From: Lennart Poettering Date: Mon, 29 Oct 2018 19:24:06 +0000 (+0100) Subject: man: document that various sandboxing settings are not available in --user services X-Git-Tag: v240~441^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d287820dec4e6608348256642e991a89b0cc9007;p=thirdparty%2Fsystemd.git man: document that various sandboxing settings are not available in --user services This is brief and doesn't go into detail, but should at least indicate to those searching for it that some stuff is not available. Fixes: #9870 --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 5c043497bbe..d6f1427dcc1 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -759,6 +759,11 @@ CapabilityBoundingSet=~CAP_B CAP_C RestrictRealtime= has no effect on systems that lack support for SECCOMP system call filtering, or in containers where support for this is turned off. + Also note that some sandboxing functionality is generally not available in user services (i.e. services run + by the per-user service manager). Specifically, the various settings requiring file system namespacing support + (such as ProtectSystem=) are not available, as the underlying kernel functionality is only + accessible to privileged processes. +
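Review bot: the added paragraph names only "the various settings requiring file system namespacing support (such as ProtectSystem=)", so a reader who looks up one of the other affected options (the hunk gives no list) will not find this caveat; consider enumerating the affected settings here, or adding a one-line note to each affected setting's own description, and replacing "generally not available" with a definite "not available" so the text does not read as if it sometimes works. The sentence "the underlying kernel functionality is only accessible to privileged processes" would also be clearer if it stated that the per-user service manager runs unprivileged, which is the reason the kernel functionality cannot be used there.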