cgroups.7: Soften the discussion about delegation in cgroups v1

Balbir pointed out that v1 delegation was not an accidental
feature.

Reported-by: Balbir Singh <bsingharora@gmail.com>
Reported-by: Marcus Gelderie <redmnic@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2019-01-23 21:24:06 +01:00
parent e366c4d48d
commit 87b18a8b63
1 changed files with 5 additions and 3 deletions


@ -874,9 +874,10 @@ The default value in this file is
In the context of cgroups,
delegation means passing management of some subtree
of the cgroup hierarchy to a nonprivileged process.
Cgroups v1 provides support for delegation that was
accidental and not fully secure.
Cgroups v2 supports delegation by explicit design.
Cgroups v1 provides support for delegation based on file permissions
in the cgroup hierarchy but with less strict containment rules than v2
(as noted below).
Cgroups v2 supports delegation with containment by explicit design.
.PP
Some terminology is required in order to describe delegation.
A
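Review bot: the replacement text's "(as noted below)" is a forward reference with no named target, so a reader of the delegation paragraph cannot tell which later statement it means; the only v1-specific containment caveat this patch adds is the parenthetical in the later hunk about the nearest-common-ancestor write-permission check not being enforced on v1 hierarchies. Consider naming that explicitly, e.g. "(in particular, the write-permission requirement on the nearest common ancestor described below is not enforced)", so the "less strict containment rules" claim is tied to a concrete rule rather than left for the reader to locate. The dropped wording "not fully secure" was blunt, but the new text should still make clear to someone delegating under v1 that file permissions are the only control they get.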
@ -1087,6 +1088,7 @@ The writer has write permission on the
file in the nearest common ancestor of the source and destination cgroups.
Note that in some cases,
the nearest common ancestor may be the source or destination cgroup itself.
(This requirement is not enforced for cgroups v1 hierarchies.)
.IP *
If the cgroup v2 filesystem was mounted with the
.I nsdelegate
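Review bot: the added parenthetical "(This requirement is not enforced for cgroups v1 hierarchies.)" is placed after the "Note that in some cases, the nearest common ancestor may be the source or destination cgroup itself" aside, so it reads as if it qualifies that note rather than the write-permission requirement on the nearest common ancestor stated above it. Consider moving it directly after the sentence that states the requirement, or rewording to remove the ambiguity, e.g. "(Cgroups v1 does not enforce the nearest-common-ancestor write-permission requirement.)". Since this list goes on to describe v2-only behaviour such as the nsdelegate mount option, making the v1 remark self-contained also keeps it from being read as part of the v2 rule set.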