author: Lennart Poettering <lennart@poettering.net> 2018-08-10 15:26:32 +0200
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2018-08-21 20:00:33 +0200
commit: 2d2224e407c553d68c2b556f3abc8225f68ad803
tree: 638bcfdb0825a4840ac5dad7ee78161a827973c9 /man/systemd.exec.xml
parent: 1beab8b0d0ff2d7d1436b52d4a0c3d56dc908962
man: document that most sandboxing options are best effort only
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r--  man/systemd.exec.xml  9
1 files changed, 9 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 0b650fc67a..4cee4a508a 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -750,6 +750,15 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<refsect1>
<title>Sandboxing</title>
+ <para>The following sandboxing options are an effective way to limit the exposure of the system towards the unit's
+ processes. It is recommended to turn on as many of these options for each unit as is possible without negatively
+ affecting the process' ability to operate. Note that many of these sandboxing features are gracefully turned off on
+ systems where the underlying security mechanism is not available. For example, <varname>ProtectSystem=</varname>
+ has no effect if the kernel is built without file system namespacing or if the service manager runs in a container
+ manager that makes file system namespacing unavailable to its payload. Similar,
+ <varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering,
+ or in containers where support for this is turned off.</para>
+
<variablelist>
<varlistentry>
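Review bot: "Similar," at the start of the last added sentence should read "Similarly,", and "process' ability" should be "process's ability". Beyond wording, the paragraph says these features are "gracefully turned off" when the kernel or container manager lacks support, but does not say whether the service manager records that fact anywhere; since an administrator reading this will otherwise assume ProtectSystem= or RestrictRealtime= is in force wherever it is configured, consider adding a sentence on how to verify that a given option actually took effect on the running system, so silent degradation is not mistaken for enforcement.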