mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
man: document that most sandboxing options are best effort only
This commit is contained in:
parent
1beab8b0d0
commit
2d2224e407
@ -750,6 +750,15 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<refsect1>
<title>Sandboxing</title>
<para>The following sandboxing options are an effective way to limit the exposure of the system towards the unit's
processes. It is recommended to turn on as many of these options for each unit as is possible without negatively
affecting the process' ability to operate. Note that many of these sandboxing features are gracefully turned off on
systems where the underlying security mechanism is not available. For example, <varname>ProtectSystem=</varname>
has no effect if the kernel is built without file system namespacing or if the service manager runs in a container
manager that makes file system namespacing unavailable to its payload. Similar,
<varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering,
or in containers where support for this is turned off.</para>
<variablelist>
<varlistentry>
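Review bot: the new paragraph states that these options are "gracefully turned off" when the kernel or container manager lacks support, but it does not say whether the service manager logs anything when that happens or whether a unit can be made to fail instead of starting without the protections it declares; since the commit's point is that sandboxing is best effort, one sentence making explicit that the unit still starts normally, and that an administrator should therefore not treat these directives as a guaranteed boundary on such systems, would make the caveat actionable rather than merely informative. Minor wording in the same paragraph: "Similar," should be "Similarly,", and because the subject is "the unit's processes" the possessive should read "processes' ability" rather than "process' ability".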