man: note that cgroup-based sandboxing is not bypassed by '+'

DeviceAllow= and others are applied to the whole cgroup via bpf, so
using '+' on an Exec line will not bypass them. Explain this in the
manpage.

Fixes systemd#26035

man/cgroup-sandboxing.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+
+<!--
+  SPDX-License-Identifier: LGPL-2.1-or-later
+-->
+
+<refsect1>
+
+<para id="singular">This option cannot be bypassed by prefixing <literal>+</literal> to the executable path
+in the service unit, as it applies to the whole cgroup.</para>
+
+<para id="plural">These options cannot be bypassed by prefixing <literal>+</literal> to the executable path
+in the service unit, as it applies to the whole cgroup.</para>
+
+</refsect1>

man/systemd.resource-control.xml

@@ -638,6 +638,8 @@
           support is not enabled in the underlying kernel or container manager). These settings will have no effect in
           that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on
           them for IP security.</para>
+
+          <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
         </listitem>
       </varlistentry>
 
@@ -814,6 +816,8 @@ SocketBindDeny=any
 SocketBindAllow=ipv4:udp:10000-65535
 SocketBindDeny=any
 …</programlisting></para>
+
+          <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
         </listitem>
       </varlistentry>
 
@@ -860,6 +864,8 @@ RestrictNetworkInterfaces=eth1 eth2
 RestrictNetworkInterfaces=~eth1</programlisting>
           Programs in the unit will be only able to use the eth2 network interface.
           </para>
+
+          <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
         </listitem>
       </varlistentry>
 
@@ -912,6 +918,7 @@ DeviceAllow=block-loop
 DeviceAllow=/dev/loop-control
 …</programlisting></para>
 
+          <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
         </listitem>
       </varlistentry>
 
@@ -956,6 +963,8 @@ DeviceAllow=/dev/loop-control
               </listitem>
             </varlistentry>
           </variablelist>
+
+          <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>
         </listitem>
       </varlistentry>
 

man/systemd.service.xml

@@ -406,7 +406,7 @@
 
               <row>
                 <entry><literal>+</literal></entry>
-                <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines).</entry>
+                <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines). However, note that this will not bypass options that apply to the whole cgroup, such as <varname>DevicePolicy=</varname>, see <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the full list.</entry>
               </row>
 
               <row>