[libvirt PATCH 03/23] cgroup: remove use of the term 'whitelist' from cgroup code

Daniel P. Berrangé berrange at redhat.com
Fri Jun 19 09:32:40 UTC 2020


The term "access control list" better describes the concept involved.

Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 docs/drvqemu.html.in                     | 12 ++++++------
 docs/kbase/qemu-passthrough-security.rst |  3 ++-
 src/lxc/lxc_cgroup.c                     |  2 +-
 src/qemu/qemu.conf                       |  2 +-
 src/qemu/qemu_cgroup.c                   |  2 +-
 src/util/vircgroup.c                     |  2 +-
 6 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/docs/drvqemu.html.in b/docs/drvqemu.html.in
index b6d731bb59..31d3fee213 100644
--- a/docs/drvqemu.html.in
+++ b/docs/drvqemu.html.in
@@ -468,12 +468,12 @@ chmod o+x /path/to/directory
       for resource management. It is implemented via a number of "controllers",
       each controller covering a specific task/functional area. One of the
       available controllers is the "devices" controller, which is able to
-      setup whitelists of block/character devices that a cgroup should be
-      allowed to access. If the "devices" controller is mounted on a host,
-      then libvirt will automatically create a dedicated cgroup for each
-      QEMU virtual machine and setup the device whitelist so that the QEMU
-      process can only access shared devices, and explicitly disks images
-      backed by block devices.
+      setup access control lists of block/character devices that a cgroup
+      should be allowed to access. If the "devices" controller is mounted on a
+      host, then libvirt will automatically create a dedicated cgroup for each
+      QEMU virtual machine and setup the device access control list so that the
+      QEMU process can only access shared devices, and explicitly assigned disks
+      images backed by block devices.
     </p>
 
     <p>
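Review bot: the last two added lines read "explicitly assigned disks images backed by block devices"; "disks images" should be "disk images". Since the paragraph is being reworded anyway, the two uses of "setup" as a verb ("setup access control lists", "setup the device access control list") should become "set up"; "setup" is the noun form.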
diff --git a/docs/kbase/qemu-passthrough-security.rst b/docs/kbase/qemu-passthrough-security.rst
index 5f761cbfcb..4381d9f3a6 100644
--- a/docs/kbase/qemu-passthrough-security.rst
+++ b/docs/kbase/qemu-passthrough-security.rst
@@ -110,7 +110,8 @@ Granting access per VM
   policy on a per VM basis.
 
 * Cgroups - a custom cgroup is created per VM and this will either use the
-  ``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes.
+  ``devices`` controller or an ``BPF`` rule to define an access control list
+  for the set of device nodes.
   There is no way to change this policy on a per VM basis.
 
 Disabling security protection per VM
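Review bot: the rewritten line carries over the pre-existing article error "an ``BPF`` rule"; as the line is already being changed, make it "a ``BPF`` rule". The new wording "define an access control list for the set of device nodes" can also be tightened to "define an access control list of device nodes".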
diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c
index e71f37d2b1..d13f2adde5 100644
--- a/src/lxc/lxc_cgroup.c
+++ b/src/lxc/lxc_cgroup.c
@@ -374,7 +374,7 @@ static int virLXCCgroupSetupDeviceACL(virDomainDefPtr def,
             return -1;
     }
 
-    VIR_DEBUG("Device whitelist complete");
+    VIR_DEBUG("Device ACL setup complete");
 
     return 0;
 }
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 404961c53e..f89dbd2c3a 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -464,7 +464,7 @@
 # What cgroup controllers to make use of with QEMU guests
 #
 #  - 'cpu' - use for scheduler tunables
-#  - 'devices' - use for device whitelisting
+#  - 'devices' - use for device access control
 #  - 'memory' - use for memory tunables
 #  - 'blkio' - use for block devices I/O tunables
 #  - 'cpuset' - use for CPUs and memory nodes
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index d92202f847..57c5b6e69b 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -745,7 +745,7 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
     if (rv < 0) {
         if (virLastErrorIsSystemErrno(EPERM)) {
             virResetLastError();
-            VIR_WARN("Group devices ACL is not accessible, disabling whitelisting");
+            VIR_WARN("Group devices ACL is not accessible, disabling filtering");
             return 0;
         }
 
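Review bot: the new warning text "disabling filtering" is inconsistent with the terminology this same patch adopts elsewhere: the lxc hunk logs "Device ACL setup complete" and this message already starts with "Group devices ACL". Suggest "Group devices ACL is not accessible, skipping device ACL setup", which also states plainly what the EPERM branch does here (resets the error and returns 0, so the guest starts without cgroup device restrictions).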
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index bb535df4f2..e20cc71c78 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -773,7 +773,7 @@ virCgroupSetPartitionSuffix(const char *path, char **res)
         return ret;
 
     for (i = 0; tokens[i] != NULL; i++) {
-        /* Whitelist the 3 top level fixed dirs
+        /* Special case the 3 top level fixed dirs
          * NB i == 0 is "", since we have leading '/'
          */
         if (i == 1 &&
-- 
2.24.1