From 60e4d9d04ee4bf9c4b62540411c759053db775fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 16 Jun 2020 11:24:48 +0100 Subject: [PATCH] docs: remove use of the term 'whitelist' from cgroup docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The term "access control list" better describes the concept involved. Reviewed-by: Peter Krempa Signed-off-by: Daniel P. Berrangé --- docs/drvqemu.html.in | 12 ++++++------ docs/kbase/qemu-passthrough-security.rst | 3 ++- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/drvqemu.html.in b/docs/drvqemu.html.in index b6d731bb59..31d3fee213 100644 --- a/docs/drvqemu.html.in +++ b/docs/drvqemu.html.in @@ -468,12 +468,12 @@ chmod o+x /path/to/directory for resource management. It is implemented via a number of "controllers", each controller covering a specific task/functional area. One of the available controllers is the "devices" controller, which is able to - setup whitelists of block/character devices that a cgroup should be - allowed to access. If the "devices" controller is mounted on a host, - then libvirt will automatically create a dedicated cgroup for each - QEMU virtual machine and setup the device whitelist so that the QEMU - process can only access shared devices, and explicitly disks images - backed by block devices. + setup access control lists of block/character devices that a cgroup + should be allowed to access. If the "devices" controller is mounted on a + host, then libvirt will automatically create a dedicated cgroup for each + QEMU virtual machine and setup the device access control list so that the + QEMU process can only access shared devices, and explicitly assigned disks + images backed by block devices.

diff --git a/docs/kbase/qemu-passthrough-security.rst b/docs/kbase/qemu-passthrough-security.rst index 5f761cbfcb..4381d9f3a6 100644 --- a/docs/kbase/qemu-passthrough-security.rst +++ b/docs/kbase/qemu-passthrough-security.rst @@ -110,7 +110,8 @@ Granting access per VM policy on a per VM basis. * Cgroups - a custom cgroup is created per VM and this will either use the - ``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes. + ``devices`` controller or an ``BPF`` rule to define an access control list + for the set of device nodes. There is no way to change this policy on a per VM basis. Disabling security protection per VM -- GitLab
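Review bot: in the docs/drvqemu.html.in hunk, the added line "QEMU process can only access shared devices, and explicitly assigned disks images backed by block devices" carries over the plural slip from the removed text; since the sentence is being reworded anyway, make it "explicitly assigned disk images backed by block devices". The same hunk still reads "setup access control lists" and "setup the device access control list" where the verb form "set up" is meant; worth fixing in the lines being touched rather than leaving for a follow-up.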
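Review bot: in the docs/kbase/qemu-passthrough-security.rst hunk, the new line "``devices`` controller or an ``BPF`` rule to define an access control list" keeps the wrong article from the removed line; it should be "a ``BPF`` rule" since the line is being rewritten. The rewording also changes "whitelist a set of device nodes" to "for the set of device nodes", which reads as if a specific set had already been introduced; "for a set of device nodes" preserves the original meaning.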