+ * 3. cgroup core doesn't allow tasks to be migrated by users that have + * write access to two subtrees unless they also have write access to + * the common ancestor of the two subtrees. Thus you cannot use a + * complicit process in less restrictive cgroup to overcome your own + * cgroup restriction.
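Review bot: point 3 of this comment states a security guarantee (a user with write access to two subtrees cannot migrate tasks between them without also having write access to their common ancestor) that, per the follow-up in this thread, is not actually enforced on cgroupv1 hierarchies. Either qualify the comment to say which hierarchies enforce the common-ancestor check, or land it together with the follow-up patch that makes the check apply to all hierarchies, so the comment does not document a restriction the core does not yet provide.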
It appears this restriction isn't actually being applied on cgroupv1. I'll send an updated patch which makes sure the cgroup.proc common ancestor restriction is enforced for all hierarchies.
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/