From: Lennart Poettering Date: Fri, 10 Aug 2018 13:26:32 +0000 (+0200) Subject: man: document that most sandboxing options are best effort only X-Git-Tag: v240~818^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2d2224e407c553d68c2b556f3abc8225f68ad803;p=thirdparty%2Fsystemd.git man: document that most sandboxing options are best effort only --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 0b650fc67a6..4cee4a508af 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -750,6 +750,15 @@ CapabilityBoundingSet=~CAP_B CAP_C Sandboxing + The following sandboxing options are an effective way to limit the exposure of the system towards the unit's + processes. It is recommended to turn on as many of these options for each unit as is possible without negatively + affecting the process' ability to operate. Note that many of these sandboxing features are gracefully turned off on + systems where the underlying security mechanism is not available. For example, ProtectSystem= + has no effect if the kernel is built without file system namespacing or if the service manager runs in a container + manager that makes file system namespacing unavailable to its payload. Similar, + RestrictRealtime= has no effect on systems that lack support for SECCOMP system call filtering, + or in containers where support for this is turned off. +
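Review bot: "Similar, RestrictRealtime= has no effect on systems ..." should read "Similarly, RestrictRealtime= ...", and "the process' ability to operate" is more naturally "the processes' ability to operate", since the sentence refers to "the unit's processes" in the plural. On substance, the paragraph says these features are "gracefully turned off" when the kernel or the container manager lacks support, but it never tells the reader how to find out that this has happened: a unit that sets ProtectSystem= or RestrictRealtime= can end up running with less confinement than its unit file declares, which is precisely the case an administrator relying on these options as a security boundary needs to detect. The commit subject calls the options "best effort only", yet the added text does not use that phrase; consider saying so explicitly, and adding a sentence on how to verify the sandboxing that is actually in effect for a running unit, rather than leaving the degradation silent.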