Merging upstream version 4.23.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 25 insertions, 7 deletions

diff --git a/upstream/opensuse-leap-15-6/man5/systemd.exec.5 b/upstream/opensuse-leap-15-6/man5/systemd.exec.5
index d3ee2537..433926f4 100644
--- a/upstream/opensuse-leap-15-6/man5/systemd.exec.5
+++ b/upstream/opensuse-leap-15-6/man5/systemd.exec.5
@@ -435,7 +435,7 @@ file system of the host is bind mounted if this option is used without
 \fIPrivateDevices=\fR\&.
 .sp
 In order to allow propagating mounts at runtime in a safe manner,
-/run/systemd/propagate
+/run/systemd/propagate/
 on the host will be used to set up new mounts, and
 /run/host/incoming/
 in the private namespace will be used as an intermediate step to store them before being moved to the final mount point\&.
@@ -1354,11 +1354,11 @@ personalities but no others\&. The personality feature is useful when running 32
 .PP
 \fIIgnoreSIGPIPE=\fR
 .RS 4
-Takes a boolean argument\&. If true, causes
+Takes a boolean argument\&. If true,
 \fBSIGPIPE\fR
-to be ignored in the executed process\&. Defaults to true because
+is ignored in the executed process\&. Defaults to true since
 \fBSIGPIPE\fR
-generally is useful only in shell pipelines\&.
+is generally only useful in shell pipelines\&.
 .RE
 .SH "SCHEDULING"
 .PP
@@ -1835,7 +1835,13 @@ in order to provide writable subdirectories within read\-only directories\&. Use
 \fIReadWritePaths=\fR
 in order to allow\-list specific paths for write access if
 \fIProtectSystem=strict\fR
-is used\&.
+is used\&. Note that
+\fIReadWritePaths=\fR
+cannot be used to gain write access to a file system whose superblock is mounted read\-only\&. On Linux, for each mount point write access is granted only if the mount point itself
+\fIand\fR
+the file system superblock backing it are not marked read\-only\&.
+\fIReadWritePaths=\fR
+only controls the former, not the latter, hence a read\-only file system superblock remains protected\&.
 .sp
 Paths listed in
 \fIInaccessiblePaths=\fR
@@ -1889,6 +1895,11 @@ Note that the effect of these settings may be undone by privileged processes\&.
 or
 \fISystemCallFilter=~@mount\fR\&.
 .sp
+Please be extra careful when applying these options to API file systems (a list of them could be found in
+\fIMountAPIVPS=\fR), since they may be required for basic system functionalities\&. Moreover,
+/run/
+needs to be writable for setting up mount namespace and propagation\&.
+.sp
 Simple allow\-list example using these directives:
 .sp
 .if n \{\
@@ -3343,7 +3354,10 @@ for details) to have
 \fIAccept=yes\fR
 set, or to specify a single socket only\&. If this option is set, standard input will be connected to the socket the service was activated from, which is primarily useful for compatibility with daemons designed for use with the traditional
 \fBinetd\fR(8)
-socket activation daemon\&.
+socket activation daemon (\fI$LISTEN_FDS\fR
+(and related) environment variables are not passed when
+\fBsocket\fR
+value is configured)\&.
 .sp
 The
 \fBfd:\fR\fB\fIname\fR\fR
@@ -3908,7 +3922,11 @@ command line use
 \fIEnvironment=\fR
 line use
 "%d/mycred", e\&.g\&.
-"Environment=MYCREDPATH=%d/mycred"\&.
+"Environment=MYCREDPATH=%d/mycred"\&. For system services the path may also be referenced as
+"/run/credentials/\fIUNITNAME\fR"
+in cases where no interpolation is possible, e\&.g\&. configuration files of software that does not yet support credentials natively\&.
+\fI$CREDENTIALS_DIRECTORY\fR
+is considered the primary interface to look for credentials, though, since it also works for user services\&.
 .sp
 Currently, an accumulated credential size limit of 1 MB per unit is enforced\&.
 .sp