mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
man: document that most sandboxing options are best effort only
This commit is contained in:
parent
1beab8b0d0
commit
2d2224e407
@ -750,6 +750,15 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<refsect1>
<refsect1>
<title>Sandboxing</title>
<title>Sandboxing</title>
<para>The following sandboxing options are an effective way to limit the exposure of the system towards the unit's
processes. It is recommended to turn on as many of these options for each unit as is possible without negatively
affecting the process' ability to operate. Note that many of these sandboxing features are gracefully turned off on
systems where the underlying security mechanism is not available. For example, <varname>ProtectSystem=</varname>
has no effect if the kernel is built without file system namespacing or if the service manager runs in a container
manager that makes file system namespacing unavailable to its payload. Similar,
<varname>RestrictRealtime=</varname> has no effect on systems that lack support for SECCOMP system call filtering,
or in containers where support for this is turned off.</para>
<variablelist>
<variablelist>
<varlistentry>
<varlistentry>
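Review bot: The new paragraph should say outright what the commit message says, that these options are best effort: as written it explains that features are "gracefully turned off" when the kernel or container manager lacks support, but it never states the consequence an administrator needs, namely that the unit still starts without any error or warning and therefore runs with less isolation than its unit file suggests, so the options must not be read as a hard guarantee. A sentence such as "These options are therefore best effort only; a unit is started normally even when one or more of them cannot be enforced." after "...turned off on systems where the underlying security mechanism is not available." would close that gap. Two wording points in the same paragraph: "Similar, <varname>RestrictRealtime=</varname> has no effect" should read "Similarly, ...", and "the process' ability to operate" should be "the processes' ability" to agree with "the unit's processes" in the first sentence.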