diff --git a/config-linux.md b/config-linux.md
index b4f8b7c67..c427748a0 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -171,6 +171,14 @@ Also known as cgroups, they are used to restrict resource usage for a container
 cgroups provide controls (through controllers) to restrict cpu, memory, IO, pids, network and RDMA resources for the container.
 For more information, see the [kernel cgroups documentation][cgroup-v1].
 
+A runtime MAY refuse to create or start a new container, or a process inside an
+existing container, if its cgroup (the one which the container process is to be
+put in) is considered not fit for purpose. Examples include an existing frozen
+or (for a new container) non-empty cgroup. The reason for this is that
+accepting such configurations could cause container operation outcomes that
+users may not anticipate or understand, such as operation on one container
+inadvertently affecting other containers.
+
 ### <a name="configLinuxCgroupsPath" />Cgroups Path
 
 **`cgroupsPath`** (string, OPTIONAL) path to the cgroups.