+ * 3. cgroup core doesn't allow tasks to be migrated by users that have + * write access to two subtrees unless they also have write access to + * the common ancestor of the two subtrees. Thus you cannot use a + * complicit process in less restrictive cgroup to overcome your own + * cgroup restriction.
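Review bot: Point 3 of this comment states the common-ancestor write-access rule as an unconditional property of "cgroup core", without saying which hierarchies it holds for or where the check lives. The safety claim in its last sentence ("Thus you cannot use a complicit process ...") depends entirely on that rule, so the comment should name the check it relies on and the hierarchies it covers, or the patch should enforce the rule itself rather than assume it. On wording, "in less restrictive cgroup" is missing an article ("in a less restrictive cgroup"), and the first sentence would read more clearly stated positively: a user with write access to two subtrees can only migrate tasks between them if they also have write access to the common ancestor.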
It appears this restriction isn't actually being applied on cgroupv1. I'll send an updated patch which makes sure the cgroup.proc common ancestor restriction is enforced for all hierarchies.
-- Aleksa Sarai Software Engineer (Containers) SUSE Linux GmbH https://www.cyphar.com/