The term "access control list" better describes the concept involved.
Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
---
docs/drvqemu.html.in | 12 ++++++------
docs/kbase/qemu-passthrough-security.rst | 3 ++-
src/lxc/lxc_cgroup.c | 2 +-
src/qemu/qemu.conf | 2 +-
src/qemu/qemu_cgroup.c | 2 +-
src/util/vircgroup.c | 2 +-
6 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/docs/drvqemu.html.in b/docs/drvqemu.html.in
index b6d731bb59..31d3fee213 100644
--- a/docs/drvqemu.html.in
+++ b/docs/drvqemu.html.in
@@ -468,12 +468,12 @@ chmod o+x /path/to/directory
for resource management. It is implemented via a number of "controllers",
each controller covering a specific task/functional area. One of the
available controllers is the "devices" controller, which is able to
- setup whitelists of block/character devices that a cgroup should be
- allowed to access. If the "devices" controller is mounted on a host,
- then libvirt will automatically create a dedicated cgroup for each
- QEMU virtual machine and setup the device whitelist so that the QEMU
- process can only access shared devices, and explicitly disks images
- backed by block devices.
+ setup access control lists of block/character devices that a cgroup
+ should be allowed to access. If the "devices" controller is mounted on a
+ host, then libvirt will automatically create a dedicated cgroup for each
+ QEMU virtual machine and setup the device access control list so that the
+ QEMU process can only access shared devices, and explicitly assigned
disks
+ images backed by block devices.
</p>
<p>
diff --git a/docs/kbase/qemu-passthrough-security.rst
b/docs/kbase/qemu-passthrough-security.rst
index 5f761cbfcb..4381d9f3a6 100644
--- a/docs/kbase/qemu-passthrough-security.rst
+++ b/docs/kbase/qemu-passthrough-security.rst
@@ -110,7 +110,8 @@ Granting access per VM
policy on a per VM basis.
* Cgroups - a custom cgroup is created per VM and this will either use the
- ``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes.
+ ``devices`` controller or an ``BPF`` rule to define an access control list
+ for the set of device nodes.
There is no way to change this policy on a per VM basis.
Disabling security protection per VM
diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c
index e71f37d2b1..d13f2adde5 100644
--- a/src/lxc/lxc_cgroup.c
+++ b/src/lxc/lxc_cgroup.c
@@ -374,7 +374,7 @@ static int virLXCCgroupSetupDeviceACL(virDomainDefPtr def,
return -1;
}
- VIR_DEBUG("Device whitelist complete");
+ VIR_DEBUG("Device ACL setup complete");
return 0;
}
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 404961c53e..f89dbd2c3a 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -464,7 +464,7 @@
# What cgroup controllers to make use of with QEMU guests
#
# - 'cpu' - use for scheduler tunables
-# - 'devices' - use for device whitelisting
+# - 'devices' - use for device access control
# - 'memory' - use for memory tunables
# - 'blkio' - use for block devices I/O tunables
# - 'cpuset' - use for CPUs and memory nodes
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index d92202f847..57c5b6e69b 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -745,7 +745,7 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
if (rv < 0) {
if (virLastErrorIsSystemErrno(EPERM)) {
virResetLastError();
- VIR_WARN("Group devices ACL is not accessible, disabling
whitelisting");
+ VIR_WARN("Group devices ACL is not accessible, disabling
filtering");
return 0;
}
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index bb535df4f2..e20cc71c78 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -773,7 +773,7 @@ virCgroupSetPartitionSuffix(const char *path, char **res)
return ret;
for (i = 0; tokens[i] != NULL; i++) {
- /* Whitelist the 3 top level fixed dirs
+ /* Special case the 3 top level fixed dirs
* NB i == 0 is "", since we have leading '/'
*/
if (i == 1 &&
--
2.24.1
