File Specification - Maple Help

File Specifications for Maple Engine Security

 


File Specification

• For information on how inclusion and exclusion specifications are used, see the Maple Engine Security help page.

• In the context of Maple security, a file specification is a string of the form

 

    (1) <fully-qualified-file-name>

 

or

 

    (2) <fully-qualified-directory-name><dirsep>*

 

or

 

    (3) <fully-qualified-directory-name><dirsep>...

 

where <dirsep> is '/' or '\' depending on the platform. Trailing slashes are not allowed. Form (3) is not permitted when specifying loadable external libraries.

• The file specs are used to match against fully qualified filenames. Form (1) will match files with the name <fully-qualified-file-name> exactly. Form (2) will match files and directories that are directly below <fully-qualified-directory-name>. Form (3) will match files and directories anywhere below <fully-qualified-directory-name>.

Examples

• The following are all valid file specifications:

 

    /home/muser/foo.so

    /home/muser/bar/...

    /home/muser/foo.so

    /home/muser/bar/*

    /*

    /...

 

The following are not valid file specifications:

 

    /home/*/bar/...

    /home/muser/*.so

    /home/muser/bar/

 

File Specifications Contained within a File

• If a list of file specifications is given in a file, then the file must be of the form

 

    [-|+]<spec>

    [-|+]<spec>

    .

    .

    .

 

Specifications with a leading '+' are called 'inclusions' and specifications with a leading '-' are called 'exclusions'.

Examples

• The file containing the following entries is a valid specification file:

 

    -/...

    +/home/muser/...

    -/home/muser/bar/...

    +/home/muser/bar/mylib.so

 

If the above specification was provided for readable files, then the reading of files below the directory '/home/muser' would be permitted, except for those files below '/home/muser/bar', where only the file '/home/muser/bar/mylib.so' can be read.

Matching Rules

• When Maple determines whether or not an operation is permitted on a particular file (or directory), the filename is compared against the appropriate list of inclusions and exclusions. The most specific matching specification determines the permission. In the event of a tie (between an exclusion and inclusion spec), the file is considered excluded.

• For specifications without the strings * and ..., the longest match is the most specific.  Otherwise,

 

    <path><dirsep><base-file-name>

 

is considered longer than

 

    <path><dirsep>*

 

which is, in turn, considered longer than

 

    <path><dirsep>...

 

Examples

• With the readable file spec

 

    +/home/muser/...

    +/home/muser/a

    -/home/muser/c

    -/home/muser/*

    +/home/muser/c

 

The files '/home/muser/a' and '/home/muser/foo/b' are considered readable, but the files '/home/muser/b' and '/home/muser/c' are not. This is due to the following facts:

    '/home/muser/a' is best matched by '+/home/muser/a';

    '/home/muser/foo/b' is best matched by '+/home/muser/...';

    '/home/muser/b' is best matched by '-/home/muser/*';

    '/home/muser/c' is best matched by both '-/home/muser/c' and '+/home/muser/c', but the '-' spec takes precedence.
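
The validity and matching rules above, modelled as an added Python example (not Maple's implementation and not code from this help page). It assumes POSIX paths with '/' as <dirsep>, that every entry carries a leading '+' or '-', that a file matching no inclusion is denied, and that specificity is compared by directory prefix first and then by form; the names parse_spec, rank and is_permitted are hypothetical.

```python
SEP = "/"  # assumption: POSIX <dirsep>
# Spec file from the page's Matching Rules example.
READ_SPEC = ["+/home/muser/...", "+/home/muser/a", "-/home/muser/c",
             "-/home/muser/*", "+/home/muser/c"]

def parse_spec(spec):
    """Return (directory, form); form 2 = exact name, 1 = dir/*, 0 = dir/..."""
    parts = spec.split(SEP)
    if len(parts) < 2 or parts[0] != "" or parts[-1] == "":
        raise ValueError(f"not fully qualified, or trailing slash: {spec!r}")
    *dirs, last = parts
    if any("*" in d or d == "..." for d in dirs):
        raise ValueError(f"wildcard must be the last component: {spec!r}")
    if last not in ("*", "...") and "*" in last:
        raise ValueError(f"partial wildcard in file name: {spec!r}")
    form = {"...": 0, "*": 1}.get(last, 2)
    return SEP.join(dirs), form

def rank(spec, path):
    """Specificity of spec for path as (directory length, form), else None."""
    directory, form = parse_spec(spec)
    if form == 2:
        return (len(directory), 2) if spec == path else None
    if not path.startswith(directory + SEP):
        return None
    rest = path[len(directory) + 1:]
    if not rest or (form == 1 and SEP in rest):
        return None  # '*' only reaches one level down
    return (len(directory), form)

def is_permitted(path, entries):
    """Most specific match wins; an inclusion/exclusion tie is excluded."""
    best = {"+": None, "-": None}
    for entry in entries:
        sign, spec = entry[:1], entry[1:]
        if sign not in best:
            raise ValueError(f"entry needs a leading + or -: {entry!r}")
        r = rank(spec, path)
        if r is not None and (best[sign] is None or r > best[sign]):
            best[sign] = r
    if best["+"] is None:
        return False  # assumption: no matching inclusion means denied
    return best["-"] is None or best["+"] > best["-"]

if __name__ == "__main__":
    for p in ("/home/muser/a", "/home/muser/foo/b", "/home/muser/b", "/home/muser/c"):
        print(p, "readable" if is_permitted(p, READ_SPEC) else "denied")
```

Running a draft specification file through a model like this before deploying it shows which broad inclusions are silently overridden by a more specific exclusion, and the reverse.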

See Also

EngineSecurity

EngineSecurity,CLIConfig

EngineSecurity,GUIConfig

Security