author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:52:03 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:52:03 +0000
commit: 932e4432596447eb9331cc2a2bb74a26a35b4efc
tree: 95161711ea07fd64f0c82d6e7943024c033dd5a8 /upstream/mageia-cauldron/man5/systemd.resource-control.5
parent: Adding debian version 4.22.0-1.
Merging upstream version 4.23.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'upstream/mageia-cauldron/man5/systemd.resource-control.5')
-rw-r--r-- upstream/mageia-cauldron/man5/systemd.resource-control.5 | 15
1 files changed, 12 insertions, 3 deletions
diff --git a/upstream/mageia-cauldron/man5/systemd.resource-control.5 b/upstream/mageia-cauldron/man5/systemd.resource-control.5
index 3e1a9ae0..19e7171b 100644
--- a/upstream/mageia-cauldron/man5/systemd.resource-control.5
+++ b/upstream/mageia-cauldron/man5/systemd.resource-control.5
@@ -702,6 +702,8 @@ The system default for this setting may be controlled with
in
\fBsystemd-system.conf\fR(5)\&.
.sp
+Note that this functionality is currently only available for system services, not for per\-user services\&.
+.sp
Added in version 235\&.
.RE
.PP
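Review bot: the added sentence at +705 says "this functionality" without naming the setting, and "currently" carries no version, so a reader who lands on this paragraph cannot tell which directive is limited to system services or since when. It also does not say what happens when the setting is used in a per-user unit (rejected, warned about, or silently ignored), which matters to anyone relying on it as an enforced restriction. Suggest naming the setting in the sentence and stating the behaviour in user units.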
@@ -833,9 +835,9 @@ Added in version 235\&.
.PP
\fISocketBindAllow=\fR\fI\fIbind\-rule\fR\fR, \fISocketBindDeny=\fR\fI\fIbind\-rule\fR\fR
.RS 4
-Allow or deny binding a socket address to a socket by matching it with the
-\fIbind\-rule\fR
-and applying a corresponding action if there is a match\&.
+Configures restrictions on the ability of unit processes to invoke
+\fBbind\fR(2)
+on a socket\&. Both allow and deny rules may defined that restrict which addresses a socket may be bound to\&.
.sp
\fIbind\-rule\fR
describes socket properties such as
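Review bot: typo in the added line at +840: "Both allow and deny rules may defined" is missing "be". The rewrite also drops the removed wording's statement that an address is matched against the bind-rule and the corresponding action applied on a match, so this paragraph no longer says how a match is resolved; keep one sentence on that unless the text below the visible context already covers it.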
@@ -964,6 +966,11 @@ and
\fBcgroup/bind6\fR
cgroup\-bpf hooks\&.
.sp
+Note that these settings apply to any
+\fBbind\fR(2)
+system call invocation by the unit processes, regardless in which network namespace they are placed\&. Or in other words: changing the network namespace is not a suitable mechanism for escaping these restrictions on
+\fBbind()\fR\&.
+.sp
Examples:
.sp
.if n \{\
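Review bot: the wording of the added note at +969 to +972 needs tightening, since this is the sentence readers will rely on for the namespace guarantee. "regardless in which network namespace they are placed" should read "regardless of the network namespace they are placed in", and "Or in other words:" begins a sentence fragment that can be merged into the previous sentence. The closing reference is written as \fBbind()\fR while the same note uses \fBbind\fR(2) two lines earlier; use the man-page cross-reference form in both places.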
@@ -1190,6 +1197,8 @@ table inet filter {
.RE
.\}
.sp
+This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
Added in version 255\&.
.RE
.SS "BPF Programs"
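Review bot: the added sentence at +1200 states the same limitation as the note added at +705 but in different words ("only available for system services and is not supported for services running in per\-user instances of the service manager" versus "currently only available for system services, not for per\-user services"). Use one phrasing for both so readers and translators do not take them for two different restrictions, and name the option rather than "This option" so the sentence stands on its own after the long example block above it.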