From 87b18a8b6375c62fc0ba6ca825e55176d91a47a3 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Wed, 23 Jan 2019 21:24:06 +0100 Subject: [PATCH] cgroups.7: Soften the discussion about delegation in cgroups v1 Balbir pointed out that v1 delegation was not an accidental feature. Reported-by: Balbir Singh Reported-by: Marcus Gelderie Signed-off-by: Michael Kerrisk --- man7/cgroups.7 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/man7/cgroups.7 b/man7/cgroups.7 index b6ea3b025..339961108 100644 --- a/man7/cgroups.7 +++ b/man7/cgroups.7 @@ -874,9 +874,10 @@ The default value in this file is In the context of cgroups, delegation means passing management of some subtree of the cgroup hierarchy to a nonprivileged process. -Cgroups v1 provides support for delegation that was -accidental and not fully secure. -Cgroups v2 supports delegation by explicit design. +Cgroups v1 provides support for delegation based on file permissions +in the cgroup hierarchy but with less strict containment rules than v2 +(as noted below). +Cgroups v2 supports delegation with containment by explicit design. .PP Some terminology is required in order to describe delegation. A @@ -1087,6 +1088,7 @@ The writer has write permission on the file in the nearest common ancestor of the source and destination cgroups. Note that in some cases, the nearest common ancestor may be the source or destination cgroup itself. +(This requirement is not enforced for cgroups v1 hierarchies.) .IP * If the cgroup v2 filesystem was mounted with the .I nsdelegate
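Review bot: In the first hunk, "with less strict containment rules than v2 (as noted below)" leaves the reader to hunt for where the difference is actually spelled out; since the only concrete v1 exception introduced by this patch is the common-ancestor requirement in the migration rules, name that rule here rather than pointing vaguely "below", e.g. "(in particular, cgroups v1 does not require write permission on the common ancestor when moving a process; see the migration rules below)". Stating the consequence would also preserve the security point that the softened wording drops: under v1, a delegatee with write access to a cgroup.procs file can pull processes into its subtree from cgroups outside it without any permission check on the ancestor that contains both, which is exactly the containment v2 adds by design.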
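Review bot: In the second hunk, the parenthetical "(This requirement is not enforced for cgroups v1 hierarchies.)" is inserted into a bulleted list whose very next item is explicitly v2-only ("If the cgroup v2 filesystem was mounted with the nsdelegate ..."), so it is unclear to the reader whether the other items in this list (the write-permission requirement on the destination, and the nsdelegate rule) are meant to describe v1 as well and this one is the lone exception, or whether the whole list is v2-specific and this sentence is an aside. Either introduce the list with a sentence saying which rules apply to both versions, or move the v1 statement to the v1 delegation discussion that the first hunk references with "as noted below", so the two hunks point at each other consistently.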