author | Luca Boccassi <bluca@debian.org> | 2023-01-15 18:54:16 +0000 |
---|---|---|
committer | Luca Boccassi <luca.boccassi@gmail.com> | 2023-01-18 17:59:43 +0000 |
commit | f2af682cd6308f9b26035b83063e6aa8593e468c | |
tree | daae756d5864fc7978122d242752087be2b1ca82 | /man/systemd.exec.xml |
parent | db5310cfc19b5c7bd6aca840d652ee7d9b1ea649 | |
download | systemd-f2af682cd6308f9b26035b83063e6aa8593e468c.tar.gz | |
man: note that cgroup-based sandboxing is not bypassed by '+'
DeviceAllow= and others are applied to the whole cgroup via bpf, so
using '+' on an Exec line will not bypass them. Explain this in the
manpage.
Fixes https://github.com/systemd/systemd/issues/26035
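The distinction the commit message draws can be seen directly in a unit file. The following service is an added example written for this page, not code from the systemd tree; the unit name and the probe commands are constructed. It pairs one cgroup-level restriction (`DevicePolicy=`/`DeviceAllow=`, enforced by a BPF program attached to the unit's cgroup) with one per-process restriction (`ProtectSystem=`, implemented through a mount namespace) and runs probes both with and without the `+` prefix. It assumes a systemd host on the unified cgroup hierarchy; the same cgroup-wide enforcement is what the manpage hunk documents for `RestrictFileSystems=`.

```ini
# /etc/systemd/system/plus-prefix-demo.service
# Constructed example: shows which sandboxing layers survive the '+' prefix.
[Unit]
Description=Show that cgroup-level sandboxing is not bypassed by '+'

[Service]
Type=oneshot

# cgroup-level: a BPF device filter attached to the unit's cgroup.
# Every process in the cgroup is subject to it, '+' prefixed or not.
DevicePolicy=strict
DeviceAllow=/dev/null rw

# per-process: a read-only mount namespace set up for each spawned process.
# Lines prefixed with '+' skip this (and User=, CapabilityBoundingSet=, ...).
ProtectSystem=strict

# '+' line: runs with full privileges and no namespacing, so /usr is writable...
ExecStartPre=+/bin/sh -c 'test -w /usr && echo "+ line: /usr writable (ProtectSystem= skipped)"'

# ...but the device filter is still enforced: /dev/zero is not in DeviceAllow=,
# so opening it fails with EPERM even on a '+' line.
ExecStartPre=+/bin/sh -c 'head -c1 /dev/zero >/dev/null 2>&1 || echo "+ line: /dev/zero denied (DeviceAllow= still enforced)"'

# plain line: both layers apply.
ExecStart=/bin/sh -c 'test -w /usr || echo "plain line: /usr read-only (ProtectSystem= applied)"'
```

Start it with `systemctl start plus-prefix-demo.service` and read the three probe messages with `journalctl -u plus-prefix-demo.service`; `systemctl show -p DeviceAllow -p DevicePolicy plus-prefix-demo.service` confirms the cgroup settings are in effect. If a privileged helper on a `+` line really needs a device or filesystem that the unit's cgroup policy denies, the policy itself has to be widened (for example with an additional `DeviceAllow=` entry), since the prefix cannot lift it.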
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 3ee0484e94..0bb5569c33 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -2007,7 +2007,9 @@ RestrictFileSystems=ext4</programlisting> <para>Note that this setting might not be supported on some systems (for example if the LSM eBPF hook is not enabled in the underlying kernel or if not using the unified control group hierarchy). In that case this setting - has no effect.</para></listitem> + has no effect.</para> + + <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> |
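Review bot: the new `<xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>` points at a file that is not part of this diff (the diffstat is limited to man/systemd.exec.xml), so the manpage build now depends on `man/cgroup-sandboxing.xml` existing with an element whose id is `singular`; confirm it is added in the same commit, otherwise the XInclude fails at build time. The note is also only attached to the RestrictFileSystems= entry here, while the commit message's concern is the `+` prefix on Exec lines; a reader who looks up `+` where the prefix itself is documented will not see it, so a matching include or a one-line cross-reference at that spot would close the gap the linked issue describes.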