The constraint is matched literally so that only an executable with an identical fully qualified pathname will match the constraint. This means that the executable /usr/bin/foo will not match a constraint for /usr/bin/./foo and vice-versa. This is the default constraint type.
A constraint with no path is matched against the basename of the executable. foo will match /bin/foo, /usr/local/sbin/foo, or any other executable named foo, no matter what its path is.
A constraint with a trailing slash is prefix-matched against the full pathname of the executable. /usr/bin/ will match any executable with a path starting with /usr/bin.
Note that the executable path matched against is the path parameter in an exec* function call. The Directory or Exact constraints can only match when the executable is called with a full pathname. Most programs executed from a shell are run without a full path, via exec*p, so the Basename constraint type is the most useful.
WARNING! Constrained mappings must never appear first in the configuration file. While there is a way to specify the "default" constraint, its use is not recommended.
The most common use at the date of writing is for allowing multiple POSIX threading libraries to be used on a system without relinking or changing symlinks.
This mechanism has also been used to create shims to allow Linux shared libraries to be dynamically loaded into .Fx binaries. In this case, an Exact constraint is used for the Linux shared library, mapping libraries it depends on to a wrapper. The wrapper then defines any needed symbols for the Linux shared library and relies on its libraries not being mapped to provide actual implementations. It appears that only libraries loaded via dlopen(3) will work correctly. The symbol version information in shared libraries is checked at link time, but at run time the version information is currently ignored.