From 1ce8de2d93066d29e57ca2bb9cc0e0ff321f2043 Mon Sep 17 00:00:00 2001
From: Tim Duesterhus
Date: Tue, 27 Feb 2018 20:19:03 +0100
Subject: [PATCH] MINOR: systemd: Add section for SystemD sandboxing to unit file

This commit adds a warning for settings that possibly provide better sandboxing and explains their tradeoffs.
---
 contrib/systemd/haproxy.service.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
index 804be3583c..5d8eecf06b 100644
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in
@@ -12,5 +12,11 @@ KillMode=mixed
 Restart=always
 Type=notify
 
+# The following lines leverage SystemD's sandboxing options to provide
+# defense in depth protection at the expense of restricting some flexibility
+# in your setup (e.g. placement of your configuration files) or possibly
+# reduced performance. See systemd.service(5) and systemd.exec(5) for further
+# information.
+
 [Install]
 WantedBy=multi-user.target
-- 
2.47.3
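Review bot: The added comment announces "The following lines", but this hunk adds no directive after it, so the generated unit carries a sandboxing header followed directly by a blank line and `[Install]`. Unless a later patch fills the block in, an administrator reading the installed unit could assume hardening is in effect when none is. Either land the first directive in the same commit or word the opening conditionally, e.g. `# Sandboxing directives placed below (none are enabled yet) provide`. Anything added here has to stay above `[Install]` to remain in the service section, whose header lies outside this hunk, and the comment could say so. The project's own spelling is `systemd`, not `SystemD`.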