriptors. Given a token (who is asking?), a Security Descriptor (what are the rules?), and a desired access mask (what do they want to do?), AccessCheck returns a verdict: which of the requested rights are granted, and whether the request succeeds or fails.

AccessCheck is a pipeline that evaluates multiple layers of security policy in a specific order. Each layer can grant or constrain access, and the layers interact -- integrity policy can block what the DACL would allow, privileges can override what the DACL denied, and confinement can revoke what privileges granted. The order matters.

§10.1.1 API variants

AccessCheck has two API variants:

• AccessCheck — the common case. Returns: the granted access mask, whether the request succeeded, a continuous audit mask (from SACL alarm ACEs), and a CAAP staging mismatch flag. When an object type list is provided, success requires all listed nodes to pass; the returned mask is the intersection. In this variant, the staging mismatch flag is set if the staged scalar result differs from the effective scalar result, if any per-node staged grant differs from the effective per-node grant, or if staged auditing differs from effective auditing.

• AccessCheckResultList — the per-property variant. Requires an object type list. Returns a separate verdict for each node — a denial on one property fails that property only, not the whole request. Also returns continuous audit mask and staging mismatch. In this variant, the staging mismatch flag is set if any node's staged granted mask differs from that node's effective granted mask, or if staged auditing differs from effective auditing. Used by directory services where a single operation may touch multiple properties with independent access rules.

  Privilege-use auditing in this variant also uses the per-node view: a privilege counts as successfully used if its contributed requested bits survive on any node's final granted mask.

Both variants share the same evaluation pipeline. The only difference is how results are collected.

§10.1.2 Core mechanics

Three values track the state of every access check:

decided — which bits in the access mask have been resolved. Enforces first-writer-wins within the DACL walk: once a bit is decided, no later ACE in the same walk can change its outcome. However, pipeline layers that operate on top of the DACL result -- restricted token intersection, confinement intersection, PIP revocation, CAAP intersection -- MAY revoke granted bits. Those layers narrow the result; they do not re-evaluate decided bits through the DACL.

granted — which bits have been resolved as "yes, access is granted." During the DACL walk, granted is a subset of decided. After the walk, pipeline layers MAY remove bits from granted. The final granted is what the caller receives.

privilege_granted — which bits in granted were specifically granted by a privilege rather than by the DACL. Exists for audit accuracy (distinguishing DACL-granted from privilege-granted access) and for the restricted token merge (privilege-granted bits are restored after the intersection so that privileges bypass the restricted pass). PIP MAY revoke privilege-granted bits.

When an object type list is present, each node carries its own decided and granted pair.

The DACL is an ordered list of ACEs. AccessCheck walks the list from first entry to last, comparing each ACE's SID against the calling token's identity.

The fundamental principle is first-writer-wins: once a bit in the access mask has been resolved -- granted or denied -- no later ACE can change the outcome for that bit.

§10.2.1 Allow ACEs

When an allow ACE's SID matches the token and the ACE carries rights that have not yet been decided, those rights are granted. Already-decided bits are unaffected.

§10.2.2 Deny ACEs

When a deny ACE's SID matches the token and the ACE carries rights that have not yet been decided, those rights are denied (decided but not granted). Already-decided bits are unaffected.

§10.2.3 SID matching

An ACE's SID matches the token if it equals the token's user SID or a group SID on the token, subject to group attribute filtering:

• Allow ACEs: only groups that are enabled (SE_GROUP_ENABLED) and not deny-only match.
• Deny ACEs: both enabled groups and deny-only groups (SE_GROUP_USE_FOR_DENY_ONLY) match. A deny-only group always participates in deny matching regardless of its enabled state.
• A group with neither ENABLED nor USE_FOR_DENY_ONLY set does not participate in any matching.

The user SID follows the same deny-only rules: when user_deny_only is true, the user SID matches deny ACEs but not allow ACEs.

§10.2.4 Inherit-only ACEs

ACEs with the INHERIT_ONLY flag exist solely to propagate to child objects. The DACL walk MUST skip them.

§10.2.5 ACE mask mapping

At the top of the walk, each ACE's access mask is mapped through MapGenericBits using the same GenericMapping applied to the caller's request. The mapping uses a local copy -- the ACE itself MUST NOT be mutated.

§10.2.6 NULL DACL

If the SD has no DACL (SE_DACL_PRESENT not set), all valid rights that have not already been decided by earlier pipeline stages are granted AND marked as decided. The valid rights are bounded to MapGenericBits(GENERIC_ALL, mapping), not raw 0xFFFFFFFF. Marking these bits as decided ensures the restricted pass and confinement pass see a full grant from the NULL DACL during their intersections.

§10.2.7 Empty DACL

If the DACL is present but contains zero ACEs, no rights are granted by the walk. The only access an owner receives comes from the owner implicit rights mechanism.

§10.2.8 Short-circuit

When all bits in the caller's desired mask have been decided, the walk MAY stop early. This optimization MUST NOT apply in MAXIMUM_ALLOWED mode, where the walk MUST run to completion.

§10.2.9 Owner implicit rights

By default, the owner of an object receives READ_CONTROL and WRITE_DAC regardless of what the DACL says. These implicit rights are granted before the DACL walk begins, as the first action inside EvaluateDACL. Because first-writer-wins governs the walk, a deny ACE encountered during the walk cannot override owner implicit rights.

The EvaluateDACL function accepts a skip_owner_implicit parameter. When true (used by the confinement pass), the implicit grant is skipped entirely — confinement is an absolute intersection with no owner bypass.

If any non-inherit-only access-control ACE in the DACL targets the OWNER RIGHTS SID (S-1-3-4), the implicit grant is suppressed entirely. This is a pre-scan of the DACL performed at the start of EvaluateDACL, before the main walk loop. The pre-scan checks for the ACE's SID presence only — it does not evaluate conditional expressions on the ACE.

During the main walk, S-1-3-4 is treated as a normal SID matching the owner (both allow and deny polarity).

§10.2.10 MAXIMUM_ALLOWED

When the caller includes MAXIMUM_ALLOWED (bit 25) in the desired mask, AccessCheck runs the full evaluation pipeline and returns the complete set of rights that would be granted. MAXIMUM_ALLOWED is stripped from the desired mask before evaluation begins.

Effects:

• The DACL walk runs to completion (no short-circuit).
• The returned mask is whatever the pipeline accumulated, not filtered to requested bits.

MAXIMUM_ALLOWED MAY be combined with specific rights: MAXIMUM_ALLOWED | READ_CONTROL asks both "can I read the SD?" (success/fail) and "what else could I get?" (granted mask).

A pure MAXIMUM_ALLOWED request with no specific bits always succeeds.

MIC is a mandatory constraint that restricts which rights the DACL is allowed to grant based on a vertical trust hierarchy. It is evaluated before the DACL walk.

Every token carries an integrity level. Every object MAY carry a mandatory label (a SYSTEM_MANDATORY_LABEL_ACE in its SACL). MIC compares the two: if the caller's integrity level is below the object's, certain categories of access are blocked regardless of what the DACL says.

§10.3.1 Default behaviour

The default is no-write-up: a lower-integrity process can read and execute a higher-integrity object but MUST NOT write to it. The object's mandatory label MAY additionally block reads (no-read-up) or execution (no-execute-up) for processes below its integrity level.

§10.3.2 Default label

When an object has no mandatory label ACE in its SACL, MIC applies a default: Medium integrity with no-write-up. This ensures Low and Untrusted processes MUST NOT write to unlabeled objects.

§10.3.3 MIC and privileges

Rights granted by privileges (resolved before MIC in the pipeline) are NOT constrained by MIC. MIC constrains what the DACL can grant; it does not revoke what privileges have already granted.

This includes ACCESS_SYSTEM_SECURITY: MIC does not block it, because that right is privilege-granted rather than DACL-granted. PIP is stricter and MAY revoke ACCESS_SYSTEM_SECURITY for non-dominant callers because PIP explicitly revokes privilege-granted rights.

§10.3.4 SeRelabelPrivilege

SeRelabelPrivilege has a specific interaction with MIC: it allows the DACL to grant WRITE_OWNER even when MIC would otherwise block it due to an integrity level mismatch. This enables a privileged administrator to take ownership of a higher-integrity object as the first step in modifying it.

§10.3.5 Token integrity policy

MIC enforcement is controlled by the token's mandatory_policy field. When the NO_WRITE_UP flag is set (the default), MIC's no-write-up rule applies. When cleared, MIC is effectively disabled for that token.

The mandatory policy is fixed -- set at token creation time. A process MUST NOT loosen its own MIC constraints.

§10.3.6 Dominant callers

A caller whose integrity level is greater than or equal to the object's label dominates the object. MIC MUST NOT pre-decide any bits for dominant callers -- the DACL handles authorization normally.

§10.3.7 Multiple labels

If an object's SACL contains multiple mandatory label ACEs, only the first non-inherit-only ACE MUST be used. Inherit-only mandatory-label ACEs do not apply to the current object.

§10.3.8 Label SID validity

The SID in a SYSTEM_MANDATORY_LABEL_ACE MUST have the Mandatory Label authority (S-1-16) and exactly one sub-authority. The sub-authority value is the numeric integrity level, compared as an unsigned integer. Any S-1-16-X SID is valid — the integrity level is the sub-authority value X.

A mandatory-label ACE with a SID outside the S-1-16 authority (wrong identifier authority or wrong sub-authority count) is malformed. AccessCheck MUST reject the SD.

§10.3.8.1 Standard integrity levels

These are the standard levels. Peios tools and authd SHOULD use these values. Intermediate values (e.g., S-1-16-2048, S-1-16-8448) are valid and compared numerically — this ensures interoperability with Windows-originated SDs that use non-standard levels.

§10.3.9 Label policy bits

The mandatory-label ACE mask uses these policy bits:

Unknown mandatory-label mask bits MUST be ignored.

§10.3.10 MIC enforcement algorithm

EnforceMIC(ace, token, mapping, &decided):

    if not (token.mandatory_policy & NO_WRITE_UP):
        return

    token_dominates = (token.integrity_level >= ace.integrity_level)

    if token_dominates:
        return

    // Non-dominant: start with read + execute + standard read rights,
    // strip based on label policy. READ_CONTROL and SYNCHRONIZE are
    // always in the allowed set regardless of the object type's
    // GenericMapping — a non-dominant caller can always read the SD
    // and synchronize on an object.
    allowed = MapGenericBits(GENERIC_READ, mapping)
            | MapGenericBits(GENERIC_EXECUTE, mapping)
            | READ_CONTROL
            | SYNCHRONIZE

    if ace.mask & SYSTEM_MANDATORY_LABEL_NO_READ_UP:
        allowed &= ~MapGenericBits(GENERIC_READ, mapping)
    if ace.mask & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP:
        allowed &= ~MapGenericBits(GENERIC_WRITE, mapping)
    if ace.mask & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP:
        allowed &= ~MapGenericBits(GENERIC_EXECUTE, mapping)

    // SeRelabelPrivilege: allow WRITE_OWNER through MIC.
    if token.privilege_enabled(SeRelabelPrivilege):
        allowed |= WRITE_OWNER

    all_bits = MapGenericBits(GENERIC_ALL, mapping)
    decided |= all_bits & ~allowed

A restricted token carries a secondary SID list -- the restricting SIDs. When AccessCheck encounters a restricted token, it evaluates the DACL twice:

1. Normal pass. The DACL is evaluated against the token's normal identity (user SID, group SIDs). This is the standard evaluation.

