Commit 60e4d9d0 authored by Daniel P. Berrangé

docs: remove use of the term 'whitelist' from cgroup docs

The term "access control list" better describes the concept involved.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Parent 11fc5629
......@@ -468,12 +468,12 @@ chmod o+x /path/to/directory
for resource management. It is implemented via a number of "controllers",
each controller covering a specific task/functional area. One of the
available controllers is the "devices" controller, which is able to
setup whitelists of block/character devices that a cgroup should be
allowed to access. If the "devices" controller is mounted on a host,
then libvirt will automatically create a dedicated cgroup for each
QEMU virtual machine and setup the device whitelist so that the QEMU
process can only access shared devices, and explicitly disks images
backed by block devices.
setup access control lists of block/character devices that a cgroup
should be allowed to access. If the "devices" controller is mounted on a
host, then libvirt will automatically create a dedicated cgroup for each
QEMU virtual machine and setup the device access control list so that the
QEMU process can only access shared devices, and explicitly assigned disks
images backed by block devices.
</p>
<p>
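Review bot: The last sentence of the replacement paragraph still reads "explicitly assigned disks images"; since that sentence is being rewritten anyway (the word "assigned" is new and is not mentioned in the commit message), it should read "explicitly assigned disk images". The verb in "able to setup access control lists" and "setup the device access control list" should also be "set up".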
......
......@@ -110,7 +110,8 @@ Granting access per VM
policy on a per VM basis.
* Cgroups - a custom cgroup is created per VM and this will either use the
``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes.
``devices`` controller or an ``BPF`` rule to define an access control list
for the set of device nodes.
There is no way to change this policy on a per VM basis.
Disabling security protection per VM
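Review bot: In the rewritten Cgroups bullet, "define an access control list for the set of device nodes" drops the allow semantics that "whitelist a set of device nodes" carried, and "the set" has no antecedent. Wording such as "define an access control list permitting a set of device nodes" keeps the meaning, and "an ``BPF`` rule" can become "a ``BPF`` rule" while the line is being touched.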
......