git.ipfire.org Git - thirdparty/systemd.git/commitdiff
man: document that various sandboxing settings are not available in --user services
author Lennart Poettering <lennart@poettering.net>
Mon, 29 Oct 2018 19:24:06 +0000 (20:24 +0100)
committer Lennart Poettering <lennart@poettering.net>
Tue, 30 Oct 2018 14:30:18 +0000 (15:30 +0100)
This is brief and doesn't go into detail, but should at least indicate
to those searching for it that some stuff is not available.

Fixes: #9870
man/systemd.exec.xml

index 5c043497bbe1da7fb90867df9f4209330d3e1048..d6f1427dcc19c3545b7c3e5558bf074b36b5cac2 100644 (file)
@@ -759,6 +759,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
     <varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering,
     or in containers where support for this is turned off.</para>
 
+    <para>Also note that some sandboxing functionality is generally not available in user services (i.e. services run
+    by the per-user service manager). Specifically, the various settings requiring file system namespacing support
+    (such as <varname>ProtectSystem=</varname>) are not available, as the underlying kernel functionality is only
+    accessible to privileged processes.</para>
+
     <variablelist>
 
       <varlistentry>
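Review bot: The new paragraph names only <varname>ProtectSystem=</varname> as an example and otherwise leaves the affected settings implicit ("the various settings requiring file system namespacing support"), so a reader who looks up a different sandboxing option in a user unit still gets no signal that it will not work; consider enumerating the affected settings explicitly, or marking each affected setting's own entry in the <variablelist> below with a one-line note. It would also help to state what the per-user service manager actually does when such a setting appears in a user unit (whether it is silently ignored, logged, or causes the unit to fail), since that is what someone debugging a user service will want to know.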