2. Restricted pass. The same DACL is evaluated again, but SID matching uses only the restricting SID list. The token's normal groups are invisible. Conditional membership operators (Member_of, Member_of_Any, and their device variants) also use this restricted identity view: only the restricting SID list is visible, plus any virtual groups injected from that list.

The restricting SID list is presence-based. A SID participates in the restricted identity whenever it appears in restricted_sids; SE_GROUP_ENABLED and SE_GROUP_USE_FOR_DENY_ONLY on those entries are ignored for restricted-pass SID matching and restricted-pass non-device conditional membership. This matches Windows restricted-token behavior, where restricting SIDs are always enabled for access checks.

Access is granted only for rights that both passes agree on -- the intersection. The restricting SID list acts as a filter: the principal can never receive more access than the restricting SIDs would independently permit.

§10.4.1 Write-restricted tokens

A variant where the intersection applies only to write-category bits. Read and execute access comes from the normal pass alone. What constitutes "write" is defined by the object type's GenericMapping: the bits that GENERIC_WRITE maps to are subject to the restricted check.

§10.4.2 Privileges bypass the restricted pass

Rights granted by privileges are added back after the intersection. Privileges are system-level grants from security policy, not from the object's DACL. Token restriction reduces the token's identity-based access surface; privilege-based grants are orthogonal.

§10.4.3 Owner implicit rights in the restricted pass

The restricted pass evaluates owner implicit rights independently: if the object's owner SID appears in the restricting SID list, the restricted pass grants READ_CONTROL and WRITE_DAC (subject to the same OWNER RIGHTS suppression rules as the normal pass). If the owner SID is not a restricting SID, the restricted pass does not grant implicit rights.

§10.4.4 Virtual groups in the restricted pass

If the object's owner SID appears in the restricting SIDs, S-1-3-4 (OWNER RIGHTS) is injected as a virtual restricting SID. If self_sid appears in the restricting SIDs, S-1-5-10 (PRINCIPAL_SELF) is injected. This ensures the restricted pass handles these well-known SIDs consistently.

§10.4.5 Restricted device groups

If the token has restricted device groups, the restricted pass swaps them in so that conditional expression operators (Device_Member_of, etc.) evaluate against the restricted set, not the unrestricted device groups.

Object ACEs add a GUID to the ACE that identifies which property or property set the rule applies to. They enable per-property access control on objects with internal structure, such as Active Directory objects.

An object ACE without a GUID (ACE_OBJECT_TYPE_PRESENT not set) behaves identically to a basic ACE.

§10.5.1 Object type lists

To request property-level access, the caller provides an object type list -- a tree of GUIDs representing the properties being requested. Each node tracks its own access state independently.

When no object type list is provided, object ACEs with GUIDs apply globally, as if they were basic ACEs.

When an object type list is provided, any ACE that behaves like a basic ACE applies globally to every node in the tree. This includes ordinary basic ACEs and object ACEs without an ObjectType GUID.

§10.5.2 Propagation

Access decisions propagate through the tree in two directions:

Downward from grants. When an object ACE grants access to a property set, that grant flows down to all attributes within the set. Each child node independently respects first-writer-wins.

Upward from grants. When every attribute within a property set has been granted the same right, that right propagates up to the property set node. Uses per-bit intersection -- a right propagates to the parent only if all siblings share it.

Upward from denials. When an object ACE denies access to an attribute, the denial propagates upward to each ancestor regardless of sibling state. Sibling nodes are unaffected. Upward denial propagation does not override bits already decided at an ancestor; each ancestor still applies normal first-writer-wins for the propagated bits.

Downward from denials. When an object ACE denies access to a property set, the denial flows to all attributes within the set, subject to first-writer-wins.

§10.5.3 PRINCIPAL_SELF (S-1-5-10)

PRINCIPAL_SELF is a well-known SID that acts as a placeholder for the object's associated principal. An ACE targeting S-1-5-10 matches the caller if the caller's token represents the same principal as the object.

The caller provides the object's principal SID as the self_sid parameter to AccessCheck. If self_sid is null, PRINCIPAL_SELF ACEs match nothing.

PRINCIPAL_SELF follows the same deny-only rules as other SIDs: if the caller's matching SID is deny-only, PRINCIPAL_SELF matches for deny ACEs but not allow ACEs.

§10.5.4 AccessCheck vs AccessCheckResultList

AccessCheck requires every node to pass -- if any property is denied, the whole request fails. AccessCheckResultList returns a separate verdict per node.

§10.5.5 Object type list validation

KACS validates object type lists strictly:

• The list MUST NOT be empty (when provided).
• The first node MUST be at level 0.
• There MUST be exactly one level-0 node.
• Level gaps (a node at level N+2 following a node at level N) MUST be rejected.
• Duplicate GUIDs MUST be rejected.

Confinement restricts a token's effective access to only what is explicitly granted to its confinement identity. Even if the normal DACL walk grants access via the user SID or group SIDs, the confinement pass intersects those grants with what the confinement SIDs would independently receive. Access that the confinement SIDs cannot independently justify is revoked. The only exception is objects with a NULL DACL (no discretionary restrictions), which grant access in the confinement pass as they do in the normal pass.

§10.6.1 How confinement works

A confined token carries:

• confinement_sid — the token's confinement identity. When set, the token is confined.
• confinement_capabilities — capability SIDs the application has declared.
• confinement_exempt — escape hatch. When set, confinement restrictions are not evaluated.

AccessCheck evaluates confinement as a final mask over the granted rights. The normal evaluation (DACL walk, privileges, integrity, restricted tokens) runs first. The confinement check then independently evaluates the same DACL, matching only against the confinement SID and capability SIDs. The final result is the intersection.

The confinement SID set is:

• confinement_sid
• every SID in confinement_capabilities

confinement_capabilities are presence-based capability identities, not ordinary ACE-matching groups. A capability SID participates in the confinement SID set whenever it is present in confinement_capabilities, regardless of SE_GROUP_ENABLED or SE_GROUP_USE_FOR_DENY_ONLY.

The confinement pass also injects confinement-scoped virtual groups:

• S-1-5-10 (PRINCIPAL_SELF) is injected only if self_sid equals confinement_sid or one of the confinement capability SIDs.
• S-1-3-4 (OWNER RIGHTS) is injected only if the object's owner SID equals confinement_sid or one of the confinement capability SIDs.

These confinement-scoped virtual groups apply to both:

• ACE SID matching during the confinement DACL walk
• conditional membership operators (Member_of, Member_of_Any, and the device/non-device negated variants) evaluated during the confinement pass

The generic allow/deny group-attribute rules do not apply to capability membership inside the confinement SID set. Disabling a capability entry or marking it deny-only does not remove it from the confinement identity.

This is an absolute boundary:

• Privileges MUST NOT bypass confinement.
• Owner implicit rights MUST NOT apply in the confinement evaluation.
• Backup, restore, SeTakeOwnershipPrivilege, SeSecurityPrivilege -- none can grant access that the confinement check denies.

§10.6.2 Strict confinement

A normal confined token carries both ALL_APPLICATION_PACKAGES and ALL_RESTRICTED_APPLICATION_PACKAGES in its capabilities. For additional security, ALL_APPLICATION_PACKAGES MAY be omitted. This is strict confinement -- far fewer system objects grant to ALL_RESTRICTED_APPLICATION_PACKAGES, resulting in a much narrower access surface.

A strictly confined token MUST NOT carry ALL_APPLICATION_PACKAGES in its confinement_capabilities.

§10.6.3 Known consequences

• SACL access is unreachable. ACCESS_SYSTEM_SECURITY is granted by SeSecurityPrivilege in the privilege grants step, not by any DACL ACE. The confinement intersection only preserves bits that the confinement DACL walk independently granted. Since ACCESS_SYSTEM_SECURITY never appears in the confinement DACL walk's output, the intersection strips it.
• Owner implicit rights are skipped in the confinement evaluation.
• NULL DACL grants access. An object with no DACL means "no discretionary restrictions." The confinement pass follows standard evaluation -- NULL DACL grants all valid bits.
• OWNER RIGHTS is confinement-scoped. S-1-3-4 matches in the confinement pass only when the owner SID is part of the confinement SID set.
• PRINCIPAL_SELF is isolated from user identity in the confinement pass. S-1-5-10 is injected only if self_sid matches a confinement SID (the package SID or a capability).
• Conditional membership operators are confinement-scoped. Membership operators in conditional expressions (Member_of, Member_of_Any, Not_Member_of, Not_Member_of_Any) evaluate against the confinement SID set during the confinement pass, not the token's real group list. This matches the ordinary SID matching behavior — confinement isolates identity uniformly. A conditional ACE like Allow Everyone if Member_of({Administrators}) does NOT grant access in confinement unless Administrators is in the confinement SID set, even though the real token may carry Administrators.
• Device membership operators are confinement-scoped. Device_Member_of and its variants evaluate against the confinement SID set during the confinement pass (not the token's real device groups, and not the restricted device groups). Device identity is part of the identity boundary that confinement enforces. This contrasts with the restricted pass, which swaps in restricted device groups but preserves real device groups for non-device operators.
• Non-membership conditional operators see the full token. Operators that evaluate claims and resource attributes (Exists, ==, !=, <, >, <=, >=, Contains, Any_of) use the token's real user_claims, device_claims, and the object's resource attributes during the confinement pass. Claims are properties, not identity — confinement isolates identity but does not erase properties.
• Confinement-scoped virtual groups in conditionals. S-1-3-4 (OWNER RIGHTS) and S-1-5-10 (PRINCIPAL_SELF) follow the confinement identity rules during conditional membership evaluation, as described above.

§10.6.4 Confinement ordering

Confinement runs AFTER the restricted token merge and its privilege restoration. This ordering is critical: privileges bypass the restricted pass but MUST NOT bypass confinement. If confinement ran before the restricted merge, the privilege restoration would resurrect bits that confinement already blocked.

Write-restricted interaction. In write-restricted mode, only write-category bits are intersected with the restricted pass; read and execute bits come from the normal pass alone. Privilege-granted bits are restored after the write-restricted intersection. All of these — normal-pass read bits, write-restricted intersection results, and restored privilege bits — then enter the confinement intersection. Confinement strips any bits that the confinement SIDs cannot independently justify, including privilege-granted bits. The net effect: write-restricted mode narrows the write surface, confinement narrows the total surface, and privileges bypass neither confinement boundary.

