author: Luca Boccassi <bluca@debian.org> 2023-01-15 18:54:16 +0000
committer: Luca Boccassi <luca.boccassi@gmail.com> 2023-01-18 17:59:43 +0000
commit: f2af682cd6308f9b26035b83063e6aa8593e468c (patch)
tree: daae756d5864fc7978122d242752087be2b1ca82 /man/systemd.exec.xml
parent: db5310cfc19b5c7bd6aca840d652ee7d9b1ea649 (diff)
download: systemd-f2af682cd6308f9b26035b83063e6aa8593e468c.tar.gz
man: note that cgroup-based sandboxing is not bypassed by '+'
DeviceAllow= and others are applied to the whole cgroup via bpf, so using '+' on an Exec line will not bypass them. Explain this in the manpage. Fixes https://github.com/systemd/systemd/issues/26035
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r--man/systemd.exec.xml4
1 files changed, 3 insertions, 1 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 3ee0484e94..0bb5569c33 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -2007,7 +2007,9 @@ RestrictFileSystems=ext4</programlisting>
<para>Note that this setting might not be supported on some systems (for example if the LSM eBPF hook is
not enabled in the underlying kernel or if not using the unified control group hierarchy). In that case this setting
- has no effect.</para></listitem>
+ has no effect.</para>
+
+ <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
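Review bot: the new `<xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>` references a file and an xpointer id that are not visible in this diff, and the diffstat above is limited to man/systemd.exec.xml, so confirm that cgroup-sandboxing.xml is added in the same commit and defines the "singular" fragment; a dangling XInclude breaks the man page build rather than degrading gracefully. Also note that this hunk lands in the entry that already says the setting "has no effect" when the LSM eBPF hook or the unified cgroup hierarchy is unavailable; the included text about '+' not bypassing cgroup-based sandboxing should be worded so it is clearly conditional on the setting actually being in effect, otherwise a reader may conclude the restriction applies on systems where the paragraph just said it does not.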