| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2019-01-23 21:24:06 +0100 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2019-01-23 22:17:17 +0100 |
| commit | 87b18a8b6375c62fc0ba6ca825e55176d91a47a3 (patch) | |
| tree | 60e7a2d34817ada38a513c0a98c37980e95d2849 /man7/cgroups.7 | |
| parent | e366c4d48dae9a4e0c735b3a0cd802a8780be7be (diff) | |
| download | man-pages-87b18a8b6375c62fc0ba6ca825e55176d91a47a3.tar.gz | |
cgroups.7: Soften the discussion about delegation in cgroups v1
Balbir pointed out that v1 delegation was not an accidental
feature.
Reported-by: Balbir Singh <bsingharora@gmail.com>
Reported-by: Marcus Gelderie <redmnic@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/cgroups.7')
| -rw-r--r-- | man7/cgroups.7 | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/man7/cgroups.7 b/man7/cgroups.7 index b6ea3b0250..3399611084 100644 --- a/man7/cgroups.7 +++ b/man7/cgroups.7 @@ -874,9 +874,10 @@ The default value in this file is In the context of cgroups, delegation means passing management of some subtree of the cgroup hierarchy to a nonprivileged process. -Cgroups v1 provides support for delegation that was -accidental and not fully secure. -Cgroups v2 supports delegation by explicit design. +Cgroups v1 provides support for delegation based on file permissions +in the cgroup hierarchy but with less strict containment rules than v2 +(as noted below). +Cgroups v2 supports delegation with containment by explicit design. .PP Some terminology is required in order to describe delegation. A @@ -1087,6 +1088,7 @@ The writer has write permission on the file in the nearest common ancestor of the source and destination cgroups. Note that in some cases, the nearest common ancestor may be the source or destination cgroup itself. +(This requirement is not enforced for cgroups v1 hierarchies.) .IP * If the cgroup v2 filesystem was mounted with the .I nsdelegate |
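Review bot: In the first hunk (@@ -874,9 +874,10 @@), the forward reference "(as noted below)" does not say where to look. The only v1-specific note visible in this patch is the parenthetical added in the second hunk, roughly 200 lines further down the page. Name the rule or the section instead, for example "(see the containment rules for delegation, below)". The rewrite also drops the removed wording "not fully secure" without saying what "less strict containment rules than v2" means in practice. A sentence on what a v1 delegatee can do that a v2 delegatee cannot would keep that security caveat visible to someone deciding whether to delegate a v1 hierarchy to a nonprivileged process.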
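Review bot: In the second hunk (@@ -1087,6 +1088,7 @@), the added "(This requirement is not enforced for cgroups v1 hierarchies.)" follows the "Note that in some cases, the nearest common ancestor may be the source or destination cgroup itself." sentence, so "This requirement" can be read as referring to that note rather than to the write-permission check on the nearest common ancestor. Move the parenthetical directly after the sentence that states the requirement, or name the requirement in it, for example "(The common-ancestor write-permission requirement is not enforced for cgroups v1 hierarchies.)". Since the first hunk defers to this spot for the v1/v2 difference, it would also help to state the consequence for containment here rather than only that the check is absent.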
