mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-07-31 22:17:17 +00:00
docs: remove use of the term 'whitelist' from cgroup docs
The term "access control list" better describes the concept involved.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
parent 11fc562951
commit 60e4d9d04e
@ -468,12 +468,12 @@ chmod o+x /path/to/directory
|
|||||||
for resource management. It is implemented via a number of "controllers",
|
for resource management. It is implemented via a number of "controllers",
|
||||||
each controller covering a specific task/functional area. One of the
|
each controller covering a specific task/functional area. One of the
|
||||||
available controllers is the "devices" controller, which is able to
|
available controllers is the "devices" controller, which is able to
|
||||||
setup whitelists of block/character devices that a cgroup should be
|
setup access control lists of block/character devices that a cgroup
|
||||||
allowed to access. If the "devices" controller is mounted on a host,
|
should be allowed to access. If the "devices" controller is mounted on a
|
||||||
then libvirt will automatically create a dedicated cgroup for each
|
host, then libvirt will automatically create a dedicated cgroup for each
|
||||||
QEMU virtual machine and setup the device whitelist so that the QEMU
|
QEMU virtual machine and setup the device access control list so that the
|
||||||
process can only access shared devices, and explicitly disks images
|
QEMU process can only access shared devices, and explicitly assigned disks
|
||||||
backed by block devices.
|
images backed by block devices.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
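Review bot: in the new sentence ending "explicitly assigned disks images backed by block devices", "disks images" is still ungrammatical; since these lines are being re-wrapped anyway, change it to "explicitly assigned disk images". The same paragraph uses "setup" as a verb twice ("setup access control lists", "setup the device access control list"), where "set up" is the verb form. The hunk also inserts the word "assigned", which changes the wording beyond the terminology swap the commit message describes, so it deserves a mention there.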
@ -110,7 +110,8 @@ Granting access per VM
|
|||||||
policy on a per VM basis.
|
policy on a per VM basis.
|
||||||
|
|
||||||
* Cgroups - a custom cgroup is created per VM and this will either use the
|
* Cgroups - a custom cgroup is created per VM and this will either use the
|
||||||
``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes.
|
``devices`` controller or an ``BPF`` rule to define an access control list
|
||||||
|
for the set of device nodes.
|
||||||
There is no way to change this policy on a per VM basis.
|
There is no way to change this policy on a per VM basis.
|
||||||
|
|
||||||
Disabling security protection per VM
|
Disabling security protection per VM
|
||||||
|
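Review bot: the rewritten bullet still reads "an ``BPF`` rule"; the article should be "a". In addition, "define an access control list for the set of device nodes" refers to "the set" although no set has been introduced, and it no longer says that the listed nodes are the permitted ones, which "whitelist a set of device nodes" did. Wording such as "define an access control list permitting a set of device nodes" keeps the original meaning.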