1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

man: document that most sandboxing options are best effort only

This commit is contained in:
Lennart Poettering 2018-08-10 15:26:32 +02:00 committed by Zbigniew Jędrzejewski-Szmek
parent 1beab8b0d0
commit 2d2224e407

View File

@ -750,6 +750,15 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<refsect1> <refsect1>
<title>Sandboxing</title> <title>Sandboxing</title>
<para>The following sandboxing options are an effective way to limit the exposure of the system towards the unit's
processes. It is recommended to turn on as many of these options for each unit as is possible without negatively
affecting the process' ability to operate. Note that many of these sandboxing features are gracefully turned off on
systems where the underlying security mechanism is not available. For example, <varname>ProtectSystem=</varname>
has no effect if the kernel is built without file system namespacing or if the service manager runs in a container
manager that makes file system namespacing unavailable to its payload. Similar,
<varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering,
or in containers where support for this is turned off.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>