Objects MAY opt in to PIP protection by placing a SYSTEM_PROCESS_TRUST_LABEL_ACE in their SACL. The ACE's SID encodes the required pip_type and pip_trust. The ACE's access mask specifies the exact rights that non-dominant callers are allowed.

When AccessCheck encounters a trust label, it compares the caller's process (which carries pip_type and pip_trust on the PSB) against the ACE:

• If the caller dominates (pip_type >= ACE type AND pip_trust >= ACE trust), PIP imposes no restrictions.
• If the caller does not dominate, only the rights in the ACE mask are permitted; everything else is denied.

§10.7.1 Trust-label SID validity

The SID in a SYSTEM_PROCESS_TRUST_LABEL_ACE MUST have the form:

• S-1-19-{type}-{trust}

where:

• type is a numeric PIP type axis
• trust is a numeric trust axis

AccessCheck compares both axes numerically. The object is PIP-dominant only if the caller's pip_type >= type and pip_trust >= trust.

KACS currently standardizes these type values:

• 0 = None
• 512 = Protected
• 1024 = Isolated

These named values are conventional labels, not a closed enum for AccessCheck. Other numeric type values are valid and MUST be compared numerically using the same dominance rule.

A trust-label SID with any other shape is invalid. AccessCheck MUST treat the security descriptor as malformed rather than guessing.

§10.7.2 Privilege revocation

The critical difference from MIC: PIP actively revokes privilege-granted rights. If a non-dominant process used SeBackupPrivilege to gain read access, PIP strips those bits. If SeTakeOwnershipPrivilege granted WRITE_OWNER, PIP strips it. If SeSecurityPrivilege granted ACCESS_SYSTEM_SECURITY, PIP strips it.

Without privilege revocation, a non-PIP administrator with SeSecurityPrivilege could read the SACL of PIP-protected objects -- including removing the trust label itself.

§10.7.3 No default

Unlike MIC, PIP has no default. Objects without a trust label ACE are unrestricted -- any process can access them regardless of PIP identity.

§10.7.4 No privilege escape

PIP has no SeRelabelPrivilege equivalent. No privilege can compensate for insufficient trust level. This is an absolute boundary.

§10.7.5 Multiple trust labels

If multiple SYSTEM_PROCESS_TRUST_LABEL_ACEs appear in the SACL, only the first non-inherit-only ACE MUST be used. Inherit-only trust-label ACEs do not apply to the current object.

§10.7.6 PIP enforcement algorithm

EnforcePIP(ace, pip_type, pip_trust, mapping, &decided,
           &granted, &privilege_granted):

    // pip_type and pip_trust come from the PSB, not the token.

    ace_type = ace.sid.pip_type
    ace_trust = ace.sid.pip_trust

    caller_dominates = (pip_type >= ace_type
                        and pip_trust >= ace_trust)

    if caller_dominates:
        return

    // Non-dominant: the ACE mask IS the allowed set.
    allowed = MapGenericBits(ace.mask, mapping)

    // Compute denied set: everything not explicitly allowed.
    // Includes ACCESS_SYSTEM_SECURITY.
    all_bits = MapGenericBits(GENERIC_ALL, mapping)
              | ACCESS_SYSTEM_SECURITY
    pip_denied = all_bits & ~allowed

    decided |= pip_denied

    // Revoke privilege-granted rights.
    granted &= ~pip_denied
    privilege_granted &= ~pip_denied

Central Access and Auditing Policy (CAAP) separates policy definition from the objects it governs. A policy is defined once, centrally. Objects reference the policy by SID via a SYSTEM_SCOPED_POLICY_ID_ACE in their SACL. When the policy changes, every future AccessCheck against a referencing object uses the new rules. Already-open handles are not retroactively affected (check-at-open model).

CAAP extends the Windows Central Access Policy (CAP) model by adding an audit component: each policy rule carries both an access restriction (DACL) and an audit requirement (SACL).

§10.8.1 Policy structure

A CAAP is a named collection of rules, identified by a policy SID. Each rule has:

• An applies-to condition (optional) — a conditional expression that determines which objects this rule governs, based on the object's resource attributes. If absent, the rule applies to all objects that reference the policy.

• An effective DACL — mandatory access rules enforced by this rule. A real DACL evaluated using the full pipeline.

• An effective SACL (optional) — mandatory audit rules enforced by this rule. Audit ACEs in the effective SACL are merged with the object's own SACL during audit evaluation.

• A staged DACL (optional) — a proposed replacement for the effective DACL, used for testing.

• A staged SACL (optional) — a proposed replacement for the effective SACL, used for testing.

§10.8.2 Access evaluation (DACL component)

The DACL result is an AND with the normal DACL evaluation — CAAP can only further restrict access, never expand it. If the DACL grants read and write but the applicable CAAP rule's effective DACL grants only read, the final result is read.

Multiple SYSTEM_SCOPED_POLICY_ID_ACEs MAY appear in the same SACL, enabling composable policies. The AND semantics make composition safe — every additional policy can only further restrict. Inherit-only scoped-policy ACEs do not apply to the current object and MUST be ignored during CAAP lookup.

For each scoped policy ACE, AccessCheck:

1. Looks up the policy in the kernel's policy cache.
2. For each rule whose applies_to condition evaluates to TRUE (or has no condition). If applies_to evaluates to FALSE or UNKNOWN, the rule is skipped — this is intentionally opposite to the deny-ACE UNKNOWN behavior, because skipping a rule is the conservative choice (the rule's DACL cannot widen access beyond what the normal DACL grants):
   • Evaluates the rule's effective DACL using the full evaluation pipeline (privilege grants, MIC, PIP, DACL walk, restricted tokens, confinement) with one exception: backup/restore intent is not passed (intent is a caller concern, not a policy concern).
   • Intersects the result with the running total (which starts at the normal evaluation's granted mask — CAAP can only reduce, never expand).
3. If no rules apply (all conditions FALSE/UNKNOWN, or policy has no rules), CAAP has no effect — the normal DACL result stands unchanged. CAAP MUST NOT recurse — a CAAP rule's synthetic SD MUST NOT trigger nested CAAP evaluation, even if the original SD's SACL contains additional SYSTEM_SCOPED_POLICY_ID_ACEs.

§10.8.3 Audit evaluation (SACL component)

For each applicable rule that carries an effective SACL, the rule's audit ACEs are evaluated alongside the object's own SACL during the audit walk (step 15 of the AccessCheck algorithm). Audit ACEs from the CAAP effective SACL are treated identically to ACEs from the object's own SACL — if either says "audit this operation," it is audited.

The SACL component is additive: a CAAP SACL can only add audit coverage, never suppress auditing that the object's own SACL requests.

§10.8.4 Policy cache

The kernel maintains a policy cache: a map from policy SID to policy object. The cache is empty at boot.

§10.8.4.1 Population

Policies are pushed into the kernel cache via the kacs_set_caap syscall. Requires SeTcbPrivilege.

Calling with a non-NULL spec for an existing policy SID replaces the policy. Calling with a NULL spec or zero length removes the policy.

§10.8.4.2 Wire format

[version:u8 = 0x01]
[rule_count:u32le]
per rule:
  [applies_to_len:u32le][applies_to_expr bytes]     (0 = no condition)
  [effective_dacl_len:u32le][effective_dacl bytes]   (binary ACL; MUST NOT be 0)
  [effective_sacl_len:u32le][effective_sacl bytes]   (0 = no audit rules)
  [staged_dacl_len:u32le][staged_dacl bytes]         (0 = no staged DACL)
  [staged_sacl_len:u32le][staged_sacl bytes]         (0 = no staged SACL)

Limits:

• Maximum spec_len: 256 KB.
• Maximum rule_count: 256.
• Maximum individual ACL length: 64 KB (consistent with SD size limit).
• Maximum applies_to_len: 64 KB.
• Version byte: MUST be 0x01 for v0.20. Unknown versions are rejected.

All length-prefixed fields use little-endian u32 lengths. ACLs use the standard binary ACL format defined in the Security Descriptor chapter. All ACE types valid for DACLs/SACLs are permitted inside policy ACLs. The applies_to expression is conditional ACE bytecode (same format as CALLBACK ACE application data, including the "artx" prefix).

The applies_to expression MUST be structurally valid conditional bytecode at ingestion time. Malformed or truncated applies_to bytecode causes the entire kacs_set_caap call to fail with -EINVAL; it MUST NOT be accepted into the cache and later treated as runtime UNKNOWN.

The effective_dacl_len MUST NOT be zero — every rule MUST have an effective DACL. A rule with effective_dacl_len = 0 causes kacs_set_caap to return -EINVAL.

Parsing errors (truncated fields, lengths exceeding buffer, invalid ACL headers) cause the entire kacs_set_caap call to fail with -EINVAL. SeTcbPrivilege is checked before any parsing begins.

§10.8.4.3 Lifecycle

authd is responsible for populating the cache. On a standalone machine, authd reads policies from the registry (loregd). On a domain-joined machine, authd reads policies from Active Directory. The kernel does not know or care about the policy source — it is a passive cache.

authd SHOULD push all policies during early boot, before user-facing services start. If a policy is pushed after services are running, objects already opened with cached access decisions are not retroactively affected (check-at-open model).

§10.8.5 Recovery policy

When a scoped policy ACE references a policy SID not in the kernel cache (authd failed to push, policy was deleted, machine is disconnected), a hardcoded recovery policy is used:

• ALLOW GENERIC_ALL to BUILTIN\Administrators (S-1-5-32-544)
• ALLOW GENERIC_ALL to SYSTEM (S-1-5-18)
• ALLOW GENERIC_ALL to OWNER_RIGHTS (S-1-3-4)

The ACE masks MUST use the literal GENERIC_ALL bit (0x10000000), not pre-mapped object-specific bits. EvaluateSecurityDescriptor step 3 expands GENERIC_ALL via the caller's GenericMapping at evaluation time, ensuring the recovery policy works correctly for all object types.

Because CAAP is applied as an intersection, the recovery policy does not widen access beyond the object's own DACL. It prevents missing CAAP from further restricting access — the object's DACL remains the baseline.

§10.8.6 Error handling

If a CAAP rule's DACL evaluation produces an error (e.g., malformed DACL in the policy definition), the rule denies all access except rights granted by privileges. Privilege-granted rights are preserved as an escape hatch: an administrator with SeSecurityPrivilege retains the ability to read and modify the SACL to remove the scoped policy ACE. Note: PIP enforcement (step 6) runs before CAAP (step 13) and may have already stripped ACCESS_SYSTEM_SECURITY from privilege_granted for non-dominant callers. The escape hatch only works for callers who are PIP-dominant or have no PIP trust label on the object.

If a CAAP rule's SACL evaluation produces an error, the error is logged and the rule's audit contribution is skipped.

