File Specifications for Maple Engine Security
File Specifications Contained within a File
For information on how inclusion and exclusion specifications are used, see the Maple Engine Security help page.
In the context of Maple security, a file specification is a string of the form
where <dirsep> is '/' or '\' depending on the platform. Trailing slashes are not allowed. Form (3) is not permitted when specifying loadable external libraries.
The file specs are used to match against fully qualified filenames. Form (1) will match files with the name <fully-qualified-file-name> exactly. Form (2) will match files and directories that are directly below <fully-qualified-directory-name>. Form (3) will match files and directories anywhere below <fully-qualified-directory-name>.
The following are all valid file specifications:
These are not
If a list of file specifications is given in a file, then the file must be of the form
Specifications with a leading '+' are called 'inclusions' and specifications with a leading '-' are called 'exclusions'.
The file containing the following entries is a valid specification file:
If the above specification was provided for readable files, then the reading of files below the directory '/home/muser' would be permitted, except for those files below '/home/muser/bar', where only the file '/home/muser/bar/mylib.so' can be read.
When Maple determines whether or not an operation is permitted on a particular file (or directory), the filename is compared against the appropriate list of inclusions and exclusions. The most specific matching specification determines the permission. In the event of a tie (between an exclusion and inclusion spec), the file is considered excluded.
For specifications without the strings * and ..., the longest match is the most specific. Otherwise,
is considered longer than
which is, in turn, considered longer than
With the readable file spec
The files '/home/muser/a' and '/home/muser/foo/b' are considered readable, but the files '/home/muser/b' and '/home/muser/c' are not. This is due to the following facts:
'/home/muser/a' is best matched by '+/home/muser/a';
'/home/muser/foo/b' is best matched by '+/home/muser/...';
'/home/muser/b' is best matched by '-/home/muser/*';
'/home/muser/c' is best matched by both '-/home/muser/c' and '+/home/muser/c', but the '-' spec takes precedence.
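The matching rules above, worked through as an added Python example (not Maple's own code): it parses a '+'/'-' specification file, scores each matching entry by the length of its literal prefix and then by form (exact over '*' over '...', which is my reading of the ordering the text describes), and lets any exclusion among tied winners deny. The READABLE_SPEC list is reconstructed from the bullets above; the '/' separator and treating a file matched by no entry as not permitted are assumptions.

```python
from dataclasses import dataclass
DIRSEP = "/"  # assumption: POSIX platform, so <dirsep> is '/'
# Readable-file spec list reconstructed from the worked example in the text.
READABLE_SPEC = """
+/home/muser/a
+/home/muser/...
-/home/muser/*
-/home/muser/c
+/home/muser/c
"""

@dataclass(frozen=True)
class Spec:
    include: bool  # True for a '+' inclusion, False for a '-' exclusion
    path: str      # literal part: a full filename, or a directory prefix ending in DIRSEP
    form: int      # 1 = exact file, 2 = <dir>/* (direct children), 3 = <dir>/... (any depth)

def parse_spec(line):
    """Turn one '+spec' or '-spec' entry into a Spec, rejecting malformed entries."""
    line = line.strip()
    if len(line) < 2 or line[0] not in "+-":
        raise ValueError(f"entry must start with '+' or '-': {line!r}")
    include, body = line[0] == "+", line[1:]
    if body.endswith(DIRSEP):
        raise ValueError(f"trailing separators are not allowed: {line!r}")
    if body.endswith(DIRSEP + "..."):
        return Spec(include, body[:-3], 3)
    if body.endswith(DIRSEP + "*"):
        return Spec(include, body[:-1], 2)
    return Spec(include, body, 1)

def load_specs(text):  # one entry per line, blank lines ignored
    return [parse_spec(l) for l in text.splitlines() if l.strip()]

def matches(spec, filename):
    if spec.form == 1:
        return filename == spec.path
    rest = filename[len(spec.path):]
    if not filename.startswith(spec.path) or not rest:
        return False  # a directory is not "below" itself
    return spec.form == 3 or DIRSEP not in rest  # form 2: direct children only

def is_permitted(specs, filename):
    """Most specific match decides; a tie that includes an exclusion denies."""
    rank = lambda s: (len(s.path), -s.form)  # longer prefix first, then exact > '*' > '...'
    hits = [s for s in specs if matches(s, filename)]
    if not hits:
        return False  # assumption: a file matched by no entry is not permitted
    best = max(map(rank, hits))
    return all(s.include for s in hits if rank(s) == best)
```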