# NOTE(review): this looks like an excerpt of a PlanetLab Proper-style
# privileged-operation ACL; each rule reads "<slice>: <operation> [arguments]".
# The excerpt is not contiguous (several lines are not shown), so a rule that
# is missing here may still exist in the full file.
4 # anyone can execute the get_file_flags operation (since it is applied
5 # within the caller's vserver and the command lsattr gives the same
6 # info anyway) or get the version string. wait is harmless too since
7 # the caller needs to know the child ID. and we let any slice unmount
8 # directories in its own filesystem, mostly as a workaround for some
16 # give Stork permission to mount and unmount client dirs
# mount_dir here carries no target argument, unlike the idsl_monitor and
# nyu_shkr rules below which pin it to "root:/" and "nfs:**:**"; confirm
# whether an unqualified mount_dir is limited to the caller's own tree.
17 arizona_stork: mount_dir
18 arizona_stork: set_file_flags pass, "1"
19 arizona_stork: set_file_flags_list "1"
# sockname=64?:* -- presumably a glob, so this matches the whole range
# 640-649 on any address, not one port.
20 arizona_stork: bind_socket sockname=64?:*
# arizona_stork2 mirrors the four arizona_stork rules; keep the two in step.
21 arizona_stork2: mount_dir
22 arizona_stork2: set_file_flags pass, "1"
23 arizona_stork2: set_file_flags_list "1"
24 arizona_stork2: bind_socket sockname=64?:*
26 # give CoMon the necessary permissions to run slicestat
# exec rules name the binary and its full argument list, terminated by "none";
# the "root" argument presumably selects the uid the command runs under, so the
# argument list is part of the grant, not just the path.
27 princeton_slicestat: exec "root", pass, "/usr/local/planetlab/bin/pl-ps", none
28 princeton_slicestat: exec "root", pass, "/usr/sbin/vtop", "bn1", none
# the "*" presumably spans every vserver's /proc/virtual entry, not only the caller's
29 princeton_slicestat: open_file file=/proc/virtual/*/cacct
30 princeton_slicestat: open_file file=/proc/virtual/*/limit
# /var/log/secure is the host's authentication log; reading it exposes login
# records for every slice on the node, so this grant is sensitive.
31 princeton_comon: open_file file=/var/log/secure
32 princeton_comon: exec "root", pass, "/bin/df", "/vservers", none
34 # give pl_slicedir access to /etc/passwd
# positional form (pass, "<path>") versus the file=<path> keyword form used
# for pl_netflow below -- presumably equivalent; confirm against the parser.
35 pl_slicedir: open_file pass, "/etc/passwd"
37 # netflow now runs in a slice so needs various accesses
# "open ... flags=r" and "open_file" are both granted for the same path; one is
# presumably the older spelling of the operation. The create_socket and
# bind_socket rules below carry no qualifier at all.
38 pl_netflow: open file=/etc/passwd, flags=r
39 pl_netflow: open_file file=/etc/passwd
40 pl_netflow: create_socket
41 pl_netflow: bind_socket
43 # nyu_d are building a DNS demux so give them access to port 53
# NOTE(review): the comment says port 53 but this rule is unqualified, so it
# allows binding any port; sockname=53:* (as on the princeton_codeen rule
# below) would match the stated intent. The nyu_d rule the comment refers to
# may be on a line not shown here.
45 nyu_oasis: bind_socket
47 # QA slices need to be able to create and delete bind-mounts
# (the QA rules themselves are not in this excerpt)
51 # irb_snort needs packet sockets for tcpdump
# no socket family/type qualifier is given; if create_socket accepts one,
# narrowing it to packet sockets would match the stated purpose. The same
# applies to uw_ankur (netlink) and cornell_codons below.
52 irb_snort: create_socket
54 # uw_ankur is using netlink sockets to do the same thing as netflow
55 uw_ankur: create_socket
57 # cornell_codons gets access to port 53 for now
# only create_socket is visible here; a bind rule for port 53 may be on a
# line not shown.
58 cornell_codons: create_socket
60 # give Mic Bowman's conf-monitor service read-only access to root fs
61 # and the ability to run df
# "ro" is what keeps this mount read-only; do not drop it when editing.
62 idsl_monitor: mount_dir "root:/", pass, "ro"
64 idsl_monitor: exec "root", pass, "/bin/df", "-P", "/", "/vservers", none
66 # give Shark access to port 111 to run portmap
67 # and port 955 to run mount
# the bind rules for 111/955 are not in this excerpt. What is visible is a broad
# NFS mount grant ("nfs:**:**" -- presumably any server, any export) and a lazy
# unmount (-l) that the glob confines to the slice's own /vservers tree.
69 nyu_shkr: mount_dir "nfs:**:**"
70 nyu_shkr: exec "root", pass, "/bin/umount", "-l", "/vservers/nyu_shkr/**", none
72 # give tsinghua_lgh access to restricted ports
# unqualified: this permits any port, not only the restricted ones; add a
# sockname= qualifier if specific ports are meant.
73 tsinghua_lgh: bind_socket
75 # CoDeeN needs port 53 too
# port 53 on any address -- the qualified form the unqualified bind_socket
# rules above should follow.
76 princeton_codeen: bind_socket sockname=53:*
78 # give ucin_load access to /var/log/wtmp
# trailing * presumably also covers rotated copies (wtmp.1 and so on)
79 ucin_load: open_file file=/var/log/wtmp*
81 # give google_highground permission to bind port 81 (and raw sockets)
# the comment names port 81 but the rule is unqualified (any port); no
# create_socket rule for the raw sockets the comment mentions is visible here.
82 google_highground: bind_socket
84 # pl_conf needs access to port 814
85 pl_conf: bind_socket sockname=814:*
# no flags= given (compare flags=r / flags=rw on the pl_netflow and
# princeton_visp open rules); confirm the default mode. If it is not
# read-only, this permits rewriting every slice's authorized_keys, i.e. the
# credential that controls who can log in to that slice.
86 pl_conf: open file=/home/*/.ssh/authorized_keys
88 # give princeton_visp permission to read all packets sent through the
# (comment continues on a line not shown) -- note the grant is rw, not read-only
90 princeton_visp: open file=/dev/net/tun, flags=rw
92 # The PLB group needs the BGP port
93 princeton_iias: bind_socket sockname=179:*
94 princeton_visp: bind_socket sockname=179:*
95 mit_rcp: bind_socket sockname=179:*
# these exec rules give no argument list and no terminating "none", unlike
# every other exec rule above; confirm whether that leaves chrt's arguments
# unconstrained (chrt changes the scheduling policy of processes, not only
# the caller's own).
98 mit_rcp: exec "root", pass, "/usr/bin/chrt"
99 princeton_iias: exec "root", pass, "/usr/bin/chrt"
100 uw_arvind: exec "root", pass, "/usr/bin/chrt"