File Specifications for Maple Engine Security - Maple Programming Help


File Specifications for Maple Engine Security

File Specification

 • For information on how inclusion and exclusion specifications are used, see the Maple Engine Security help page.
 • In the context of Maple security, a file specification is a string of the form

(1) <fully-qualified-file-name>

or

(2) <fully-qualified-directory-name><dirsep>*

or

(3) <fully-qualified-directory-name><dirsep>...

where <dirsep> is '/' or '\' depending on the platform. Trailing slashes are not allowed. Form (3) is not permitted when specifying loadable external libraries.

 • The file specs are used to match against fully qualified filenames.  Form (1) will match files with the name exactly. Form (2) will match files and directories that are directly below <fully-qualified-directory-name>. Form (3) will match files and directories anywhere below <fully-qualified-directory-name>.

Examples

 • The following are all valid file specifications:

/home/muser/foo.so

/home/muser/bar/...

/home/muser/foo.so

/home/muser/bar/*

/*

/...

These are not:

/home/*/bar/...

/home/muser/*.so

/home/muser/bar/

File Specifications Contained within a File

 • If a list of file specifications is given in a file, then the file must be of the form

[-|+]<spec>

[-|+]<spec>

.

.

.

Specifications with a leading '+' are called 'inclusions' and specifications with a leading '-' are called 'exclusions'.

Examples

 • The file containing the following entries is a valid specification file:

-/...

+/home/muser/...

-/home/muser/bar/...

+/home/muser/bar/mylib.so

If the above specification was provided for readable files, then the reading of files below the directory '/home/muser' would be permitted, except for those files below '/home/muser/bar', where only the file '/home/muser/bar/mylib.so' can be read.

Matching Rules

 • When Maple determines whether or not an operation is permitted on a particular file (or directory), the filename is compared against the appropriate list of inclusions and exclusions.  The most specific matching specification determines the permission.  In the event of a tie (between an exclusion and inclusion spec), the file is considered excluded.
 • For specifications without the strings * and ..., the longest match is the most specific.  Otherwise,

<path><dirsep><base-file-name>

is considered longer than

<path><dirsep>*

which is, in turn, considered longer than

<path><dirsep>...

Examples

 • With the readable file spec

+/home/muser/...

+/home/muser/a

-/home/muser/c

-/home/muser/*

+/home/muser/c

The files '/home/muser/a' and '/home/muser/foo/b' are considered readable, but the files '/home/muser/b' and '/home/muser/c' are not. This is due to the following facts:

'/home/muser/a' is best matched by '+/home/muser/a';

'/home/muser/foo/b' is best matched by '+/home/muser/...';

'/home/muser/b' is best matched by '-/home/muser/*';

'/home/muser/c' is best matched by both '-/home/muser/c' and '+/home/muser/c', but the '-' spec takes precedence.
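
The matching rules above can be checked against a specification list before it is deployed. The following Python sketch is an added example, not Maple's own code: it is one reading of the documented rules for '/'-separated paths, and the names parse_spec, matches, decide and READABLE are hypothetical. It does not enforce the restriction on form (3) for loadable external libraries.

```python
# Added example: one reading of the documented rules, not Maple's implementation.
KIND_RANK = {"...": 0, "*": 1, "exact": 2}  # at equal directory depth, higher wins

def parse_spec(line):
    """Parse '[+|-]<spec>' into (is_inclusion, directory, kind, name)."""
    sign, path = line[:1], line[1:]
    if sign not in ("+", "-") or not path.startswith("/") or path.endswith("/"):
        raise ValueError(f"not a valid specification: {line!r}")
    directory, _, last = path.rpartition("/")
    if "*" in directory or "..." in directory.split("/"):
        raise ValueError(f"wildcard only allowed as the last component: {line!r}")
    if last in ("*", "..."):
        return sign == "+", directory, last, None
    if "*" in last:
        raise ValueError(f"partial wildcards are not supported: {line!r}")
    return sign == "+", directory, "exact", last

def matches(spec, filename):
    _, directory, kind, name = spec
    parent, _, base = filename.rpartition("/")
    if kind == "exact":
        return parent == directory and base == name
    if kind == "*":
        return parent == directory               # directly below the directory
    return filename.startswith(directory + "/")  # '...': anywhere below

def decide(spec_lines, filename):
    """True = permitted, False = excluded, None = no spec matched."""
    best_key, verdicts = None, set()
    for spec in map(parse_spec, spec_lines):
        if not matches(spec, filename):
            continue
        # A deeper directory is more specific; then exact > '*' > '...'.
        key = (len(spec[1]), KIND_RANK[spec[2]])
        if best_key is None or key > best_key:
            best_key, verdicts = key, {spec[0]}
        elif key == best_key:
            verdicts.add(spec[0])
    if best_key is None:
        return None  # the default for unmatched files is not stated on this page
    return False not in verdicts  # inclusion/exclusion tie resolves to excluded

# Readable-file spec from the Matching Rules example above.
READABLE = ["+/home/muser/...", "+/home/muser/a", "-/home/muser/c",
            "-/home/muser/*", "+/home/muser/c"]

if __name__ == "__main__":
    for f in ("/home/muser/a", "/home/muser/foo/b", "/home/muser/b", "/home/muser/c"):
        print(f, "->", decide(READABLE, f))
```

A result of None means no specification matched; what Maple does in that case is described on the Maple Engine Security help page, not here.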