§10.8.7 Staging

Each CAAP rule MAY carry staged DACLs and SACLs alongside effective ones. AccessCheck evaluates both in parallel. The staged result does not affect access or audit. If the effective and staged results differ, the difference is logged.

Rules without a staged DACL contribute their effective result to both the effective and staged running totals. Rules without a staged SACL contribute their effective SACL to both.

Auditing is purely observational. No audit rule affects the access decision. Audit ACEs are evaluated after the access decision is final.

KACS defines three auditing mechanisms within the AccessCheck pipeline.

§10.9.1 Access auditing

SYSTEM_AUDIT ACEs in the SACL define which access attempts to log. Each audit ACE specifies:

• A SID — matched using deny polarity (the broadest identity view -- deny-only groups are visible). Auditing SHOULD capture the widest possible picture.
• An access mask — which operations are audited.
• Success and/or failure flags — SUCCESSFUL_ACCESS_ACE_FLAG (0x40) and FAILED_ACCESS_ACE_FLAG (0x80) control whether to audit successful access, failed access, or both.

When an audit ACE's SID matches the caller, its mask overlaps with the generic-mapped requested access mask, and its success/failure flags match the final outcome, an audit event is emitted.

The overlap check uses the mapped requested mask after generic mapping (mapped_desired in the algorithm), not the final granted mask. This ensures failed requests are still auditable for the rights that were actually requested.

Conditional audit ACEs carry expressions that gate whether the event fires. An expression that evaluates to UNKNOWN results in the event being emitted (when in doubt, audit).

§10.9.2 Continuous auditing

Access auditing fires once, at the point where AccessCheck runs. Continuous auditing fills the gap for per-operation monitoring.

SYSTEM_ALARM ACEs configure per-operation audit masks. When AccessCheck evaluates an alarm ACE and the caller's SID matches, the ACE's access mask is recorded as a continuous audit mask on the open handle. On each subsequent operation, the enforcement point checks the handle's continuous audit mask and emits an event if the operation matches.

The continuous audit mask is returned by AccessCheck to the caller (FACS, registryd), which stores it on the handle and enforces it per-operation.

§10.9.3 Privilege-use auditing

When a privilege is exercised to grant access that the DACL would not have independently granted, a privilege-use audit event MAY be emitted. This fires after the complete evaluation pipeline -- after integrity policy, confinement, and central access policy.

KACS distinguishes success and failure privilege-use auditing:

• Successful privilege use — the privilege contributed requested bits that survive to the final granted result. In this case the privilege is marked used, and a privilege-use audit event is emitted when audit_policy & PRIVILEGE_USE_SUCCESS (0x04).
• Failed privilege use — the privilege contributed requested bits during evaluation, but those bits do not survive to the final granted result. In this case the privilege is not marked used, and a privilege-use audit event is emitted when audit_policy & PRIVILEGE_USE_FAILURE (0x08).

If a privilege did not contribute to the requested access at all, no privilege-use audit event is emitted.

§10.9.4 Per-token audit policy (algorithm step 15b)

The token's audit_policy field MAY force audit events for specific categories regardless of SACL content. This runs after the SACL walk (step 15) and before result computation (step 16). The kernel checks:

• If the access succeeded and audit_policy & OBJECT_ACCESS_SUCCESS (0x01): emit a success audit event.
• If the access failed and audit_policy & OBJECT_ACCESS_FAILURE (0x02): emit a failure audit event.

These events are additive — they fire even if no SACL ACE matched. The object_audit_context from the AccessCheck caller is included in the event. Token audit policy is per-token, set at creation time, and follows impersonation (the impersonated token's policy applies during impersonation).

§10.9.5 Audit event contents

Each audit event contains:

• Subject — the calling token's identity (user SID, group SIDs, integrity level, PIP identity) and auth_id (logon session LUID, for correlating events to logon sessions).
• Object — caller-provided context identifying the object.
• Access — what was requested, what was granted, whether the request succeeded or failed.
• Trigger — which audit ACE matched, or which privilege was exercised.
• Process — the calling process's PID, name, and executable path.

This section specifies the complete AccessCheck evaluation algorithm. The feature sections describe what each feature does. This section describes how they compose.

§10.10.1 Pipeline overview

The complete evaluation runs in this order:

0. Session validity gate. If the token's logon session is marked dead, deny immediately.
1. Impersonation level gate. If the token is an impersonation token at Identification level, deny immediately. Anonymous tokens proceed through the full pipeline.
2. Input validation. Reject null SDs, SDs without owner or group, and malformed object type lists.
3. Generic mapping. Map generic bits in the desired mask to object-specific bits. Strip MAXIMUM_ALLOWED.
4. Effective privileges. Clear backup/restore bits when the corresponding intent flag is absent.
5. Privilege grants. Resolve ACCESS_SYSTEM_SECURITY, backup, and restore. Seed decided, granted, and privilege_granted.
6. Pre-SACL walk. Extract the mandatory integrity label, PIP trust label, resource attributes, and scoped policy IDs from the SACL. Enforce MIC and PIP.
7. Virtual group injection. Inject S-1-3-4 and S-1-5-10 as virtual groups if the caller is the owner or matches the object's principal.
8. Tree initialization. Copy scalar decided/granted to each tree node.
9. Normal DACL evaluation. Owner implicit rights, then the DACL walk with token-based SID matching. Resource attributes extracted in step 6 are available to conditional expressions in callback ACEs.
10. Post-DACL privilege override. SeTakeOwnershipPrivilege grants WRITE_OWNER if the DACL did not and mandatory policy (MIC/PIP) did not block it.
11. Restricted token pass. If the token has restricting SIDs, evaluate the DACL again with the restricted SID list and intersect. Privilege-granted bits are restored after intersection.
12. Confinement pass. If the token is confined, evaluate the DACL with confinement SIDs and intersect. No privilege bypass.

Invariant: Steps 11, 12, and 13 are intersections — they can only narrow the granted set. Bits denied by MIC or PIP in step 6 remain denied through all subsequent stages. 13. CAAP (Central Access and Auditing Policy). For each scoped policy, evaluate each applicable rule's DACL using the full per-SD pipeline and intersect. Collect applicable rules' SACLs for the audit walk. 14. Privilege-use auditing. Emit audit events for privileges that contributed to the final result. 15. Audit emission. Walk the object's SACL and any CAAP effective SACLs for audit and alarm ACEs. 16. Result computation. Derive the final granted mask and success/failure verdict.

§10.10.2 EvaluateSecurityDescriptor

Per-SD evaluation (steps 0--12). Called once for the normal evaluation and once per CAAP rule with a synthetic SD.

EvaluateSecurityDescriptor(
    sd, token, pip_type, pip_trust, desired, mapping,
    object_tree, self_sid, local_claims, privilege_intent
) -> (decided, granted, privilege_granted,
      max_allowed_mode, mapped_desired, resource_attributes,
      policy_sids) | error

    // Step 0: Session validity gate.
    if token.logon_session.dead:
        return ERROR_ACCESS_DENIED

    // Step 1: Impersonation level gate.
    if token.token_type == Impersonation
       and token.impersonation_level == Identification:
        return ERROR_ACCESS_DENIED

    // Step 2: Input validation.
    if sd is null:
        return ERROR_INVALID_PARAMETER
    if sd.owner is null or sd.group is null:
        return ERROR_INVALID_SECURITY_DESCR
    if object_tree is not null:
        validate: non-empty, first node at level 0,
        exactly one level-0 node, no level gaps,
        no duplicate GUIDs

    // Step 3: Generic mapping.
    desired = MapGenericBits(desired, mapping)
    max_allowed_mode = (desired & MAXIMUM_ALLOWED) != 0
    desired = desired & ~MAXIMUM_ALLOWED

    // Step 4: Effective privileges.
    effective_privileges = token.privileges_enabled
    if not (privilege_intent & BACKUP_INTENT):
        effective_privileges &= ~SeBackupPrivilege
    if not (privilege_intent & RESTORE_INTENT):
        effective_privileges &= ~SeRestorePrivilege

    // Step 5: Privilege-based grants.
    decided = 0; granted = 0; privilege_granted = 0

    // ACCESS_SYSTEM_SECURITY: always decided by privilege.
    decided |= ACCESS_SYSTEM_SECURITY
    if (effective_privileges & SeSecurityPrivilege):
        granted |= ACCESS_SYSTEM_SECURITY
        privilege_granted |= ACCESS_SYSTEM_SECURITY

    // Backup: all read-mapped bits.
    if (effective_privileges & SeBackupPrivilege):
        backup_bits = MapGenericBits(GENERIC_READ, mapping)
        decided |= backup_bits
        granted |= backup_bits
        privilege_granted |= backup_bits

    // Restore: all write-mapped bits + metadata rights.
    if (effective_privileges & SeRestorePrivilege):
        restore_bits = MapGenericBits(GENERIC_WRITE, mapping)
                       | WRITE_DAC | WRITE_OWNER | DELETE
                       | ACCESS_SYSTEM_SECURITY
        decided |= restore_bits
        granted |= restore_bits
        privilege_granted |= restore_bits

    // Note: SeRestorePrivilege above includes WRITE_OWNER in
    // restore_bits. If restore is active, WRITE_OWNER is decided
    // here. Step 10 (SeTakeOwnershipPrivilege) is a fallback for
    // when restore is not active and the DACL did not grant it.

    // Step 6: Pre-SACL walk.
    resource_attributes = {}
    policy_sids = []
    // mandatory_decided tracks bits decided by MIC and PIP
    // (mandatory mechanisms). Used at step 10 to prevent
    // SeTakeOwnershipPrivilege from overriding mandatory
    // decisions. Populated by EnforceMIC and EnforcePIP.
    mandatory_decided = 0
    PreSACLWalk(sd, token, pip_type, pip_trust, mapping,
                &decided, &granted, &privilege_granted,
                &mandatory_decided, &resource_attributes,
                &policy_sids)

    // Step 7: Virtual group injection.
    token = EnrichToken(token, sd.owner, self_sid)

    // Step 8: Tree initialization.
    if object_tree is not null:
        for each node in object_tree:
            node.decided = decided
            node.granted = granted

    // Step 9: Normal DACL evaluation.
    EvaluateDACL(sd, token, mapping, object_tree,
                 SidMatchesToken, desired, max_allowed_mode,
                 resource_attributes, local_claims,
                 skip_owner_implicit=false,
                 &decided, &granted)

    // Step 10: Post-DACL WRITE_OWNER override.
    // Deny-proof but respects mandatory decisions (MIC/PIP).
    if (desired & WRITE_OWNER) != 0 or max_allowed_mode:
        if (effective_privileges & SeTakeOwnershipPrivilege):
            if not (mandatory_decided & WRITE_OWNER)
               and not (granted & WRITE_OWNER):
                decided |= WRITE_OWNER
                granted |= WRITE_OWNER
                privilege_granted |= WRITE_OWNER
                if object_tree is not null:
                    for each node:
                        if not (node.granted & WRITE_OWNER):
                            node.decided |= WRITE_OWNER
                            node.granted |= WRITE_OWNER

