+# Add Proper ops
+proper_ops = [
+ # give Stork permission to mount and unmount client dirs
+ ('arizona_stork', 'mount_dir'),
+ ('arizona_stork', 'set_file_flags pass, "1"'),
+ ('arizona_stork', 'set_file_flags_list "1"'),
+ ('arizona_stork', 'bind_socket sockname=64?:*'),
+ ('arizona_stork2', 'mount_dir'),
+ ('arizona_stork2', 'set_file_flags pass, "1"'),
+ ('arizona_stork2', 'set_file_flags_list "1"'),
+ ('arizona_stork2', 'bind_socket sockname=64?:*'),
+
+ # give CoMon the necessary permissions to run slicestat
+ ('princeton_slicestat', 'exec "root", pass, "/usr/local/planetlab/bin/pl-ps", none'),
+ ('princeton_slicestat', 'exec "root", pass, "/usr/sbin/vtop", "bn1", none'),
+ ('princeton_slicestat', 'open_file file=/proc/virtual/*/cacct'),
+ ('princeton_slicestat', 'open_file file=/proc/virtual/*/limit'),
+ ('princeton_comon', 'open_file file=/var/log/secure'),
+ ('princeton_comon', 'exec "root", pass, "/bin/df", "/vservers", none'),
+
+ # give pl_slicedir access to /etc/passwd
+ ('pl_slicedir', 'open_file pass, "/etc/passwd"'),
+
+ # nyu_d are building a DNS demux so give them access to port 53
+ ('nyu_d', 'bind_socket'),
+ ('nyu_oasis', 'bind_socket'),
+
+ # QA slices need to be able to create and delete bind-mounts
+ ('pl_qa_0', 'mount_dir'),
+ ('pl_qa_1', 'mount_dir'),
+
+ # irb_snort needs packet sockets for tcpdump
+ ('irb_snort', 'create_socket'),
+
+ # uw_ankur is using netlink sockets to do the same thing as netflow
+ ('uw_ankur', 'create_socket'),
+
+ # cornell_codons gets access to port 53 for now
+ ('cornell_codons', 'create_socket'),
+
+ # give Mic Bowman's conf-monitor service read-only access to root fs
+ # and the ability to run df
+ ('idsl_monitor', 'mount_dir "root:/", pass, "ro"'),
+ ('idsl_monitor', 'unmount'),
+ ('idsl_monitor', 'exec "root", pass, "/bin/df", "-P", "/", "/vservers", none'),
+
+ # give Shark access to port 111 to run portmap
+ # and port 955 to run mount
+ ('nyu_shkr', 'bind_socket'),
+ ('nyu_shkr', 'mount_dir "nfs:**:**"'),
+ ('nyu_shkr', 'exec "root", pass, "/bin/umount", "-l", "/vservers/nyu_shkr/**", none'),
+
+ # give tsinghua_lgh access to restricted ports
+ ('tsinghua_lgh', 'bind_socket'),
+
+ # CoDeeN needs port 53 too
+ ('princeton_codeen', 'bind_socket sockname=53:*'),
+
+ # give ucin_load access to /var/log/wtmp
+ ('ucin_load', 'open_file file=/var/log/wtmp*'),
+
+ # give google_highground permission to bind port 81 (and raw sockets)
+ ('google_highground', 'bind_socket'),
+
+ # pl_conf needs access to port 814
+ ('pl_conf', 'bind_socket sockname=814:*'),
+ ('pl_conf', 'open file=/home/*/.ssh/authorized_keys'),
+
+ # give princeton_visp permission to read all packets sent through the
+ # tap0 device
+ ('princeton_visp', 'open file=/dev/net/tun, flags=rw'),
+
+ # The PLB group needs the BGP port
+ ('princeton_iias', 'bind_socket sockname=179:*'),
+ ('princeton_visp', 'bind_socket sockname=179:*'),
+ ('mit_rcp', 'bind_socket sockname=179:*'),
+ ('princeton_bgpmux', 'bind_socket sockname=179:*'),
+ ('princeton_bgpmux2', 'bind_socket sockname=179:*'),
+
+ # PL-VINI group
+ ('mit_rcp', 'exec "root", pass, "/usr/bin/chrt"'),
+ ('princeton_iias', 'exec "root", pass, "/usr/bin/chrt"'),
+
+ # Tycoon needs access to /etc/passwd to determine Slicename->XID mappings
+ ('hplabs_tycoon_aucd', 'open_file file=/etc/passwd'),
+]
+
+for slice, op in proper_ops:
+ try:
+ AddSliceTag(slice, 'proper_op', op)
+ except Exception, err:
+ print "Warning: %s:" % slice, err
+
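Review bot: Several entries grant an unrestricted `bind_socket` or `create_socket` even though the comment above them names a single port — `('nyu_d', 'bind_socket')` and `('nyu_oasis', 'bind_socket')` under "access to port 53", `('cornell_codons', 'create_socket')` under "port 53 for now", and `('google_highground', 'bind_socket')` under "bind port 81" — so the tag as written authorizes far more than the stated intent. Other entries in the same list already scope the grant, e.g. `('princeton_codeen', 'bind_socket sockname=53:*')` and `('pl_conf', 'bind_socket sockname=814:*')`, so the unscoped ones should presumably follow that form, e.g. `('nyu_d', 'bind_socket sockname=53:*')`, or the comment should say why the wider grant is needed (I am inferring the op syntax from the neighbouring entries, not from a Proper spec). The op name is also inconsistent: `('pl_conf', 'open file=/home/*/.ssh/authorized_keys')` and `('princeton_visp', 'open file=/dev/net/tun, flags=rw')` use `open` while every other file grant uses `open_file`; if `open` is not a recognized op these two silently grant nothing, and if it is, the two spellings should be reconciled. As a point of style, the loop variable `slice` shadows the builtin; `for slice_name, op in proper_ops:` avoids that, and the `except Exception` warning path keeps going on failure, which is fine for best-effort tagging but means a mistyped op name is only visible in the printed output.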