#
# Access-control list for privileged operations requested by slices.
# Each rule has the form `<slice>: <operation> [argument constraints]`.
# Rules are grouped by the service that needs them; the comment above each
# group records why the grant exists.
#
# NOTE(review): several grants below are broader than the comment that
# justifies them (for example an unscoped bind_socket where the comment
# names one port). Those are marked NOTE(review) so the scope can be
# confirmed against the enforcing daemon's matching rules.
#
# default ACL:
#
# anyone can execute the get_file_flags operation (since it is applied
# within the caller's vserver and the command lsattr gives the same
# info anyway) or get the version string. wait is harmless too since
# the caller needs to know the child ID. and we let any slice unmount
# directories in its own filesystem, mostly as a workaround for some
# Stork problems.
#
*: get_file_flags
*: version
*: wait
# NOTE(review): this rule uses the `+` selector where the three above use
# `*`; the difference between the two is not documented in this file.
# The rule carries no path constraint, so the "own filesystem" limit
# described above is presumably enforced by the operation itself -- confirm.
+: unmount

# give Stork permission to mount and unmount client dirs
# NOTE(review): mount_dir is granted with no source/target constraint.
# `sockname=64?:*` looks like a port glob (presumably 640-649 on any
# address) -- confirm against the pattern syntax.
arizona_stork: mount_dir
arizona_stork: set_file_flags pass, "1"
arizona_stork: set_file_flags_list "1"
arizona_stork: bind_socket sockname=64?:*
arizona_stork2: mount_dir
arizona_stork2: set_file_flags pass, "1"
arizona_stork2: set_file_flags_list "1"
arizona_stork2: bind_socket sockname=64?:*

# give CoMon the necessary permissions to run slicestat
# The exec rules pin the binary path and each argument and end with `none`
# (presumably an end-of-arguments marker -- confirm). The first argument
# "root" presumably selects the context the command runs in.
princeton_slicestat: exec "root", pass, "/usr/local/planetlab/bin/pl-ps", none
princeton_slicestat: exec "root", pass, "/usr/sbin/vtop", "bn1", none
princeton_slicestat: open_file file=/proc/virtual/*/cacct
princeton_slicestat: open_file file=/proc/virtual/*/limit
# NOTE(review): /var/log/secure is conventionally the authentication log;
# no flags= constraint is given, so confirm this is opened read-only.
princeton_comon: open_file file=/var/log/secure
princeton_comon: exec "root", pass, "/bin/df", "/vservers", none

# give pl_slicedir access to /etc/passwd
pl_slicedir: open_file pass, "/etc/passwd"

# netflow now runs in a slice so needs various accesses
# NOTE(review): both `open` and `open_file` are granted for /etc/passwd;
# only the `open` rule restricts the mode (flags=r). create_socket and
# bind_socket carry no type or sockname constraint.
pl_netflow: open file=/etc/passwd, flags=r
pl_netflow: open_file file=/etc/passwd
pl_netflow: create_socket
pl_netflow: bind_socket

# nyu_d are building a DNS demux so give them access to port 53
# NOTE(review): the comment names port 53, but neither rule has a sockname=
# constraint (compare `princeton_codeen: bind_socket sockname=53:*` below).
# Presumably this allows binding any port -- confirm, and scope it if so.
# nyu_oasis is not mentioned in the justification.
nyu_d: bind_socket
nyu_oasis: bind_socket

# QA slices need to be able to create and delete bind-mounts
# NOTE(review): mount_dir is unconstrained here; no source or target pattern.
pl_qa_0: mount_dir
pl_qa_1: mount_dir

# irb_snort needs packet sockets for tcpdump
# NOTE(review): create_socket is granted without naming a socket family or
# type; whether the operation accepts such a constraint is not shown here.
irb_snort: create_socket

# uw_ankur is using netlink sockets to do the same thing as netflow
uw_ankur: create_socket

# cornell_codons gets access to port 53 for now
# NOTE(review): the comment describes a port-53 grant, but the rule is
# create_socket, not bind_socket -- confirm which operation was intended.
# "for now" suggests a temporary grant; check whether it is still needed.
cornell_codons: create_socket

# give Mic Bowman's conf-monitor service read-only access to root fs
# and the ability to run df
# The mount is pinned to source "root:/" with option "ro"; the middle
# argument is `pass` (presumably "accept the caller's value" -- confirm).
idsl_monitor: mount_dir "root:/", pass, "ro"
idsl_monitor: unmount
idsl_monitor: exec "root", pass, "/bin/df", "-P", "/", "/vservers", none

# give Shark access to port 111 to run portmap
# and port 955 to run mount
# NOTE(review): bind_socket has no sockname= constraint although the comment
# names ports 111 and 955 only. `nfs:**:**` places no limit on the NFS
# server or export that can be mounted. The umount exec is limited to paths
# under /vservers/nyu_shkr/.
nyu_shkr: bind_socket
nyu_shkr: mount_dir "nfs:**:**"
nyu_shkr: exec "root", pass, "/bin/umount", "-l", "/vservers/nyu_shkr/**", none

# give tsinghua_lgh access to restricted ports
# NOTE(review): no sockname= constraint; the ports needed are not recorded.
tsinghua_lgh: bind_socket

# CoDeeN needs port 53 too
princeton_codeen: bind_socket sockname=53:*

# give ucin_load access to /var/log/wtmp
# The trailing * also matches other names starting with /var/log/wtmp
# (presumably rotated logs such as wtmp.1).
ucin_load: open_file file=/var/log/wtmp*

# give google_highground permission to bind port 81 (and raw sockets)
# NOTE(review): the comment names port 81, but the rule has no sockname=
# constraint. The comment also mentions raw sockets, yet no create_socket
# rule exists for this slice -- confirm the intended scope.
google_highground: bind_socket

# pl_conf needs access to port 814
# NOTE(review): the open rule covers every user's authorized_keys and has no
# flags= constraint (compare `flags=r` on pl_netflow). These files decide
# who can log in over SSH, so confirm which access modes are intended.
pl_conf: bind_socket sockname=814:*
pl_conf: open file=/home/*/.ssh/authorized_keys

# give princeton_visp permission to read all packets sent through the
# tap0 device
# NOTE(review): the grant is read-write (flags=rw) on /dev/net/tun, while
# the comment describes reading only.
princeton_visp: open file=/dev/net/tun, flags=rw

# The PLB group needs the BGP port
princeton_iias: bind_socket sockname=179:*
princeton_visp: bind_socket sockname=179:*
mit_rcp: bind_socket sockname=179:*

# PL-VINI group
# NOTE(review): unlike every other exec rule in this file, these three do
# not list arguments or end with `none`. chrt starts the program named in
# its arguments, so if omitting the list means "any arguments", these
# slices could run arbitrary commands in the "root" context. Confirm the
# matching semantics and pin the arguments if so.
mit_rcp: exec "root", pass, "/usr/bin/chrt"
princeton_iias: exec "root", pass, "/usr/bin/chrt"
uw_arvind: exec "root", pass, "/usr/bin/chrt"