| field | value | date |
|---|---|---|
| author | Lennart Poettering <lennart@poettering.net> | 2018-10-29 20:24:06 +0100 |
| committer | Lennart Poettering <lennart@poettering.net> | 2018-10-30 15:30:18 +0100 |
| commit | d287820dec4e6608348256642e991a89b0cc9007 (patch) | |
| tree | 7e08c9ac635198a5c7b3abd3dca0fda5870a1800 /man/systemd.exec.xml | |
| parent | 48e6dd376313c92db06558e061121af8205b55ca (diff) | |
| download | systemd-d287820dec4e6608348256642e991a89b0cc9007.tar.gz, systemd-d287820dec4e6608348256642e991a89b0cc9007.tar.bz2, systemd-d287820dec4e6608348256642e991a89b0cc9007.zip | |
man: document that various sandboxing settings are not available in --user services
This is brief and doesn't go into detail, but should at least indicate
to those searching for it that some stuff is not available.
Fixes: #9870
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 5c043497bb..d6f1427dcc 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -759,6 +759,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> <varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering, or in containers where support for this is turned off.</para> + <para>Also note that some sandboxing functionality is generally not available in user services (i.e. services run + by the per-user service manager). Specifically, the various settings requiring file system namespacing support + (such as <varname>ProtectSystem=</varname>) are not available, as the underlying kernel functionality is only + accessible to privileged processes.</para> + <variablelist> <varlistentry> |
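Review bot: the added paragraph says "the various settings requiring file system namespacing support" but names only <varname>ProtectSystem=</varname> as an example, so a reader of a user-service unit still has to guess which other directives silently have no effect; either enumerate the affected settings here or add a short "not available in user services" sentence to each affected directive's own entry, so the limitation is visible where people actually look it up. The placement is also slightly odd: the new text sits under the RestrictRealtime= note about SECCOMP, which is a different mechanism from file system namespacing, so a separate lead-in or its own paragraph heading would make the two caveats easier to tell apart.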