diff --git a/config-linux.md b/config-linux.md index a6fcfee61..d01f88e08 100644 --- a/config-linux.md +++ b/config-linux.md @@ -206,6 +206,11 @@ Runtimes SHOULD NOT change the ownership of container cgroups when cgroups v1 is in use. Cgroup delegation is not secure in cgroups v1. +A runtime SHOULD NOT change the ownership of a container cgroup +unless it will also create a new cgroup namespace for the container. +Typically this occurs when the `linux.namespaces` array contains an +object with `type` equal to `"cgroup"` and `path` unset. + Runtimes SHOULD change the cgroup ownership if and only if the cgroup filesystem is to be mounted read/write; that is, when the configuration's `mounts` array contains an object where:
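Review bot: the added `SHOULD NOT ... unless it will also create a new cgroup namespace` paragraph and the unchanged paragraph right after it (`Runtimes SHOULD change the cgroup ownership if and only if the cgroup filesystem is to be mounted read/write`) now state two independent conditions for the same action, and the "if and only if" wording reads as if the read/write mount were the sole condition. Consider folding the new condition into that paragraph, e.g. "Runtimes SHOULD change the cgroup ownership if and only if a new cgroup namespace is created for the container and the cgroup filesystem is to be mounted read/write; that is, when ...", so an implementer cannot satisfy one SHOULD while violating the other. The v1 paragraph above gives its rationale in one sentence (`Cgroup delegation is not secure in cgroups v1`); a matching sentence explaining why ownership must not be handed over without a cgroup namespace would make the new requirement equally self-explanatory. The "Typically this occurs when ..." sentence is a helpful non-normative hint; if it is meant to be the only way to satisfy the condition, say so, otherwise "Typically" is fine as written.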