man: document that too strict system call filters may affect the service manager

author Lennart Poettering <lennart@poettering.net>

Tue, 25 Oct 2016 14:08:38 +0000 (16:08 +0200)

committer Lennart Poettering <lennart@poettering.net>

Wed, 2 Nov 2016 14:55:24 +0000 (08:55 -0600)
author Lennart Poettering <lennart@poettering.net>
Tue, 25 Oct 2016 14:08:38 +0000 (16:08 +0200)
committer Lennart Poettering <lennart@poettering.net>
Wed, 2 Nov 2016 14:55:24 +0000 (08:55 -0600)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml

index 7daa3ae78ea875ba283e7e158d36a13fb6fa3d52..3c350df11fb1c3aa0602abf9047e313e3dd74577 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1270,6 +1270,14 @@
          filter is reset, all prior assignments will have no effect. This does not affect commands prefixed with
          <literal>+</literal>.</para>
  
+        <para>Note that strict system call filters may impact execution and error handling code paths of the service
+        invocation. Specifically, access to the <function>execve</function> system call is required for the execution
+        of the service binary — if it is blocked service invocation will necessarily fail. Also, if execution of the
+        service binary fails for some reason (for example: missing service executable), the error handling logic might
+        require access to an additional set of system calls in order to process and log this failure correctly. It
+        might be necessary to temporarily disable system call filters in order to simplify debugging of such
+        failures.</para>
+
          <para>If you specify both types of this option (i.e.
          whitelisting and blacklisting), the first encountered will
          take precedence and will dictate the default action
author	Lennart Poettering <lennart@poettering.net>
	Tue, 25 Oct 2016 14:08:38 +0000 (16:08 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Wed, 2 Nov 2016 14:55:24 +0000 (08:55 -0600)