diff --git a/doc/source/admin/components.rst b/doc/source/admin/components.rst index 08671c9a16..e30966bdb1 100644 --- a/doc/source/admin/components.rst +++ b/doc/source/admin/components.rst @@ -361,6 +361,26 @@ executor disk_limit_per_job=100 +**trusted_ro_paths** + + List of paths, separated by ':' to read-only bind mount into trusted + bubblewrap contexts. + +**trusted_rw_paths** + + List of paths, separated by ':' to read-write bind mount into trusted + bubblewrap contexts. + +**untrusted_ro_paths** + + List of paths, separated by ':' to read-only bind mount into untrusted + bubblewrap contexts. + +**untrusted_rw_paths** + + List of paths, separated by ':' to read-write bind mount into untrusted + bubblewrap contexts. + merger """""" diff --git a/etc/zuul.conf-sample b/etc/zuul.conf-sample index e6375a54c4..0ae42a2bf3 100644 --- a/etc/zuul.conf-sample +++ b/etc/zuul.conf-sample @@ -27,8 +27,8 @@ zuul_url=http://zuul.example.com/p [executor] default_username=zuul -trusted_ro_dirs=/opt/zuul-scripts:/var/cache -trusted_rw_dirs=/opt/zuul-logs +trusted_ro_paths=/opt/zuul-scripts:/var/cache +trusted_rw_paths=/opt/zuul-logs [web] listen_address=127.0.0.1 diff --git a/tests/base.py b/tests/base.py index 568e15fbb4..35c8324544 100755 --- a/tests/base.py +++ b/tests/base.py @@ -2080,7 +2080,7 @@ class ZuulTestCase(BaseTestCase): self.copyDirToRepo(project, os.path.join(git_path, reponame)) # Make test_root persist after ansible run for .flag test - self.config.set('executor', 'trusted_rw_dirs', self.test_root) + self.config.set('executor', 'trusted_rw_paths', self.test_root) self.setupAllProjectKeys() def setupSimpleLayout(self): diff --git a/zuul/driver/__init__.py b/zuul/driver/__init__.py index 5193fe6090..6ac9197535 100644 --- a/zuul/driver/__init__.py +++ b/zuul/driver/__init__.py 
@@ -272,11 +272,11 @@ class WrapperInterface(object, metaclass=abc.ABCMeta): pass @abc.abstractmethod - def setMountsMap(self, state_dir, ro_dirs=[], rw_dirs=[]): + def setMountsMap(self, state_dir, ro_paths=None, rw_paths=None): """Add additional mount point to the execution environment. :arg str state_dir: the state directory to be read write - :arg list ro_dirs: read only directories paths - :arg list rw_dirs: read write directories paths + :arg list ro_paths: read only files or directories to bind mount + :arg list rw_paths: read write files or directories to bind mount """ pass diff --git a/zuul/driver/bubblewrap/__init__.py b/zuul/driver/bubblewrap/__init__.py index ea75c0b5a6..5370484ab8 100644 --- a/zuul/driver/bubblewrap/__init__.py +++ b/zuul/driver/bubblewrap/__init__.py @@ -83,12 +83,12 @@ class BubblewrapDriver(Driver, WrapperInterface): def stop(self): pass - def setMountsMap(self, ro_dirs=None, rw_dirs=None): - if not ro_dirs: - ro_dirs = [] - if not rw_dirs: - rw_dirs = [] - self.mounts_map = {'ro': ro_dirs, 'rw': rw_dirs} + def setMountsMap(self, ro_paths=None, rw_paths=None): + if not ro_paths: + ro_paths = [] + if not rw_paths: + rw_paths = [] + self.mounts_map = {'ro': ro_paths, 'rw': rw_paths} def getPopen(self, **kwargs): # Set zuul_dir if it was not passed in diff --git a/zuul/executor/server.py b/zuul/executor/server.py index b306e75c45..21c4cf1482 100644 --- a/zuul/executor/server.py +++ b/zuul/executor/server.py 
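Review bot: The abstract `setMountsMap` in zuul/driver/__init__.py still declares and documents a leading `state_dir` argument, but the bubblewrap implementation touched by this same commit takes only `(ro_paths, rw_paths)`, and the executor calls it positionally with those two lists. A wrapper written against the interface as documented would bind the read-only list to `state_dir` (described as read write) and the read-write list to `ro_paths`, so the sandbox mounts would not match the configuration. Since the signature is being edited anyway, it should read `def setMountsMap(self, ro_paths=None, rw_paths=None):` with the `:arg str state_dir:` docstring line dropped.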
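Review bot: `BubblewrapDriver.setMountsMap` stores the per-job path lists in `self.mounts_map` on the driver object, and the executor reaches that object through the shared `self.executor_server.execution_wrapper` before calling `getPopen` as a separate step. If more than one AnsibleJob can run at a time (not visible in this diff), a second job's `setMountsMap` between those two calls would make the first job start with the other job's mounts, including a trusted job's read-write paths appearing in an untrusted context. Passing the lists to `getPopen` through its existing `**kwargs`, or holding a lock across the pair of calls, would remove the dependence on driver-wide state. At minimum add a comment on the method: `# NOTE: mounts_map is driver-wide; setMountsMap/getPopen must not interleave across jobs`. The body of `getPopen` lies outside the hunk, so how `mounts_map` is consumed there should be confirmed.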
@@ -1467,20 +1467,20 @@ class AnsibleJob(object): opt_prefix = 'trusted' else: opt_prefix = 'untrusted' - ro_dirs = get_default(self.executor_server.config, 'executor', - '%s_ro_dirs' % opt_prefix) - rw_dirs = get_default(self.executor_server.config, 'executor', - '%s_rw_dirs' % opt_prefix) - ro_dirs = ro_dirs.split(":") if ro_dirs else [] - rw_dirs = rw_dirs.split(":") if rw_dirs else [] + ro_paths = get_default(self.executor_server.config, 'executor', + '%s_ro_paths' % opt_prefix) + rw_paths = get_default(self.executor_server.config, 'executor', + '%s_rw_paths' % opt_prefix) + ro_paths = ro_paths.split(":") if ro_paths else [] + rw_paths = rw_paths.split(":") if rw_paths else [] - ro_dirs.append(self.executor_server.ansible_dir) + ro_paths.append(self.executor_server.ansible_dir) if self.executor_variables_file: - ro_dirs.append(self.executor_variables_file) + ro_paths.append(self.executor_variables_file) - self.executor_server.execution_wrapper.setMountsMap(ro_dirs, - rw_dirs) + self.executor_server.execution_wrapper.setMountsMap(ro_paths, + rw_paths) popen = self.executor_server.execution_wrapper.getPopen( work_dir=self.jobdir.root,
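Review bot: The lookups of `'%s_ro_paths'` and `'%s_rw_paths'` replace the old `_dirs` option names outright, so an existing zuul.conf that still sets `trusted_ro_dirs` or `untrusted_rw_dirs` is silently ignored and the job starts without those mounts. Falling back to the old option name when the new one is unset, with a logged deprecation warning, would make the rename visible to operators. This assumes `get_default` returns a falsy value for a missing option, as the `if ro_paths else []` test suggests. Separately, `split(":")` keeps empty entries from a trailing or doubled colon and hands them to the wrapper as paths; `ro_paths = [p for p in ro_paths.split(":") if p] if ro_paths else []` (and the same for `rw_paths`) filters them out. The enclosing method begins and ends outside this hunk.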