for resource management. It is implemented via a number of "controllers",
each controller covering a specific task/functional area. One of the
available controllers is the "devices" controller, which is able to
- setup whitelists of block/character devices that a cgroup should be
- allowed to access. If the "devices" controller is mounted on a host,
- then libvirt will automatically create a dedicated cgroup for each
- QEMU virtual machine and setup the device whitelist so that the QEMU
- process can only access shared devices, and explicitly disks images
- backed by block devices.
+ setup access control lists of block/character devices that a cgroup
+ should be allowed to access. If the "devices" controller is mounted on a
+ host, then libvirt will automatically create a dedicated cgroup for each
+ QEMU virtual machine and setup the device access control list so that the
+ QEMU process can only access shared devices, and explicitly assigned disks
+ images backed by block devices.
</p>
<p>
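Review bot: the rewritten sentence keeps the pre-existing grammar slip "disks images" in `+ QEMU process can only access shared devices, and explicitly assigned disks` / `+ images backed by block devices.`; since this hunk already rewrites that sentence, change it to "disk images" here. Likewise "setup access control lists" and "setup the device access control list" use "setup" as a verb; "set up" is correct in both added lines. One terminology point: the text in this same hunk says the list enumerates devices the cgroup "should be allowed to access", so "allow list" would be more precise than the generic "access control list", which does not say whether entries permit or deny.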
policy on a per VM basis.
* Cgroups - a custom cgroup is created per VM and this will either use the
- ``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes.
+ ``devices`` controller or an ``BPF`` rule to define an access control list
+ for the set of device nodes.
There is no way to change this policy on a per VM basis.
Disabling security protection per VM
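Review bot: the added line `+ ``devices`` controller or an ``BPF`` rule to define an access control list` carries over the wrong article; it should read "a ``BPF`` rule". As the line is being rewritten anyway, fix it in this hunk. Consistent with the other hunk, "to define an allow list of device nodes" would also state the intent (only the listed nodes are accessible) more directly than "define an access control list for the set of device nodes".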