path: root/upstream/mageia-cauldron/man5/systemd.exec.5
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:51:52 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:51:52 +0000
commit: 4ad94864781f48b1a4b77f9cfb934622bf756ba1 (patch)
tree: 3900955c1886e6d2570fea7125ee1f01bafe876d /upstream/mageia-cauldron/man5/systemd.exec.5
parent: Adding upstream version 4.22.0. (diff)
Adding upstream version 4.23.0.
upstream/4.23.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'upstream/mageia-cauldron/man5/systemd.exec.5')
-rw-r--r-- upstream/mageia-cauldron/man5/systemd.exec.5 15
1 files changed, 14 insertions, 1 deletions
diff --git a/upstream/mageia-cauldron/man5/systemd.exec.5 b/upstream/mageia-cauldron/man5/systemd.exec.5
index 32439ce0..469948df 100644
--- a/upstream/mageia-cauldron/man5/systemd.exec.5
+++ b/upstream/mageia-cauldron/man5/systemd.exec.5
@@ -1532,6 +1532,12 @@ Also note that some sandboxing functionality is generally not available in user
\fIProtectSystem=\fR) are not available, as the underlying kernel functionality is only accessible to privileged processes\&. However, most namespacing settings, that will not work on their own in user services, will work when used in conjunction with
\fIPrivateUsers=\fR\fBtrue\fR\&.
.PP
+Note that the various options that turn directories read\-only (such as
+\fIProtectSystem=\fR,
+\fIReadOnlyPaths=\fR, \&...) do not affect the ability for programs to connect to and communicate with
+\fBAF_UNIX\fR
+sockets in these directores\&. These options cannot be used to lock down access to IPC services hence\&.
+.PP
\fIProtectSystem=\fR
.RS 4
Takes a boolean argument or the special values
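Review bot: typo in the last added line of the new paragraph: "directores" should be "directories". The closing sentence also ends on a dangling "hence"; "Hence these options cannot be used to lock down access to IPC services" reads better. Since the commit imports this file from upstream (path upstream/mageia-cauldron, "Adding upstream version 4.23.0"), the correction belongs upstream so that it survives the next import.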
@@ -1556,7 +1562,10 @@ and
\fIProtectKernelTunables=\fR,
\fIProtectControlGroups=\fR)\&. This setting ensures that any modification of the vendor\-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service\&. It is recommended to enable this setting for all long\-running services, unless they are involved with system updates or need to modify the operating system in other ways\&. If this option is used,
\fIReadWritePaths=\fR
-may be used to exclude specific directories from being made read\-only\&. This setting is implied if
+may be used to exclude specific directories from being made read\-only\&. Similar,
+\fIStateDirectory=\fR,
+\fILogsDirectory=\fR, \&... and related directory settings (see below) also exclude the specific directories from the effect of
+\fIProtectSystem=\fR\&. This setting is implied if
\fIDynamicUser=\fR
is set\&. This setting cannot ensure protection in all cases\&. In general it has the same limitations as
\fIReadOnlyPaths=\fR, see below\&. Defaults to off\&.
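Review bot: grammar in the replacement text after ReadWritePaths=: "Similar," should be "Similarly,". The list "StateDirectory=, LogsDirectory=, ... and related directory settings" is also redundant, since the ellipsis and "and related directory settings" say the same thing; keeping only one of them would be cleaner. The exclusion itself is worth a more prominent statement: a unit that sets both ProtectSystem= and one of these directory settings keeps a writable path, and the sentence is easy to miss in the middle of this long paragraph.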
@@ -3678,6 +3687,8 @@ separated by whitespace\&. See
for details on the journal field concept\&. Even though the underlying journal implementation permits binary field values, this setting accepts only valid UTF\-8 values\&. To include space characters in a journal field value, enclose the assignment in double quotes (")\&.
The usual specifiers are expanded in all assignments (see below)\&. Note that this setting is not only useful for attaching additional metadata to log records of a unit, but given that all fields and values are indexed may also be used to implement cross\-unit log record matching\&. Assign an empty string to reset the list\&.
.sp
+Note that this functionality is currently only available in system services, not in per\-user services\&.
+.sp
Added in version 236\&.
.RE
.PP
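Review bot: the added note ahead of "Added in version 236" says the functionality is "only available in system services" but does not say what happens when the setting appears in a per-user unit (rejected, warned about, or silently ignored). The paragraph above recommends these journal fields for cross-unit log record matching, so a silently missing field changes what a match returns; please state the behaviour explicitly. "This functionality" would also be clearer if it named the setting.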
@@ -3735,6 +3746,8 @@ is defined, meaning log messages coming from
\fBsystemd\fR(1)
about the unit are not taken into account\&. Filtered log messages won\*(Aqt be forwarded to traditional syslog daemons, the kernel log buffer (kmsg), the systemd console, or sent as wall messages to all logged\-in users\&.
.sp
+Note that this functionality is currently only available in system services, not in per\-user services\&.
+.sp
Added in version 253\&.
.RE
.PP
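Review bot: the added note ahead of "Added in version 253" leaves the security-relevant consequence implicit. The preceding sentence promises that filtered messages are not forwarded to syslog daemons, kmsg, the console or wall; if the filter is unavailable in per-user services, the note should say that such messages are then forwarded unfiltered, so nobody relies on it to keep sensitive log lines out of those sinks. The sentence is also a verbatim copy of the one added in the previous hunk; naming the setting in each would let them be read independently.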