man: document that most sandboxing options are best effort only 9852/head
authorLennart Poettering <lennart@poettering.net>
Fri, 10 Aug 2018 13:26:32 +0000 (15:26 +0200)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 21 Aug 2018 18:00:33 +0000 (20:00 +0200)
man/systemd.exec.xml

index 0b650fc67a659100d3aefbd81c4a77b49adf64cc..4cee4a508af91d77dcd4b5247048ead07d6b748c 100644 (file)
@@ -750,6 +750,15 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
   <refsect1>
     <title>Sandboxing</title>
 
+    <para>The following sandboxing options are an effective way to limit the exposure of the system towards the unit's
+    processes. It is recommended to turn on as many of these options for each unit as is possible without negatively
+    affecting the process' ability to operate. Note that many of these sandboxing features are gracefully turned off on
+    systems where the underlying security mechanism is not available. For example, <varname>ProtectSystem=</varname>
+    has no effect if the kernel is built without file system namespacing or if the service manager runs in a container
+    manager that makes file system namespacing unavailable to its payload. Similar,
+    <varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering,
+    or in containers where support for this is turned off.</para>
+
     <variablelist>
 
       <varlistentry>