File Specification - Maple Help

File Specifications for Maple Engine Security

File Specification

For information on how inclusion and exclusion specifications are used, see the Maple Engine Security help page.

In the context of Maple security, a file specification is a string of the form

(1) <fully-qualified-file-name>

or

(2) <fully-qualified-directory-name><dirsep>*

or

(3) <fully-qualified-directory-name><dirsep>...

where <dirsep> is '/' or '\' depending on the platform. Trailing slashes are not allowed. Form (3) is not permitted when specifying loadable external libraries.

The file specs are used to match against fully qualified filenames. Form (1) will match files with the name <fully-qualified-file-name> exactly. Form (2) will match files and directories that are directly below <fully-qualified-directory-name>. Form (3) will match files and directories anywhere below <fully-qualified-directory-name>.

Examples

The following are all valid file specifications:

/home/muser/foo.so

/home/muser/bar/...

/home/muser/bar/*

/*

/...

The following are not valid file specifications:

/home/*/bar/...

/home/muser/*.so

/home/muser/bar/

File Specifications Contained within a File

If a list of file specifications is given in a file, then the file must be of the form

[-|+]<spec>

[-|+]<spec>

.

.

.

Specifications with a leading '+' are called 'inclusions' and specifications with a leading '-' are called 'exclusions'.

Examples

The file containing the following entries is a valid specification file:

-/...

+/home/muser/...

-/home/muser/bar/...

+/home/muser/bar/mylib.so

If the above specification was provided for readable files, then the reading of files below the directory '/home/muser' would be permitted, except for those files below '/home/muser/bar', where only the file '/home/muser/bar/mylib.so' can be read.

Matching Rules

When Maple determines whether or not an operation is permitted on a particular file (or directory), the filename is compared against the appropriate list of inclusions and exclusions. The most specific matching specification determines the permission. In the event of a tie (between an exclusion and inclusion spec), the file is considered excluded.

For specifications without the strings * and ..., the longest match is the most specific. Otherwise,

<path><dirsep><base-file-name>

is considered longer than

<path><dirsep>*

which is, in turn, considered longer than

<path><dirsep>...

Examples

With the readable file spec

+/home/muser/...

+/home/muser/a

-/home/muser/c

-/home/muser/*

+/home/muser/c

The files '/home/muser/a' and '/home/muser/foo/b' are considered readable, but the files '/home/muser/b' and '/home/muser/c' are not. This is due to the following facts:

'/home/muser/a' is best matched by '+/home/muser/a';

'/home/muser/foo/b' is best matched by '+/home/muser/...';

'/home/muser/b' is best matched by '-/home/muser/*';

'/home/muser/c' is best matched by both '-/home/muser/c' and '+/home/muser/c', but the '-' spec takes precedence.
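
The matching rules above, worked through as an added Python example (not Maplesoft code): it validates specification lines, ranks the matching ones by specificity, and resolves a tie in favour of the exclusion. The function names are hypothetical, only '/' is handled as <dirsep>, paths are assumed to be already canonical, and None is returned when no specification matches because this page does not define that case.

```python
# Added example, not Maplesoft code. Assumes '/' as <dirsep> and canonical paths
# (no '..' components or symlinks); names below are hypothetical.
EXACT, STAR, DOTS = 2, 1, 0  # within one directory: file name > '*' > '...'

def parse_spec(line):
    """Parse '[-|+]<spec>' into (include, directory, kind, spec)."""
    sign, spec = line[:1], line[1:]
    if sign not in ("+", "-"):
        raise ValueError(f"missing '+' or '-' prefix: {line!r}")
    if not spec.startswith("/") or spec.endswith("/"):
        raise ValueError(f"not fully qualified, or trailing slash: {line!r}")
    directory, _, last = spec.rpartition("/")
    if "*" in directory or "..." in directory.split("/"):
        raise ValueError(f"'*' and '...' must be the last component: {line!r}")
    if last == "*":
        kind = STAR
    elif last == "...":
        kind = DOTS
    elif "*" in last:
        raise ValueError(f"partial wildcards are not a valid form: {line!r}")
    else:
        kind = EXACT
    return sign == "+", directory, kind, spec

def matches(path, directory, kind, spec):
    if kind == EXACT:
        return path == spec                           # form (1): exact name
    if kind == STAR:
        return path.rpartition("/")[0] == directory   # form (2): directly below
    return path.startswith(directory + "/")           # form (3): anywhere below

def decide(path, lines):
    """True = permitted, False = excluded, None = no specification matched."""
    best, verdict = None, None
    for include, directory, kind, spec in map(parse_spec, lines):
        if not matches(path, directory, kind, spec):
            continue
        key = (len(directory), kind)   # deeper directory first, then form rank
        if best is None or key > best:
            best, verdict = key, include
        elif key == best and not include:
            verdict = False            # tie: the exclusion wins
    return verdict

# The readable-file specification from the example above.
PAGE_SPECS = ["+/home/muser/...", "+/home/muser/a", "-/home/muser/c",
              "-/home/muser/*", "+/home/muser/c"]

if __name__ == "__main__":
    for p in ("/home/muser/a", "/home/muser/foo/b", "/home/muser/b", "/home/muser/c"):
        print(p, decide(p, PAGE_SPECS))
```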

