File Specification - Maple Help

File Specifications for Maple Engine Security

 


File Specification

• For information on how inclusion and exclusion specifications are used, see the Maple Engine Security help page.

• In the context of Maple security, a file specification is a string of the form

 

    (1) <fully-qualified-file-name>

 

or

 

    (2) <fully-qualified-directory-name><dirsep>*

 

or

 

    (3) <fully-qualified-directory-name><dirsep>...

 

where <dirsep> is '/' or '\' depending on the platform. Trailing slashes are not allowed. Form (3) is not permitted when specifying loadable external libraries.

• The file specs are used to match against fully qualified filenames. Form (1) will match files with the name <fully-qualified-file-name> exactly. Form (2) will match files and directories that are directly below <fully-qualified-directory-name>. Form (3) will match files and directories anywhere below <fully-qualified-directory-name>.

Examples

• The following are all valid file specifications:

 

    /home/muser/foo.so

    /home/muser/bar/...

    /home/muser/foo.so

    /home/muser/bar/*

    /*

    /...

 

These are not:

 

    /home/*/bar/...

    /home/muser/*.so

    /home/muser/bar/

 

File Specifications Contained within a File

• If a list of file specifications is given in a file, then the file must be of the form

 

    [-|+]<spec>

    [-|+]<spec>

    .

    .

    .

 

Specifications with a leading '+' are called 'inclusions' and specifications with a leading '-' are called 'exclusions'.

Examples

• The file containing the following entries is a valid specification file:

 

    -/...

    +/home/muser/...

    -/home/muser/bar/...

    +/home/muser/bar/mylib.so

 

If the above specification was provided for readable files, then the reading of files below the directory '/home/muser' would be permitted, except for those files below '/home/muser/bar', where only the file '/home/muser/bar/mylib.so' can be read.

Matching Rules

• When Maple determines whether or not an operation is permitted on a particular file (or directory), the filename is compared against the appropriate list of inclusions and exclusions. The most specific matching specification determines the permission. In the event of a tie (between an exclusion and inclusion spec), the file is considered excluded.

• For specifications without the strings * and ..., the longest match is the most specific.  Otherwise,

 

    <path><dirsep><base-file-name>

 

is considered longer than

 

    <path><dirsep>*

 

which is, in turn, considered longer than

 

    <path><dirsep>...

 

Examples

• With the readable file spec

 

    +/home/muser/...

    +/home/muser/a

    -/home/muser/c

    -/home/muser/*

    +/home/muser/c

 

The files '/home/muser/a' and '/home/muser/foo/b' are considered readable, but the files '/home/muser/b' and '/home/muser/c' are not. This is due to the following facts:

    '/home/muser/a' is best matched by '+/home/muser/a';

    '/home/muser/foo/b' is best matched by '+/home/muser/...';

    '/home/muser/b' is best matched by '-/home/muser/*';

    '/home/muser/c' is best matched by both '-/home/muser/c' and '+/home/muser/c', but the '-' spec takes precedence.
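
The validity and matching rules above, written out as a small Python sketch for checking a specification file before deploying it. This is an added example, not Maple's own code: the function names are hypothetical, only '/' separators are handled, the filename is assumed to be already canonical, and denying a filename that matches no specification is an assumption, since this page does not state the default.

```python
RANK = {"exact": 2, "star": 1, "dots": 0}  # <path>/<name> > <path>/* > <path>/...

# Readable-file spec from the Matching Rules example on this page.
MATCH_EXAMPLE = ["+/home/muser/...", "+/home/muser/a", "-/home/muser/c",
                 "-/home/muser/*", "+/home/muser/c"]

def parse_spec(line):
    """Parse '[-|+]<spec>' into (include, kind, directory, spec)."""
    sign, spec = line[:1], line[1:]
    if sign not in ("+", "-") or not spec.startswith("/"):
        raise ValueError(f"need +/- and a fully qualified name: {line!r}")
    head, _, last = spec.rpartition("/")
    if not last:
        raise ValueError(f"trailing slash is not allowed: {line!r}")
    if "*" in head or "..." in head.split("/") or ("*" in last and last != "*"):
        raise ValueError(f"* and ... may only be the final component: {line!r}")
    kind = {"*": "star", "...": "dots"}.get(last, "exact")
    return sign == "+", kind, head, spec

def matches(entry, filename):
    """True if one parsed spec matches a fully qualified filename."""
    _, kind, head, spec = entry
    parent, _, base = filename.rpartition("/")
    if kind == "exact":
        return filename == spec
    if kind == "star":  # directly below <directory>
        return parent == head and base != ""
    # '...': anywhere below <directory>, but not the directory itself
    return filename.startswith(head + "/") and len(filename) > len(head) + 1

def specificity(entry):
    # Interpretation of the page: a longer directory wins, then the form rank.
    return (len(entry[2]), RANK[entry[1]])

def is_permitted(spec_lines, filename):
    """Most specific match decides; an inclusion/exclusion tie excludes."""
    hits = [e for e in map(parse_spec, spec_lines) if matches(e, filename)]
    if not hits:
        return False  # ASSUMPTION: default for unmatched names is not on the page
    best = max(specificity(e) for e in hits)
    return all(e[0] for e in hits if specificity(e) == best)

if __name__ == "__main__":
    for name in ("/home/muser/a", "/home/muser/foo/b",
                 "/home/muser/b", "/home/muser/c"):
        print(name, "readable" if is_permitted(MATCH_EXAMPLE, name) else "denied")
```
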

See Also

EngineSecurity

EngineSecurity,CLIConfig

EngineSecurity,GUIConfig

Security

 

