1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-29 21:55:36 +03:00
systemd/man/cgroup-sandboxing.xml
Luca Boccassi f2af682cd6 man: note that cgroup-based sandboxing is not bypassed by '+'
DeviceAllow= and others are applied to the whole cgroup via bpf, so
using '+' on an Exec line will not bypass them. Explain this in the
manpage.

Fixes https://github.com/systemd/systemd/issues/26035
2023-01-18 17:59:43 +00:00

17 lines
577 B
XML

<?xml version="1.0"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!--
SPDX-License-Identifier: LGPL-2.1-or-later
-->
<refsect1>
<para id="singular">This option cannot be bypassed by prefixing <literal>+</literal> to the executable path
in the service unit, as it applies to the whole control group.</para>
<para id="plural">These options cannot be bypassed by prefixing <literal>+</literal> to the executable path
in the service unit, as it applies to the whole control group.</para>
</refsect1>