    // Step 11: Restricted token pass.
    if token.restricted_sids is not empty:
        r_decided = 0; r_granted = 0
        // Build restricted enriched token: inject virtual groups
        // (S-1-3-4 if owner in restricting SIDs, S-1-5-10 if
        // self_sid in restricting SIDs). Swap in restricted
        // device groups for Device_Member_of evaluation.
        // Restricting SIDs are presence-based; attributes ignored.
        r_enriched = EnrichTokenForRestricted(
            token, sd.owner, self_sid,
            token.restricted_sids,
            token.restricted_device_groups)
        // Fresh tree: same structure, zeroed decided/granted.
        r_tree = null
        if object_tree is not null:
            r_tree = copy_tree_structure(object_tree)
            for each node in r_tree:
                node.decided = 0; node.granted = 0
        EvaluateDACL(sd, r_enriched, mapping, r_tree,
                     SidInRestrictingSids, desired,
                     max_allowed_mode, resource_attributes,
                     local_claims, skip_owner_implicit=false,
                     &r_decided, &r_granted)
        // Scalar merge: intersection.
        if token.write_restricted:
            write_bits = MapGenericBits(GENERIC_WRITE, mapping)
            granted = (granted & ~write_bits)
                    | (granted & r_granted & write_bits)
        else:
            granted = granted & r_granted
        // Privilege-granted bits bypass the restricted pass.
        granted |= privilege_granted
        // Tree merge: same intersection per node.
        if object_tree is not null:
            for i in 0..len(object_tree):
                if token.write_restricted:
                    object_tree[i].granted =
                        (object_tree[i].granted & ~write_bits)
                        | (object_tree[i].granted
                           & r_tree[i].granted & write_bits)
                else:
                    object_tree[i].granted =
                        object_tree[i].granted & r_tree[i].granted
                object_tree[i].granted |= privilege_granted

    // Step 12: Confinement pass.
    if token.confinement_sid is not null
       and not token.confinement_exempt:
        c_decided = 0; c_granted = 0
        // Build confinement SID set:
        // - confinement_sid
        // - confinement_capabilities (presence-based; attributes ignored)
        // Inject virtual groups:
        // - S-1-3-4 if owner SID is in the confinement SID set
        // - S-1-5-10 if self_sid is in the confinement SID set
        // Build confinement token view for conditional expressions:
        // - Member_of/Member_of_Any and device variants evaluate
        //   against the confinement SID set (not real groups)
        // - Non-membership operators (Exists, ==, Contains, etc.)
        //   see the real token's user_claims and device_claims
        // Fresh tree: same structure, zeroed decided/granted.
        c_tree = null
        if object_tree is not null:
            c_tree = copy_tree_structure(object_tree)
            for each node in c_tree:
                node.decided = 0; node.granted = 0
        EvaluateDACL(sd, token, mapping, c_tree,
                     SidInConfinementSids, desired,
                     max_allowed_mode, resource_attributes,
                     local_claims, skip_owner_implicit=true,
                     membership_sids=confinement_sids,
                     &c_decided, &c_granted)
        // Absolute intersection. No privilege bypass.
        granted = granted & c_granted
        // Tree merge: absolute intersection per node.
        if object_tree is not null:
            for i in 0..len(object_tree):
                object_tree[i].granted =
                    object_tree[i].granted & c_tree[i].granted

    return (decided, granted, privilege_granted,
            max_allowed_mode, desired, resource_attributes,
            policy_sids)

§10.10.3 AccessCheckCore

Orchestrator. Calls EvaluateSecurityDescriptor, then evaluates CAAPs, emits privilege-use audits, and walks the SACL (plus CAAP SACLs) for audit ACEs.

AccessCheckCore(
    sd, token, pip_type, pip_trust, desired, mapping,
    object_tree, self_sid, local_claims,
    object_audit_context, privilege_intent
) -> (decided, granted, privilege_granted,
      max_allowed_mode, mapped_desired,
      continuous_audit_mask, staging_mismatch) | error

    // Steps 0-12: per-SD evaluation.
    (decided, granted, privilege_granted,
     max_allowed_mode, mapped_desired,
     resource_attributes, policy_sids
    ) = EvaluateSecurityDescriptor(
        sd, token, pip_type, pip_trust, desired, mapping,
        object_tree, self_sid, local_claims, privilege_intent)

    // Step 13: CAAP (Central Access and Auditing Policy).
    caap_sacls = []          // Effective SACLs from applicable rules.
    staged_caap_sacls = []   // Staged SACLs (or effective as fallback).
    staged_dacl_total = granted  // Staged DACL running total.
    staged_tree_total = null
    if object_tree is not null:
        staged_tree_total = []
        for each node in object_tree:
            staged_tree_total.append(node.granted)
    staging_mismatch = false
    if len(policy_sids) > 0:
        for caap_sid in policy_sids:
            policy = LookupCAAP(caap_sid)
            if policy is null:
                policy = RECOVERY_POLICY
            for rule in policy.rules:
                if rule.applies_to is not null:
                    cond_result = EvaluateConditionalExpression(
                                     rule.applies_to, token,
                                     resource_attributes,
                                     local_claims, for_allow=false)
                    if cond_result != TRUE:
                        continue
                // DACL component: build synthetic SD, evaluate,
                // intersect with running total.
                rule_sd = synthetic_sd(sd, rule.effective_dacl)
                rule_tree = copy_tree_structure(object_tree)
                rule_result = EvaluateSecurityDescriptor(
                    rule_sd, token, pip_type, pip_trust,
                    desired, mapping, rule_tree, self_sid,
                    local_claims, 0)
                if rule_result is error:
                    // DACL error: deny all except privileges.
                    granted &= privilege_granted
                    if object_tree is not null:
                        for i in 0..len(object_tree):
                            object_tree[i].granted &= privilege_granted
                else:
                    granted &= rule_result.granted
                    if object_tree is not null:
                        for i in 0..len(object_tree):
                            object_tree[i].granted &=
                                rule_tree[i].granted
                // SACL component: collect for audit walk.
                // SACL errors are logged and the rule's audit
                // contribution is skipped (not fail-closed).
                if rule.effective_sacl is not null:
                    caap_sacls.append(rule.effective_sacl)

                // Staged DACL evaluation (parallel, no access effect).
                if rule.staged_dacl is not null:
                    stg_sd = synthetic_sd(sd, rule.staged_dacl)
                    stg_tree = copy_tree_structure(object_tree)
                    stg_result = EvaluateSecurityDescriptor(
                        stg_sd, token, pip_type, pip_trust,
                        desired, mapping, stg_tree, self_sid,
                        local_claims, 0)
                    stg_granted = stg_result.granted
                        if stg_result is not error else 0
                else:
                    stg_granted = rule_result.granted
                        if rule_result is not error
                        else privilege_granted
                staged_dacl_total &= stg_granted
                if object_tree is not null:
                    for i in 0..len(object_tree):
                        if rule.staged_dacl is not null:
                            stg_node_granted =
                                stg_tree[i].granted
                                if stg_result is not error
                                else privilege_granted
                        else:
                            stg_node_granted =
                                rule_tree[i].granted
                                if rule_result is not error
                                else privilege_granted
                        staged_tree_total[i] &=
                            stg_node_granted

                // Staged SACL: collect for staged audit walk.
                if rule.staged_sacl is not null:
                    staged_caap_sacls.append(rule.staged_sacl)
                else if rule.effective_sacl is not null:
                    // No staged SACL: contribute effective to both.
                    staged_caap_sacls.append(rule.effective_sacl)

        // After all policies: compare staged vs effective.
        if staged_dacl_total != granted:
            staging_mismatch = true
            // Log: effective_granted, staged_dacl_total, policy_sids.
        if object_tree is not null:
            for i in 0..len(object_tree):
                if staged_tree_total[i] != object_tree[i].granted:
                    staging_mismatch = true
                    break
            // In result-list mode, any per-node staged/effective
            // grant delta sets staging_mismatch.

    // Step 14: Privilege-use auditing.
    // Only for explicit requests, not MAXIMUM_ALLOWED probing.
    // For each privilege tracked by a provenance mask
    // (security_granted, backup_granted, restore_granted,
    // take_ownership_granted, relabel_granted):
    //
    // success_bits = provenance_var & mapped_desired & granted
    // failure_bits = provenance_var & mapped_desired & ~granted
    //
    // In scalar AccessCheck, compare against scalar final granted.
    // In AccessCheckResultList, compare against the final per-node
    // granted list: a privilege-use success occurs if contributed
    // requested bits survive on any node; a privilege-use failure
    // occurs only if contributed requested bits survive on no node.
    //
    // If success_bits != 0, the privilege was actually necessary
    // for the final result:
    // - call mark_used on the token
    // - emit a PrivilegeUseEvent with success=true if the token's
    //   audit_policy has PRIVILEGE_USE_SUCCESS (0x04)
    //
    // Else if failure_bits != 0, the privilege was exercised but
    // did not survive to the final granted result:
    // - do NOT call mark_used on the token
    // - emit a PrivilegeUseEvent with success=false if the token's
    //   audit_policy has PRIVILEGE_USE_FAILURE (0x08)
    //
    // If both are zero, the privilege did not contribute to the
    // requested access and no privilege-use event is emitted.
    //
    // The object_audit_context is included in emitted events so
    // the audit trail identifies which object the privilege was
    // exercised on.

    // Step 15: Audit emission.
    audit_events = []
    continuous_audit_mask = 0
    // Walk the object's own SACL.
    if sd.sacl is not null:
        EvaluateSACL(sd.sacl, token, sd.owner, self_sid,
                     object_tree, mapped_desired, granted, mapping,
                     resource_attributes, local_claims,
                     &audit_events, &continuous_audit_mask)
    // Walk each CAAP effective SACL collected in step 13.
    // Same evaluation rules as the object's own SACL.
    for caap_sacl in caap_sacls:
        EvaluateSACL(caap_sacl, token, sd.owner, self_sid,
                     object_tree, mapped_desired, granted, mapping,
                     resource_attributes, local_claims,
                     &audit_events, &continuous_audit_mask)
    // continuous_audit_mask is the OR of all matching alarm
    // ACE masks across the object SACL and all CAAP SACLs.
    // audit_events contains all matching audit ACEs.
    // Read-only — does not modify granted.

    // Staged SACL comparison: walk staged SACLs in parallel,
    // compare audit event sets. Does not affect real auditing.
    // Any audit delta sets staging_mismatch in both scalar and
    // result-list modes.
    if len(staged_caap_sacls) > 0:
        staged_audit_events = []
        staged_continuous = 0
        if sd.sacl is not null:
            EvaluateSACL(sd.sacl, token, sd.owner, self_sid,
                         object_tree, mapped_desired, granted, mapping,
                         resource_attributes, local_claims,
                         &staged_audit_events, &staged_continuous)
        for stg_sacl in staged_caap_sacls:
            EvaluateSACL(stg_sacl, token, sd.owner, self_sid,
                         object_tree, mapped_desired, granted, mapping,
                         resource_attributes, local_claims,
                         &staged_audit_events, &staged_continuous)
        if staged_audit_events != audit_events
           or staged_continuous != continuous_audit_mask:
            staging_mismatch = true
            // Log: audit delta between effective and staged SACLs.

    // Step 15b: Token audit_policy forced auditing.
    // If the token's audit_policy has OBJECT_ACCESS_SUCCESS (0x01)
    // and the access succeeded, emit an audit event regardless
    // of whether the SACL matched. Similarly for
    // OBJECT_ACCESS_FAILURE (0x02) on failure. These are additive
    // — they force audit events that the SACL alone would not
    // have generated.
    success = (granted & mapped_desired) == mapped_desired
              or mapped_desired == 0
    if success and (token.audit_policy & 0x01):
        audit_events.append(AuditEvent(
            policy_forced=true, mapped_desired, granted, true))
    if not success and (token.audit_policy & 0x02):
        audit_events.append(AuditEvent(
            policy_forced=true, mapped_desired, granted, false))

    // Step 16: Result computation.
    return (decided, granted, privilege_granted,
            max_allowed_mode, mapped_desired,
            continuous_audit_mask, staging_mismatch)

§10.10.4 AccessCheck wrapper

AccessCheck(...) -> (granted, allowed,
                     continuous_audit_mask,
                     staging_mismatch) | error

    (decided, granted, privilege_granted,
     max_allowed_mode, mapped_desired,
     continuous_audit_mask,
     staging_mismatch) = AccessCheckCore(...)

    // When a tree is present, root.granted reflects the
    // whole object (ancestor propagation ensures this).
    if object_tree is not null:
        granted = object_tree[0].granted

    // All comparisons use mapped_desired.
    if mapped_desired == 0:
        allowed = true
    else:
        allowed = (granted & mapped_desired) == mapped_desired

    return (granted, allowed, continuous_audit_mask,
            staging_mismatch)

§10.10.5 AccessCheckResultList wrapper

AccessCheckResultList(...) -> (granted_list, status_list,
                               continuous_audit_mask,
                               staging_mismatch) | error

    // Requires object_tree.
    (decided, granted, privilege_granted,
     max_allowed_mode, mapped_desired,
     continuous_audit_mask,
     staging_mismatch) = AccessCheckCore(...)

    for each node in object_tree:
        if mapped_desired == 0:
            node_status = OK
        else if (node.granted & mapped_desired) == mapped_desired:
            node_status = OK
        else:
            node_status = ACCESS_DENIED
        granted_list.append(node.granted or 0)
        status_list.append(node_status)

    return (granted_list, status_list, continuous_audit_mask,
            staging_mismatch)

§10.10.6 Key helper functions

SidMatchesToken(sid, token, for_allow) -> bool
    if sid == token.user_sid:
        if for_allow and token.user_deny_only:
            return false
        return true
    for group in token.groups:
        if not group.enabled and not group.deny_only:
            continue
        if for_allow and group.deny_only:
            continue
        if sid == group.sid:
            return true
    return false

EnrichToken(token, owner_sid, self_sid) -> Token
    // Idempotent. Returns a view — original not modified.
    if SidMatchesToken(owner_sid, token, for_allow=true):
        add S-1-3-4 as virtual group
    if self_sid is not null:
        if SidMatchesToken(self_sid, token, for_allow=true):
            add S-1-5-10 as virtual group
        else if SidMatchesToken(self_sid, token, for_allow=false):
            add S-1-5-10 as virtual group (deny-only)
    return token

MapGenericBits(mask, mapping) -> ACCESS_MASK
    if mask & GENERIC_READ:
        mask = (mask & ~GENERIC_READ) | mapping.read
    if mask & GENERIC_WRITE:
        mask = (mask & ~GENERIC_WRITE) | mapping.write
    if mask & GENERIC_EXECUTE:
        mask = (mask & ~GENERIC_EXECUTE) | mapping.execute
    if mask & GENERIC_ALL:
        mask = (mask & ~GENERIC_ALL) | mapping.all
    return mask

EvaluateSACL(sacl, token, owner, self_sid,
             object_tree, mapped_desired, granted, mapping,
             resource_attributes, local_claims,
             &audit_events, &continuous_audit_mask)

    enriched = EnrichToken(token, owner, self_sid)

    for ace in sacl.aces:
        if ace.flags & INHERIT_ONLY_ACE:
            continue
        ace_mask = MapGenericBits(ace.mask, mapping)

        if ace.type == SYSTEM_AUDIT_ACE
           or ace.type == SYSTEM_AUDIT_OBJECT_ACE:
            if not enriched_sid_matches(ace.sid, enriched,
                                        for_allow=false):
                continue
            // Object ACE GUID scoping: if the ACE has an
            // ObjectType GUID and an object_tree is present,
            // the ACE only fires if the GUID matches a node.
            if ace.has_object_type() and object_tree is not null:
                if FindNode(object_tree, ace.object_type) is null:
                    continue
            if (ace_mask & mapped_desired) == 0:
                continue
            success = (granted & mapped_desired) == mapped_desired
                      or mapped_desired == 0
            if success and (ace.flags & SUCCESSFUL_ACCESS_ACE_FLAG):
                audit_events.append(AuditEvent(
                    ace, mapped_desired, granted, true))
            if not success and (ace.flags & FAILED_ACCESS_ACE_FLAG):
                audit_events.append(AuditEvent(
                    ace, mapped_desired, granted, false))

        if ace.type == SYSTEM_AUDIT_CALLBACK_ACE
           or ace.type == SYSTEM_AUDIT_CALLBACK_OBJECT_ACE:
            if not enriched_sid_matches(ace.sid, enriched,
                                        for_allow=false):
                continue
            // Object ACE GUID scoping (same as above).
            if ace.has_object_type() and object_tree is not null:
                if FindNode(object_tree, ace.object_type) is null:
                    continue
            // Condition must be TRUE or UNKNOWN to fire.
            cond = EvaluateConditionalExpression(
                ace.condition, enriched, resource_attributes,
                local_claims, for_allow=false)
            if cond == FALSE:
                continue
            if (ace_mask & mapped_desired) == 0:
                continue
            success = (granted & mapped_desired) == mapped_desired
                      or mapped_desired == 0
            if success and (ace.flags & SUCCESSFUL_ACCESS_ACE_FLAG):
                audit_events.append(AuditEvent(
                    ace, mapped_desired, granted, true))
            if not success and (ace.flags & FAILED_ACCESS_ACE_FLAG):
                audit_events.append(AuditEvent(
                    ace, mapped_desired, granted, false))

        if ace.type == SYSTEM_ALARM_ACE
           or ace.type == SYSTEM_ALARM_OBJECT_ACE:
            if enriched_sid_matches(ace.sid, enriched,
                                    for_allow=false):
                if ace.has_object_type() and object_tree is not null:
                    if FindNode(object_tree, ace.object_type) is null:
                        continue
                continuous_audit_mask |= ace_mask

        if ace.type == SYSTEM_ALARM_CALLBACK_ACE
           or ace.type == SYSTEM_ALARM_CALLBACK_OBJECT_ACE:
            if enriched_sid_matches(ace.sid, enriched,
                                    for_allow=false):
                if ace.has_object_type() and object_tree is not null:
                    if FindNode(object_tree, ace.object_type) is null:
                        continue
                cond = EvaluateConditionalExpression(
                    ace.condition, enriched, resource_attributes,
                    local_claims, for_allow=false)
                if cond == FALSE:
                    continue
                continuous_audit_mask |= ace_mask

§10.10.7 Undefined helper functions

The following functions are called in the pseudocode above but defined in other spec sections:

§10.10.7.1 Privilege provenance tracking

Step 14 references per-privilege provenance masks. These are tracked throughout the pipeline as additional scalar variables:

Each variable records which bits that privilege contributed. At step 14, for each privilege, compare the provenance mask against the mapped requested mask and the final result. In scalar AccessCheck, the comparison uses scalar final granted. In AccessCheckResultList, the comparison uses the final per-node granted list: if contributed requested bits survive on any node, the privilege was "actually necessary" — call mark_used and emit a successful PrivilegeUseEvent if the token's audit_policy has PRIVILEGE_USE_SUCCESS (0x04). If contributed requested bits were exercised but survive on no node, emit a failure PrivilegeUseEvent if the token's audit_policy has PRIVILEGE_USE_FAILURE (0x08), but do not call mark_used.

FACS — the File Access Control Shim — is the file-specific enforcement surface of KACS. It replaces Linux DAC (UID/GID/mode-bit checks) with SD-based evaluation on files.

The enforcement model follows the handle pattern: AccessCheck runs once at open time, the granted access mask is cached on the file descriptor, and subsequent operations check the cached mask. Limited exceptions exist where a live AccessCheck is used instead (e.g., v0.20 execveat(AT_EMPTY_PATH) — see use-time semantics).

Every open file description on a local FACS-managed filesystem carries a single granted access mask in its LSM security blob. This mask is set once — at open time — and never modified. The primary authorization check for subsequent operations is:

(fd.granted & required) == required ? allow : deny

The granted mask is immutable for the fd's entire lifetime, regardless of subsequent SD changes. Open handles survive SD modifications — if a file's DACL is modified after a process has it open, the existing fd retains its cached grants.

§11.1.1 Scope

The sole-authority claim applies to local FACS-managed filesystems (root, /home, /var, tmpfs, devtmpfs, and adopted foreign media). It does not apply to:

• O_PATH fds (not FACS-managed)
• NFS client mounts (dual authority with server)
• /proc (PIP-protected)
• /sys (hardcoded rule: writes require Administrators or SYSTEM)

§11.1.2 Handle acquisition

An fd carries its granted mask through all acquisition paths. fd transfer is an intentional capability-delegation mechanism:

• dup/dup3 — same file description, same rights.
• fork/clone — child inherits fds, same rights.
• SCM_RIGHTS — the fd is a capability token; possession is authorization. The receiver's identity is not re-checked.
• pidfd_getfd() — gated by AccessCheck against the target process's SD for PROCESS_DUP_HANDLE. If the SD allows it, the caller gets the fd with its full granted mask.
• exec — fds without FD_CLOEXEC survive, same rights.

The security boundary is at open time. All subsequent transfers carry the granted mask unchanged.

Peios provides a KACS-native open syscall that takes an explicit desired access mask. The caller names every right it will need: FILE_READ_DATA, FILE_WRITE_DATA, WRITE_DAC, READ_CONTROL, or any combination. AccessCheck evaluates the full requested mask at open time. If every requested right is granted, the fd's granted mask is set to the requested mask. If any requested right is denied, the open fails. The full AccessCheck pipeline MUST run to completion even on denial — audit emission (SACL walk, privilege-use events) depends on it. Implementations MUST NOT short-circuit before the audit steps.

