man: note that cgroup-based sandboxing is not bypassed by '+' - systemd

diff options

author	Luca Boccassi <bluca@debian.org>	2023-01-15 19:54:16 +0100
committer	Luca Boccassi <luca.boccassi@gmail.com>	2023-01-18 18:59:43 +0100
commit	f2af682cd6308f9b26035b83063e6aa8593e468c (patch)
tree	daae756d5864fc7978122d242752087be2b1ca82 /.clusterfuzzlite
parent	Merge pull request #25790 from joshua-zivkovic/JZ/plotjson-main (diff)
download	systemd-f2af682cd6308f9b26035b83063e6aa8593e468c.tar.xz systemd-f2af682cd6308f9b26035b83063e6aa8593e468c.zip

man: note that cgroup-based sandboxing is not bypassed by '+'

DeviceAllow= and others are applied to the whole cgroup via bpf, so using '+' on an Exec line will not bypass them. Explain this in the manpage. Fixes https://github.com/systemd/systemd/issues/26035

Diffstat (limited to '.clusterfuzzlite')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: