summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2021-07-14 15:17:40 -0700
committergVisor bot <gvisor-bot@google.com>2021-07-14 15:23:12 -0700
commitd02be7858ac5d185751df9a15a27340e349d19e5 (patch)
treeef3a9b99a229a12b3100879081b4642316f25895
parente963657e7c22b3b0be78c84ec7bec28dd0fc269b (diff)
Replace whitelist with allowlist from docs
PiperOrigin-RevId: 384796852
-rw-r--r--website/blog/2019-11-18-security-basics.md8
1 files changed, 5 insertions, 3 deletions
diff --git a/website/blog/2019-11-18-security-basics.md b/website/blog/2019-11-18-security-basics.md
index b6cf57a77..938605cc2 100644
--- a/website/blog/2019-11-18-security-basics.md
+++ b/website/blog/2019-11-18-security-basics.md
@@ -188,11 +188,11 @@ for direct access to some files. And most files will be remotely accessed
through the Gofers, in which case no FDs are donated to the Sentry.
The Sentry itself is only allowed access to specific
-[whitelisted syscalls](https://github.com/google/gvisor/blob/master/runsc/config/config.go).
+[allowlisted syscalls](https://github.com/google/gvisor/blob/master/runsc/config/config.go).
Without networking, the Sentry needs 53 host syscalls in order to function, and
-with networking, it uses an additional 15[^8]. By limiting the whitelist to only
+with networking, it uses an additional 15[^8]. By limiting the allowlist to only
these needed syscalls, we radically reduce the amount of host OS attack surface.
-If any attempts are made to call something outside the whitelist, it is
+If any attempts are made to call something outside the allowlist, it is
immediately blocked and the sandbox is killed by the Host OS.
### Sentry/Gofer Interface:
@@ -281,6 +281,8 @@ other ways the community can contribute to help make gVisor safe, fast and
stable.
<br>
<br>
+**Updated (2021-07-14):** this post was updated to use more inclusive language.
+<br>
--------------------------------------------------------------------------------