MAXIMUM_ALLOWED MUST NOT appear in the native open's desired access mask. The native open is the explicit-rights path — the caller always knows exactly what it is requesting. MAXIMUM_ALLOWED is available via the AccessCheck probing API for querying maximum grantable access without opening the file. If MAXIMUM_ALLOWED is set, the open fails with -EINVAL.

§11.2.1 Required data right

The KACS-native open MUST require at least one data right (FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA) or FILE_EXECUTE in the desired access mask. This ensures every fd has a valid f_mode:

• FILE_READ_DATA → FMODE_READ
• FILE_WRITE_DATA or FILE_APPEND_DATA → FMODE_WRITE
• FILE_EXECUTE (alone) → FMODE_EXEC

FMODE_EXEC enables execveat(fd, "", ..., AT_EMPTY_PATH) — an execute-only handle that cannot read or write file contents.

§11.2.2 Directories

Directory rights share bit positions with file data rights: FILE_LIST_DIRECTORY = FILE_READ_DATA (0x0001), FILE_ADD_FILE = FILE_WRITE_DATA (0x0002), FILE_ADD_SUBDIRECTORY = FILE_APPEND_DATA (0x0004). A native directory open with FILE_LIST_DIRECTORY satisfies the data-right requirement and maps to FMODE_READ.

§11.2.3 Metadata-only operations

Operations that need no data or execute access (e.g., changing a file's DACL without reading its contents) use path-based interfaces or O_PATH fds as object anchors. The KACS get/set-security syscalls accept O_PATH fds via AT_EMPTY_PATH.

§11.2.4 Create dispositions

FILE_SUPERSEDE deletes the existing file and creates a new one with the same name. Requires DELETE on the existing file (or FILE_DELETE_CHILD on the parent) AND FILE_ADD_FILE on the parent. The new file gets a new inode and a new SD (inherited from parent or caller-supplied). Old hardlinks are broken. Already-open fds reference the old (now unlinked) inode.

FILE_OVERWRITE truncates the existing file to zero length. Same inode, same SD, hardlinks preserved. Requires FILE_WRITE_DATA.

§11.2.4.1 DELETE / FILE_DELETE_CHILD fallback during open

FILE_SUPERSEDE and DELETE_ON_CLOSE reference "DELETE on the file (or FILE_DELETE_CHILD on the parent)." This is a two-SD check within the open path. The kernel first runs AccessCheck against the target file's SD for DELETE. If DELETE is not granted, the kernel runs a second AccessCheck against the parent directory's SD for FILE_DELETE_CHILD. If neither check grants the required right, the open fails. This follows the same duality described in the link operation semantics.

§11.2.5 Create options

All other bits are reserved and MUST be zero. The kernel rejects non-zero reserved bits with -EINVAL.

§11.2.6 Caller-supplied SD for creation

When a create disposition results in a new file, the caller MAY supply an SD via the kacs_open_how struct. If the SD pointer is null (and sd_len is 0), the new file's SD is inherited from the parent directory per the inheritance algorithm.

§11.2.7 Creation status

The syscall MAY return a creation status indicating what happened: created, opened, overwritten, or superseded.

Linux's open() / openat() cannot express rights like WRITE_DAC or READ_CONTROL. FACS maps open flags to a core set of required rights plus a compat set of POSIX-expected rights, then evaluates both in a single AccessCheck call.

§11.3.1 Core rights

Minimum rights for a usable legacy fd. The open MUST fail if any core right is denied.

For regular files, device nodes, FIFOs, and pathname sockets:

For directories:

Directory core does NOT include FILE_LIST_DIRECTORY. A directory opened O_RDONLY MAY be used for fchdir() and fstat() without requiring listing permission. FILE_LIST_DIRECTORY is in the compat set.

Modifiers (applied in order):

When both O_APPEND and O_TRUNC are specified, both modifiers apply: FILE_WRITE_DATA is first replaced with FILE_APPEND_DATA (O_APPEND), then FILE_WRITE_DATA is re-added (O_TRUNC). The result is both FILE_APPEND_DATA and FILE_WRITE_DATA in core.

FILE_READ_ATTRIBUTES is always core. An SD that grants data access but denies attribute reads is not openable through legacy APIs.

§11.3.2 Compat rights

Requested alongside core — silently omitted if denied:

• FILE_READ_EA — fgetxattr().
• READ_CONTROL — reading the SD.
• FILE_WRITE_ATTRIBUTES — futimens().
• FILE_WRITE_EA — fsetxattr().
• FILE_WRITE_DATA — included for O_APPEND opens so ftruncate() works if the SD allows it.
• WRITE_DAC — POSIX allows fchmod() on any fd.
• WRITE_OWNER — POSIX allows fchown() on any fd.
• SYNCHRONIZE.
• FILE_LIST_DIRECTORY — enables readdir() on directory fds.
• FILE_EXECUTE — enables fexecve() on regular file fds.

§11.3.3 The open-time flow

1. Construct the full requested mask: core | compat.
2. Run AccessCheck. AccessCheck returns a granted mask — the subset of requested rights the SD allows.
3. Check: are all core rights in the granted mask? If not, fail with EACCES.
4. Stamp the actual granted mask on the fd. This MAY include all, some, or none of the compat rights.

The two open paths use the same AccessCheck pipeline with different success criteria. KACS-native open: strict mode (granted & requested == requested). Legacy open: subset mode (insist only that core is fully present).

§11.3.4 O_PATH semantics

O_PATH fds are not FACS-managed. security_file_open does not fire for them. They carry no granted mask and serve as namespace anchors for *at() syscalls.

• fstat() / fstatfs() — allowed unconditionally.
• fchdir() — runs AccessCheck for FILE_TRAVERSE at use time.
• fchmod(), fchown(), fgetxattr(), fsetxattr(), ioctl(), mmap() — denied (EBADF).
• execveat(fd, "", ..., AT_EMPTY_PATH) — exec permission enforced via live AccessCheck in the bprm hook.
• kacs_get_sd / kacs_set_sd with AT_EMPTY_PATH — live AccessCheck against the file's SD. Provides race-free object identity without snapshot authorization.

Every operation on an open fd is a mask check against the granted mask, with one v0.20 exception: execveat(AT_EMPTY_PATH) uses a live AccessCheck rather than the cached mask (see Execution below).

§11.4.1 Data operations

§11.4.2 Metadata operations

SD xattr reads and writes (security.peios.sd, system.ntfs_security) MUST be denied unconditionally via the xattr hooks. All SD access MUST go through kacs_get_sd / kacs_set_sd. POSIX ACL xattr writes (system.posix_acl_access, system.posix_acl_default) MUST also be denied unconditionally.

§11.4.3 Append-only enforcement

A handle with FILE_APPEND_DATA but not FILE_WRITE_DATA allows appends but MUST deny:

• Positioned writes (pwrite, pwritev, pwritev2 with RWF_NOAPPEND, io_uring writes with offset, AIO writes with offset).
• Shared writable mmap / mprotect upgrades to PROT_WRITE.
• fallocate mutation modes (PUNCH_HOLE, ZERO_RANGE, COLLAPSE_RANGE, INSERT_RANGE).

§11.4.4 fcntl enforcement

• F_SETFL clearing O_APPEND: denied if fd has FILE_APPEND_DATA but not FILE_WRITE_DATA.
• F_SETFL setting O_APPEND: always allowed (privilege reduction).
• F_SETFL adding O_NOATIME: requires FILE_WRITE_ATTRIBUTES.

§11.4.5 ioctl enforcement

Regular files and directories: known ioctls are classified by required right. Unclassified ioctls fall back to: allowed if the fd has at least one data right (FILE_READ_DATA, FILE_WRITE_DATA, or FILE_APPEND_DATA).

§11.4.5.1 Classified file ioctls

§11.4.5.2 Classified directory ioctls

§11.4.5.3 Unclassified ioctls

Any ioctl not in the tables above is allowed if the fd carries at least one data right (FILE_READ_DATA, FILE_WRITE_DATA, or FILE_APPEND_DATA). Future versions will expand the classified list and may deny unclassified ioctls.

Device nodes, pipes, sockets: ioctls are allowed if the fd has at least one data right. Device-specific ioctl semantics are outside FACS scope — the device node's SD is the authorization boundary.

§11.4.6 Execution

Execution is a two-layer check:

• Mode execute bit — prerequisite. "This file is a program." Set by package managers and chmod +x. Applies only to execve / execveat, not to mmap(PROT_EXEC).
• SD FILE_EXECUTE — access control. "This principal may execute this file." Gates both execve and mmap(PROT_EXEC).

For execve: both +x AND FILE_EXECUTE MUST be true. For mmap(PROT_EXEC): only FILE_EXECUTE is checked.

For fd-based exec (execveat with AT_EMPTY_PATH) in v0.20, a live AccessCheck for FILE_EXECUTE is performed on the re-opened file. O_PATH fds use the same live AccessCheck. Future versions will check the fd's cached granted mask directly (snapshot mode).

§11.5.1 Xattr protection

FACS intercepts all raw xattr operations on the canonical SD xattr (security.peios.sd, or system.ntfs_security on NTFS):

• Writes denied. Any attempt to write the SD xattr via setxattr() MUST be denied. All SD modification MUST go through the set-security interface.
• Removal denied. Any attempt to remove the SD xattr MUST be denied. SDs MUST NOT be detached from files.
• Reads denied. Any attempt to read the SD xattr via getxattr() MUST be denied. The raw xattr contains the entire SD including the SACL — allowing reads with only READ_CONTROL would leak SACL content that SHOULD require ACCESS_SYSTEM_SECURITY. All SD reads MUST go through kacs_get_sd.

§11.5.2 SD caching

FACS caches the parsed SD in the inode's LSM security blob.

Readers (the AccessCheck path) use RCU read-side locks. No locks, no atomics, no contention.

Writers (the set-security syscall) allocate a new parsed SD, swap the pointer atomically via RCU, and free the old SD after a grace period. No partial reads are possible.

Population is lazy — on first access. The xattr is read via an internal kernel path that bypasses the read-denial hook. After parsing, the result is installed via compare-and-swap. If another thread races, the loser frees its copy.

Invalidation happens atomically with writes. The set-security syscall is the sole writer — after writing the xattr, it installs the new parsed SD. There is no window where xattr and cache disagree.

Eviction frees the cached SD when the kernel evicts the inode, using an RCU-safe callback to ensure in-flight permission checks complete before the SD is freed.

§11.5.3 Missing SDs

FACS handles files without a security.peios.sd xattr with a per-mount policy:

§11.5.3.1 Deny mode

No SD means deny all FACS-managed access. This is the default for Peios system mounts (root, /home, /var). A missing SD on a system mount is a corruption indicator.

Directory traversal exception: SeChangeNotifyPrivilege (granted to all by default) bypasses traverse checks, including on directories with missing SDs. This ensures path resolution works for the repair path.

