From 183dd28c289fd36ae37b597d34093014d3dd0698 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 23 Sep 2021 16:02:44 +1000 Subject: [PATCH] chown cgroup only when new cgroupns also specified --- config-linux.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config-linux.md b/config-linux.md index a6fcfee61..d01f88e08 100644 --- a/config-linux.md +++ b/config-linux.md @@ -206,6 +206,11 @@ Runtimes SHOULD NOT change the ownership of container cgroups when cgroups v1 is in use. Cgroup delegation is not secure in cgroups v1. +A runtime SHOULD NOT change the ownership of a container cgroup +unless it will also create a new cgroup namespace for the container. +Typically this occurs when the `linux.namespaces` array contains an +object with `type` equal to `"cgroup"` and `path` unset. + Runtimes SHOULD change the cgroup ownership if and only if the cgroup filesystem is to be mounted read/write; that is, when the configuration's `mounts` array contains an object where:
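Review bot: the added paragraph conflicts with the unchanged "if and only if" sentence that immediately follows it in config-linux.md. The new text says a runtime SHOULD NOT change cgroup ownership unless it also creates a new cgroup namespace, while the next paragraph still says runtimes SHOULD change ownership "if and only if the cgroup filesystem is to be mounted read/write"; a configuration with a read/write cgroup mount but no `"cgroup"` namespace entry now satisfies one SHOULD and violates the other. Suggest folding both conditions into one normative statement, e.g. "Runtimes SHOULD change the cgroup ownership only if both of the following hold: a new cgroup namespace is created for the container, and the cgroup filesystem is mounted read/write", and dropping the standalone "if and only if". Two smaller points: "Typically this occurs when" reads as informative rather than normative, so it is unclear whether the `linux.namespaces` object with `type` equal to `"cgroup"` and `path` unset is the sole trigger or just an example (the preceding cgroups v1 paragraph states its condition and its reason plainly, and this one should too); and the hunk gives no rationale, so a one-line reason in the style of "Cgroup delegation is not secure in cgroups v1" would help implementers understand why ownership must be tied to a fresh cgroup namespace.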