From 2d2224e407c553d68c2b556f3abc8225f68ad803 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 10 Aug 2018 15:26:32 +0200
Subject: [PATCH] man: document that most sandboxing options are best effort
 only

---
 man/systemd.exec.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 0b650fc67a..4cee4a508a 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -750,6 +750,15 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
   <refsect1>
     <title>Sandboxing</title>
 
+    <para>The following sandboxing options are an effective way to limit the exposure of the system towards the unit's
+    processes. It is recommended to turn on as many of these options for each unit as is possible without negatively
+    affecting the process' ability to operate. Note that many of these sandboxing features are gracefully turned off on
+    systems where the underlying security mechanism is not available. For example, <varname>ProtectSystem=</varname>
+    has no effect if the kernel is built without file system namespacing or if the service manager runs in a container
+    manager that makes file system namespacing unavailable to its payload. Similar,
+    <varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering,
+    or in containers where support for this is turned off.</para>
+
     <variablelist>
 
       <varlistentry>