man: document that most sandboxing options are best effort only

2018-08-10 15:26:32 +02:00 · 2018-08-10 15:26:32 +02:00 · 2d2224e407
parent 1beab8b0d0
commit 2d2224e407
1 changed files with 9 additions and 0 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -750,6 +750,15 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
  <refsect1>
    <title>Sandboxing</title>

+    <para>The following sandboxing options are an effective way to limit the exposure of the system towards the unit's
+    processes. It is recommended to turn on as many of these options for each unit as is possible without negatively
+    affecting the process' ability to operate. Note that many of these sandboxing features are gracefully turned off on
+    systems where the underlying security mechanism is not available. For example, <varname>ProtectSystem=</varname>
+    has no effect if the kernel is built without file system namespacing or if the service manager runs in a container
+    manager that makes file system namespacing unavailable to its payload. Similar,
+    <varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering,
+    or in containers where support for this is turned off.</para>
+
    <variablelist>

      <varlistentry>