O_PATH exception: O_PATH opens bypass security_file_open entirely. A file with a missing SD can still be acquired as an O_PATH reference, enabling the repair path: open(path, O_PATH) → kacs_set_sd(fd, ..., AT_EMPTY_PATH) with SeRestorePrivilege.

§11.5.3.2 Synthesize mode

No SD means generate a default SD on the fly. For foreign mounts — USB drives, external volumes, NFS client mounts. Synthesis sources, evaluated in order:

1. Inherit from parent directory. If the parent has an SD, FACS runs the inheritance algorithm as if a new file were being created.
2. Mount-level template. A default SD configured in the mount options. Applied when there is no parent SD — typically only the mount root. If no mount-level template is configured, the fallback SD grants GENERIC_ALL to SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544), with GENERIC_READ | GENERIC_EXECUTE to Everyone (S-1-1-0). Owner is SYSTEM, group is SYSTEM.

Persistence flag: each mount carries a persist_synthesized setting:

• true (adopting foreign media) — the synthesized SD is written to xattr immediately. Synthesis happens once.
• false (removable media) — cached in the inode blob only, never written to disk. The original filesystem remains unmodified.

§11.5.4 Corrupt SDs

A security.peios.sd xattr that exists but fails structural validation is a corrupt SD.

Policy: fail-closed. A corrupt SD MUST deny all access. AccessCheck MUST NOT be called. A truncated DACL MUST NOT be treated as empty.

Audit: every corrupt SD encounter SHOULD emit an audit event. The event fires once per inode per cache population to avoid spam.

Recovery: a process with SeRestorePrivilege calls the set-security syscall to overwrite the corrupt SD. Offline repair tools MAY also rewrite xattrs directly on unmounted filesystems.

§11.5.5 NFS client mounts

NFS client mounts are a distinct mount class where FACS's sole-authority guarantee does not hold:

• The NFS server enforces its own access control independently. FACS evaluates locally against the synthesized SD, but the server MAY deny I/O that FACS allowed.
• A locally authorized open() MAY produce an fd whose read() calls fail because the server denies the I/O.

This is inherent to network filesystems with server-side enforcement.

All SD modification flows through a single KACS syscall. The caller provides a file descriptor or path, a bitmask specifying which SD components to modify, and a self-relative SD blob containing the new values.

§11.6.1 Security information flags

The kernel validates the SD blob structurally (parseable, well-formed ACEs, valid SIDs, size within 64 KB) then merges only the indicated components into the existing SD. Unindicated components are preserved unchanged. After merging, the resulting SD MUST have a non-null owner and non-null group. If the merge would produce an SD without an owner or group (e.g., setting OWNER_SECURITY_INFORMATION with a null owner on an object that has no existing owner), the operation fails.

MIC and PIP apply to these checks. A low-integrity caller MUST NOT modify a high-integrity file's SD even if the DACL grants WRITE_OWNER.

§11.6.2 Ownership constraints

Ownership changes are a two-phase check. Phase 1 (AccessCheck or granted mask): the caller MUST have WRITE_OWNER — the right to change the owner. Phase 2 (set-security validation): the specific SID being set as owner MUST be permitted. Having WRITE_OWNER does not grant the ability to set an arbitrary owner SID.

When setting a new owner, the caller MAY only set the owner to:

• Their own SID.
• A group SID on the token with SE_GROUP_OWNER.

SeTakeOwnershipPrivilege allows setting ownership to the caller's own SID regardless of the current SD. SeRestorePrivilege allows setting ownership to any arbitrary SID.

§11.6.3 Integrity label constraints

Without SeRelabelPrivilege, callers MAY only set a label at or below their own integrity level. With SeRelabelPrivilege, any level is permitted.

§11.6.4 SeRestorePrivilege bypass

SeRestorePrivilege bypasses the access check when kacs_set_sd runs a live AccessCheck — i.e., when called via O_PATH fd + AT_EMPTY_PATH, via pidfd, or via path. The privilege fires in the AccessCheck pipeline and grants all requested rights including WRITE_OWNER, WRITE_DAC, and ACCESS_SYSTEM_SECURITY.

When kacs_set_sd is called on a normal (non-O_PATH) file fd, the required rights are checked against the fd's cached granted mask — no AccessCheck runs, so SeRestorePrivilege has no effect. A caller who needs the privilege bypass MUST use the O_PATH + AT_EMPTY_PATH path. This is the mechanism for backup restoration, administrative SD repair, and the missing-SD repair path.

§11.6.5 Mandatory resource attribute protection

When a caller modifies the SACL (SACL_SECURITY_INFORMATION), the kernel compares the existing and new SACLs for changes to SYSTEM_RESOURCE_ATTRIBUTE_ACE entries. If an existing resource attribute has the CLAIM_SECURITY_ATTRIBUTE_MANDATORY flag (0x0020), the caller MUST NOT remove it or modify its values unless the caller has SeTcbPrivilege. If the caller lacks SeTcbPrivilege and attempts to remove or modify a MANDATORY attribute, the entire kacs_set_sd call fails.

This prevents file owners (who may have ACCESS_SYSTEM_SECURITY or WRITE_DAC) from stripping classification tags that conditional ACEs rely on. Only TCB processes (typically automated classifiers or administrative tools running under peinit) can modify mandatory attributes.

§11.6.6 Write mechanics

After merging:

1. Serialize the updated SD to self-relative binary format.
2. Write the appropriate xattr via an internal kernel path that bypasses the setxattr denial hook.
3. Update the in-memory SD cache in the same operation.
4. Emit an audit event if the file's SACL contains a matching audit ACE.

Concurrent set-security calls on the same inode are serialized by the inode mutex. RCU readers on the AccessCheck path are not blocked.

§12.1.1 Compatibility model

Peios is its own operating system with its own security model. Because it is based on Linux, it supports Linux applications — but the compatibility shims in this section are designed to minimise total failure of unmodified Linux applications, not to ensure they operate securely. A Linux daemon that calls setuid() to drop privileges will not crash, but it also will not achieve privilege separation under KACS. The KACS token is unchanged; the UID change is cosmetic.

In production, Linux applications that require KACS-aware security behavior should be wrapped in custom shims that intercept security-sensitive syscalls and translate them to KACS token operations. The compatibility layer is a crash-prevention mechanism, not a security mechanism.

§12.1.2 Credential projection

KACS tokens are the sole identity-based authorization mechanism. Linux applications do not know tokens exist — they call getuid(), getgid(), getgroups(), read /proc/self/status, and assume the numbers they see determine their access rights. KACS projects token identity onto standard Linux credentials so unmodified applications function normally.

When a KACS token is installed on a process, the process's Linux credentials are set to match:

• The token's user SID maps to a UID via the directory's uidNumber attribute. If no uidNumber is set, the UID defaults to 65534 (nobody). No algorithmic mapping.
• The token's primary group SID maps to a GID via the directory's gidNumber attribute, with the same fallback.
• The token's group SIDs map to supplementary GIDs where gidNumber attributes exist.
• getuid(), getgid(), getgroups() return these projected values.
• /proc/<pid>/status reflects them.

§12.1.3 Consequences

• Under normal token projection, no process runs as UID 0 unless it holds the SYSTEM token (S-1-5-18).
• Home directories work naturally — getpwuid(getuid()) returns the correct home directory because the UID is real and consistent with NSS/LDAP.
• Different services get different UIDs, providing incidental defense-in-depth alongside KACS enforcement.

§12.1.4 Projection is one-way

Token state flows into credential fields, never the reverse. The projected credentials are observational compatibility data; the token is the authority.

Projection reflects all groups regardless of their enabled/disabled state — AdjustGroups MUST NOT trigger projection recalculation.

Projected credentials reflect the effective token — which is the impersonated token during impersonation, or the primary token otherwise. When a service thread impersonates a client and creates a file, the file is owned by the client's projected UID, quotas are charged to the client, and audit is attributed to the client. This matches the Windows model where the impersonation token governs all operations during impersonation.

The current_fsuid() patch reads the projected UID from current->cred (the effective credential), which carries the effective token. During impersonation, this is the impersonated token's projected UID. After kacs_revert, it returns to the primary token's projected UID.

getuid() reads current->real_cred->uid (the primary credential's UID), which is always the primary token's projected UID regardless of impersonation. This means during impersonation: getuid() returns the service's UID, current_fsuid() returns the client's UID. This is the correct and intended behavior.

§12.1.5 Projected UIDs

Every token carries pre-computed projected UID/GID values, computed by authd at token creation time and stored on the token. KACS MUST NOT resolve SID-to-UID mappings at runtime.

Linux evaluates DAC (UID/GID/mode-bit checks) before consulting LSM hooks. If DAC denies an operation, the LSM hook never fires — KACS cannot override a DAC denial. LSM hooks are restrictive: they can further deny what DAC would allow, but cannot grant what DAC has denied.

KACS neutralizes DAC so that LSM hooks always fire. Every process in Peios receives a set of Linux capabilities that bypass DAC gates:

• CAP_DAC_OVERRIDE — bypass read, write, and execute permission checks on files.
• CAP_DAC_READ_SEARCH — bypass read and search permission checks on directories.
• CAP_FOWNER — bypass permission checks requiring the process's fsuid to match the file's owner.
• CAP_CHOWN — bypass the restriction that only the file owner can change ownership.
• CAP_SETUID / CAP_SETGID — allow UID/GID credential changes (cosmetic under KACS).

These capabilities MUST be present on every credential. KACS MUST deny any attempt to clear them (via capset(), bounding set drops, or ambient capability manipulation).

§12.2.1 The capability switchboard

Linux's 41 capabilities are classified into three categories:

ALLOW — DAC-bypass capabilities. These exist to override UID-based permission checks on operations that KACS enforces via LSM hooks. Allowing them ensures DAC never blocks an operation that KACS will evaluate independently.

PRIVILEGE — capabilities that gate operations not covered by other KACS hooks. These are mapped to specific KACS privileges. The security_capable() hook checks whether the calling thread's token holds the corresponding privilege. If not, the capability check fails. This is fail-closed: an unmapped or unknown capability is denied by default.

DENY — capabilities that are dead under KACS or MUST NOT be granted. Denied unconditionally.

§12.2.1.1 ALLOW — DAC bypass

§12.2.1.2 PRIVILEGE — mapped to KACS privileges

§12.2.1.3 DENY — dead or dangerous

§12.2.2 LSM stack invariant

MAC LSMs (SELinux, AppArmor, SMACK, TOMOYO) and BPF LSM MUST be disabled in the kernel config. Non-MAC security LSMs (landlock, lockdown, yama, integrity) are permitted — they provide complementary hardening without conflicting with KACS's identity-based authorization model. PKM MUST verify the stack at initialization and refuse to activate if any MAC or BPF LSM is present.

Under KACS, UIDs have zero security properties. The UID is not consulted during any access control decision. It does not appear in any Security Descriptor. No ACE references a UID. The UID is a compatibility value stored in struct cred for the sole purpose of answering getuid() calls.