The term "access control list" better describes the concept involved. Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- docs/drvqemu.html.in | 12 ++++++------ docs/kbase/qemu-passthrough-security.rst | 3 ++- src/lxc/lxc_cgroup.c | 2 +- src/qemu/qemu.conf | 2 +- src/qemu/qemu_cgroup.c | 2 +- src/util/vircgroup.c | 2 +- 6 files changed, 12 insertions(+), 11 deletions(-) diff --git a/docs/drvqemu.html.in b/docs/drvqemu.html.in index b6d731bb59..31d3fee213 100644 --- a/docs/drvqemu.html.in +++ b/docs/drvqemu.html.in @@ -468,12 +468,12 @@ chmod o+x /path/to/directory for resource management. It is implemented via a number of "controllers", each controller covering a specific task/functional area. One of the available controllers is the "devices" controller, which is able to - setup whitelists of block/character devices that a cgroup should be - allowed to access. If the "devices" controller is mounted on a host, - then libvirt will automatically create a dedicated cgroup for each - QEMU virtual machine and setup the device whitelist so that the QEMU - process can only access shared devices, and explicitly disks images - backed by block devices. + setup access control lists of block/character devices that a cgroup + should be allowed to access. If the "devices" controller is mounted on a + host, then libvirt will automatically create a dedicated cgroup for each + QEMU virtual machine and setup the device access control list so that the + QEMU process can only access shared devices, and explicitly assigned disks + images backed by block devices. </p> <p> diff --git a/docs/kbase/qemu-passthrough-security.rst b/docs/kbase/qemu-passthrough-security.rst index 5f761cbfcb..4381d9f3a6 100644 --- a/docs/kbase/qemu-passthrough-security.rst +++ b/docs/kbase/qemu-passthrough-security.rst @@ -110,7 +110,8 @@ Granting access per VM policy on a per VM basis. * Cgroups - a custom cgroup is created per VM and this will either use the - ``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes. + ``devices`` controller or an ``BPF`` rule to define an access control list + for the set of device nodes. There is no way to change this policy on a per VM basis. Disabling security protection per VM diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c index e71f37d2b1..d13f2adde5 100644 --- a/src/lxc/lxc_cgroup.c +++ b/src/lxc/lxc_cgroup.c @@ -374,7 +374,7 @@ static int virLXCCgroupSetupDeviceACL(virDomainDefPtr def, return -1; } - VIR_DEBUG("Device whitelist complete"); + VIR_DEBUG("Device ACL setup complete"); return 0; } diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 404961c53e..f89dbd2c3a 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -464,7 +464,7 @@ # What cgroup controllers to make use of with QEMU guests # # - 'cpu' - use for scheduler tunables -# - 'devices' - use for device whitelisting +# - 'devices' - use for device access control # - 'memory' - use for memory tunables # - 'blkio' - use for block devices I/O tunables # - 'cpuset' - use for CPUs and memory nodes diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index d92202f847..57c5b6e69b 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -745,7 +745,7 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm) if (rv < 0) { if (virLastErrorIsSystemErrno(EPERM)) { virResetLastError(); - VIR_WARN("Group devices ACL is not accessible, disabling whitelisting"); + VIR_WARN("Group devices ACL is not accessible, disabling filtering"); return 0; } diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c index bb535df4f2..e20cc71c78 100644 --- a/src/util/vircgroup.c +++ b/src/util/vircgroup.c @@ -773,7 +773,7 @@ virCgroupSetPartitionSuffix(const char *path, char **res) return ret; for (i = 0; tokens[i] != NULL; i++) { - /* Whitelist the 3 top level fixed dirs + /* Special case the 3 top level fixed dirs * NB i == 0 is "", since we have leading '/' */ if (i == 1 && -- 2.24.1