author    Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:52:03 +0000
committer Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:52:03 +0000
commit    932e4432596447eb9331cc2a2bb74a26a35b4efc (patch)
tree      95161711ea07fd64f0c82d6e7943024c033dd5a8 /upstream/opensuse-tumbleweed/man5/systemd.exec.5
parent    Adding debian version 4.22.0-1. (diff)
Merging upstream version 4.23.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'upstream/opensuse-tumbleweed/man5/systemd.exec.5')
-rw-r--r-- upstream/opensuse-tumbleweed/man5/systemd.exec.5 | 461
1 files changed, 301 insertions, 160 deletions
diff --git a/upstream/opensuse-tumbleweed/man5/systemd.exec.5 b/upstream/opensuse-tumbleweed/man5/systemd.exec.5
index 15e1c509..469948df 100644
--- a/upstream/opensuse-tumbleweed/man5/systemd.exec.5
+++ b/upstream/opensuse-tumbleweed/man5/systemd.exec.5
@@ -1,5 +1,5 @@
'\" t
-.TH "SYSTEMD\&.EXEC" "5" "" "systemd 254" "systemd.exec"
+.TH "SYSTEMD\&.EXEC" "5" "" "systemd 255" "systemd.exec"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -148,6 +148,8 @@ or
\fIPassEnvironment=\fR\&. Assigning an empty string removes previous assignments and setting
\fIExecSearchPath=\fR
to a value multiple times will append to the previous setting\&.
+.sp
+Added in version 250\&.
.RE
.PP
\fIWorkingDirectory=\fR
@@ -267,6 +269,8 @@ file will be made available for the service (read\-only) as
\fBsystemd-soft-reboot.service\fR(8)), in case the service is configured to survive it\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 233\&.
.RE
.PP
\fIRootImageOptions=\fR
@@ -289,6 +293,8 @@ Valid partition names follow the
\fBvar\fR\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 247\&.
.RE
.PP
\fIRootEphemeral=\fR
@@ -302,11 +308,15 @@ is used and the root directory is a subvolume, the ephemeral copy will be create
To make sure making ephemeral copies can be made efficiently, the root directory or root image should be located on the same filesystem as
/var/lib/systemd/ephemeral\-trees/\&. When using
\fIRootEphemeral=\fR
-with root directories, btrfs should be used as the filesystem and the root directory should ideally be a subvolume which
+with root directories,
+\fBbtrfs\fR(5)
+should be used as the filesystem and the root directory should ideally be a subvolume which
\fBsystemd\fR
can snapshot to make the ephemeral copy\&. For root images, a filesystem with support for reflinks should be used to ensure an efficient ephemeral copy\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 254\&.
.RE
.PP
\fIRootHash=\fR
@@ -333,6 +343,8 @@ file adjacent to the disk image\&. There\*(Aqs currently no option to configure
file system via the unit file directly\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 246\&.
.RE
.PP
\fIRootHashSignature=\fR
@@ -355,6 +367,8 @@ file adjacent to the disk image\&. There\*(Aqs currently no option to configure
via the unit file directly\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 246\&.
.RE
.PP
\fIRootVerity=\fR
@@ -371,6 +385,8 @@ This option is supported only for disk images that contain a single file system,
\m[blue]\fBDiscoverable Partitions Specification\fR\m[]\&\s-2\u[1]\d\s+2\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 246\&.
.RE
.PP
\fIRootImagePolicy=\fR, \fIMountImagePolicy=\fR, \fIExtensionImagePolicy=\fR
@@ -414,6 +430,8 @@ root=verity+signed+encrypted+unprotected+absent: \e
.if n \{\
.RE
.\}
+.sp
+Added in version 254\&.
.RE
.PP
\fIMountAPIVFS=\fR
@@ -439,6 +457,8 @@ In order to allow propagating mounts at runtime in a safe manner,
on the host will be used to set up new mounts, and
/run/host/incoming/
in the private namespace will be used as an intermediate step to store them before being moved to the final mount point\&.
+.sp
+Added in version 233\&.
.RE
.PP
\fIProtectProc=\fR
@@ -482,6 +502,8 @@ If the kernel doesn\*(Aqt support per\-mount point
mount options this setting remains without effect, and the unit\*(Aqs processes will be able to access and see other process as if the option was not used\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 247\&.
.RE
.PP
\fIProcSubset=\fR
@@ -509,6 +531,8 @@ this setting is gracefully disabled if the used kernel does not support the
"subset="
mount option of
"procfs"\&.
+.sp
+Added in version 247\&.
.RE
.PP
\fIBindPaths=\fR, \fIBindReadOnlyPaths=\fR
@@ -541,6 +565,8 @@ with
or
\fIProtectHome=tmpfs\fR
should be used instead\&.
+.sp
+Added in version 233\&.
.RE
.PP
\fIMountImages=\fR
@@ -599,6 +625,8 @@ below, as it may change the setting of
\fIDevicePolicy=\fR\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 247\&.
.RE
.PP
\fIExtensionImages=\fR
@@ -611,7 +639,9 @@ A read\-only OverlayFS will be set up on top of
/usr/
and
/opt/
-hierarchies\&. The order in which the images are listed will determine the order in which the overlay is laid down: images specified first to last will result in overlayfs layers bottom to top\&.
+hierarchies for sysext images and
+/etc/
+hierarchy for confext images\&. The order in which the images are listed will determine the order in which the overlay is laid down: images specified first to last will result in overlayfs layers bottom to top\&.
.sp
Mount options may be defined as a single comma\-separated list of options, in which case they will be implicitly applied to the root partition on the image, or a series of colon\-separated tuples of partition name and mount options\&. Valid partition names and mount options are the same as for
\fIRootImageOptions=\fR
@@ -625,8 +655,10 @@ Each mount definition may be prefixed with
.sp
These settings may be used more than once, each usage appends to the unit\*(Aqs list of image paths\&. If the empty string is assigned, the entire list of mount paths defined prior to this is reset\&.
.sp
-Each image must carry a
+Each sysext image must carry a
/usr/lib/extension\-release\&.d/extension\-release\&.IMAGE
+file while each confext image must carry a
+/etc/extension\-release\&.d/extension\-release\&.IMAGE
file, with the appropriate metadata which matches
\fIRootImage=\fR/\fIRootDirectory=\fR
or the host\&. See:
@@ -665,6 +697,8 @@ below, as it may change the setting of
\fIDevicePolicy=\fR\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 248\&.
.RE
.PP
\fIExtensionDirectories=\fR
@@ -677,7 +711,9 @@ A read\-only OverlayFS will be set up on top of
/usr/
and
/opt/
-hierarchies\&. The order in which the directories are listed will determine the order in which the overlay is laid down: directories specified first to last will result in overlayfs layers bottom to top\&.
+hierarchies for sysext images and
+/etc/
+hierarchy for confext images\&. The order in which the directories are listed will determine the order in which the overlay is laid down: directories specified first to last will result in overlayfs layers bottom to top\&.
.sp
Each directory listed in
\fIExtensionDirectories=\fR
@@ -686,8 +722,10 @@ may be prefixed with
.sp
These settings may be used more than once, each usage appends to the unit\*(Aqs list of directories paths\&. If the empty string is assigned, the entire list of mount paths defined prior to this is reset\&.
.sp
-Each directory must contain a
+Each sysext directory must contain a
/usr/lib/extension\-release\&.d/extension\-release\&.IMAGE
+file while each confext directory must carry a
+/etc/extension\-release\&.d/extension\-release\&.IMAGE
file, with the appropriate metadata which matches
\fIRootImage=\fR/\fIRootDirectory=\fR
or the host\&. See:
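Review bot: the verb changes mid-sentence in this hunk: `+Each sysext directory must contain a` but `+file while each confext directory must carry a`. Use one verb for both halves; "contain" reads better for directories ("carry" in the ExtensionImages= entry above is fine for images, but the two halves of a single sentence should match).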
@@ -700,6 +738,8 @@ This option is only available for system services, or for services running in pe
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 251\&.
.RE
.SH "USER/GROUP IDENTITY"
.PP
@@ -785,6 +825,8 @@ in order to assign a set of writable directories for specific purposes to the se
and be careful with
\fBAF_UNIX\fR
file descriptor passing for directory file descriptors, as this would permit processes to create files or directories owned by the dynamic user/group that are not subject to the lifecycle and access guarantees of the service\&. Note that this option is currently incompatible with D\-Bus policies, thus a service using this option may currently not allocate a D\-Bus service name (note that this does not affect calling into other D\-Bus services)\&. Defaults to off\&.
+.sp
+Added in version 232\&.
.RE
.PP
\fISupplementaryGroups=\fR
@@ -793,6 +835,23 @@ Sets the supplementary Unix groups the processes are executed as\&. This takes a
"+"\&.
.RE
.PP
+\fISetLoginEnvironment=\fR
+.RS 4
+Takes a boolean parameter that controls whether to set
+\fI$HOME\fR,
+\fI$LOGNAME\fR, and
+\fI$SHELL\fR
+environment variables\&. If unset, this is controlled by whether
+\fIUser=\fR
+is set\&. If true, they will always be set for system services, i\&.e\&. even when the default user
+"root"
+is used\&. If false, the mentioned variables are not set by systemd, no matter whether
+\fIUser=\fR
+is used or not\&. This option normally has no effect on user services, since these variables are typically inherited from user manager\*(Aqs own environment anyway\&.
+.sp
+Added in version 255\&.
+.RE
+.PP
\fIPAMName=\fR
.RS 4
Sets the PAM service name to set up a session as\&. If set, the executed process will be registered as a PAM session under the specified service name\&. This is only useful in conjunction with the
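Review bot: missing article in the last sentence of the new SetLoginEnvironment= entry: "since these variables are typically inherited from user manager\*(Aqs own environment anyway" should read "from the user manager\*(Aqs own environment". The rest of the entry is clear about the three modes (unset follows User=, true always sets the variables for system services, false never sets them).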
@@ -899,6 +958,8 @@ to retain the capabilities over the user change\&.
\fIAmbientCapabilities=\fR
does not affect commands prefixed with
"+"\&.
+.sp
+Added in version 229\&.
.RE
.SH "SECURITY"
.PP
@@ -906,26 +967,7 @@ does not affect commands prefixed with
.RS 4
Takes a boolean argument\&. If true, ensures that the service process and all its children can never gain new privileges through
\fBexecve()\fR
-(e\&.g\&. via setuid or setgid bits, or filesystem capabilities)\&. This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again\&. Defaults to false, but certain settings override this and ignore the value of this setting\&. This is the case when
-\fIDynamicUser=\fR,
-\fILockPersonality=\fR,
-\fIMemoryDenyWriteExecute=\fR,
-\fIPrivateDevices=\fR,
-\fIProtectClock=\fR,
-\fIProtectHostname=\fR,
-\fIProtectKernelLogs=\fR,
-\fIProtectKernelModules=\fR,
-\fIProtectKernelTunables=\fR,
-\fIRestrictAddressFamilies=\fR,
-\fIRestrictNamespaces=\fR,
-\fIRestrictRealtime=\fR,
-\fIRestrictSUIDSGID=\fR,
-\fISystemCallArchitectures=\fR,
-\fISystemCallFilter=\fR, or
-\fISystemCallLog=\fR
-are specified\&. Note that even if this setting is overridden by them,
-\fBsystemctl show\fR
-shows the original value of this setting\&. In case the service will be run in a new mount namespace anyway and SELinux is disabled, all file systems are mounted with
+(e\&.g\&. via setuid or setgid bits, or filesystem capabilities)\&. This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again\&. Defaults to false\&. In case the service will be run in a new mount namespace anyway and SELinux is disabled, all file systems are mounted with
\fBMS_NOSUID\fR
flag\&. Also see
\m[blue]\fBNo New Privileges Flag\fR\m[]\&\s-2\u[4]\d\s+2\&.
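Review bot: this hunk removes the only statement of which settings override NoNewPrivileges= (the DynamicUser= ... SystemCallLog= list and the "systemctl show shows the original value" caveat), and the matching "NoNewPrivileges=yes is implied" sentences are dropped from the ProtectHostname=, ProtectClock=, ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=, RestrictAddressFamilies=, RestrictNamespaces=, LockPersonality=, MemoryDenyWriteExecute=, RestrictRealtime= and RestrictSUIDSGID= entries further down, but nothing replaces them. If the implication no longer holds in 255, the entry should say so in one sentence, since unit authors who relied on it now have to set NoNewPrivileges=yes explicitly; if it still holds, the list should stay. As written the reader cannot tell which case applies.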
@@ -934,6 +976,8 @@ Note that this setting only has an effect on the unit\*(Aqs processes themselves
\fBat\fR(1),
\fBcrontab\fR(1),
\fBsystemd-run\fR(1), or arbitrary IPC services\&.
+.sp
+Added in version 187\&.
.RE
.PP
\fISecureBits=\fR
@@ -962,6 +1006,8 @@ may fail if the policy doesn\*(Aqt allow the transition for the non\-overridden
"+"\&. See
\fBsetexeccon\fR(3)
for details\&.
+.sp
+Added in version 209\&.
.RE
.PP
\fIAppArmorProfile=\fR
@@ -969,6 +1015,8 @@ for details\&.
Takes a profile name as argument\&. The process executed by the unit will switch to this profile when started\&. Profiles must already be loaded in the kernel, or the unit will fail\&. If prefixed by
"\-", all errors will be ignored\&. This setting has no effect if AppArmor is not enabled\&. This setting does not affect commands prefixed with
"+"\&.
+.sp
+Added in version 210\&.
.RE
.PP
\fISmackProcessLabel=\fR
@@ -982,6 +1030,8 @@ label, in which case the process will transition to run under that label\&. When
The value may be prefixed by
"\-", in which case all errors will be ignored\&. An empty value may be specified to unset previous assignments\&. This does not affect commands prefixed with
"+"\&.
+.sp
+Added in version 218\&.
.RE
.SH "PROCESS PROPERTIES"
.PP
@@ -1271,6 +1321,8 @@ CoredumpFilter=default private\-dax shared\-dax
.if n \{\
.RE
.\}
+
+Added in version 246\&.
.RE
.PP
\fIKeyringMode=\fR
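Review bot: inconsistent spacing markup here: an empty `+` line precedes `+Added in version 246\&.`, whereas every other insertion in this patch uses `.sp`, including the RootImagePolicy= hunk above that follows the same `.if n \{\ ... .RE .\}` block. Use `.sp` here as well so the "Added in version" lines render with the same spacing in all entries.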
@@ -1298,6 +1350,8 @@ to the newly created session keyring\&. Defaults to
for services of the system service manager and to
\fBinherit\fR
for non\-service units and for services of the user service manager\&.
+.sp
+Added in version 235\&.
.RE
.PP
\fIOOMScoreAdjust=\fR
@@ -1350,15 +1404,17 @@ personalities but no others\&. The personality feature is useful when running 32
(32\-bit only) or
\fBalpha\fR
(64\-bit only)\&.
+.sp
+Added in version 209\&.
.RE
.PP
\fIIgnoreSIGPIPE=\fR
.RS 4
-Takes a boolean argument\&. If true, causes
+Takes a boolean argument\&. If true,
\fBSIGPIPE\fR
-to be ignored in the executed process\&. Defaults to true because
+is ignored in the executed process\&. Defaults to true since
\fBSIGPIPE\fR
-generally is useful only in shell pipelines\&.
+is generally only useful in shell pipelines\&.
.RE
.SH "SCHEDULING"
.PP
@@ -1418,6 +1474,8 @@ and
\fINUMAMask=\fR\&. For more details on each policy please see,
\fBset_mempolicy\fR(2)\&. For overall overview of NUMA support in Linux see,
\fBnuma\fR(7)\&.
+.sp
+Added in version 243\&.
.RE
.PP
\fINUMAMask=\fR
@@ -1431,6 +1489,8 @@ and
policies and for
\fBpreferred\fR
policy we expect a single NUMA node\&.
+.sp
+Added in version 243\&.
.RE
.PP
\fIIOSchedulingClass=\fR
@@ -1472,6 +1532,12 @@ Also note that some sandboxing functionality is generally not available in user
\fIProtectSystem=\fR) are not available, as the underlying kernel functionality is only accessible to privileged processes\&. However, most namespacing settings, that will not work on their own in user services, will work when used in conjunction with
\fIPrivateUsers=\fR\fBtrue\fR\&.
.PP
+Note that the various options that turn directories read\-only (such as
+\fIProtectSystem=\fR,
+\fIReadOnlyPaths=\fR, \&...) do not affect the ability for programs to connect to and communicate with
+\fBAF_UNIX\fR
+sockets in these directores\&. These options cannot be used to lock down access to IPC services hence\&.
+.PP
\fIProtectSystem=\fR
.RS 4
Takes a boolean argument or the special values
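Review bot: typo in the new paragraph, `+sockets in these directores\&.` should be "directories". The closing sentence "These options cannot be used to lock down access to IPC services hence\&." is awkward with the trailing "hence"; suggest "Hence, these options cannot be used to lock down access to IPC services\&." Since the paragraph is warning that read-only paths do not stop connect() to AF_UNIX sockets, it would help to point at the alternative the page already names in the ProtectKernelTunables= entry, i.e. that InaccessiblePaths= can be used to make the relevant IPC file system objects inaccessible.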
@@ -1496,10 +1562,15 @@ and
\fIProtectKernelTunables=\fR,
\fIProtectControlGroups=\fR)\&. This setting ensures that any modification of the vendor\-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service\&. It is recommended to enable this setting for all long\-running services, unless they are involved with system updates or need to modify the operating system in other ways\&. If this option is used,
\fIReadWritePaths=\fR
-may be used to exclude specific directories from being made read\-only\&. This setting is implied if
+may be used to exclude specific directories from being made read\-only\&. Similar,
+\fIStateDirectory=\fR,
+\fILogsDirectory=\fR, \&... and related directory settings (see below) also exclude the specific directories from the effect of
+\fIProtectSystem=\fR\&. This setting is implied if
\fIDynamicUser=\fR
is set\&. This setting cannot ensure protection in all cases\&. In general it has the same limitations as
\fIReadOnlyPaths=\fR, see below\&. Defaults to off\&.
+.sp
+Added in version 214\&.
.RE
.PP
\fIProtectHome=\fR
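Review bot: grammar on the changed line `+may be used to exclude specific directories from being made read\-only\&. Similar,`: "Similar," should be "Similarly,".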
@@ -1543,6 +1614,8 @@ This option is only available for system services, or for services running in pe
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 214\&.
.RE
.PP
\fIRuntimeDirectory=\fR, \fIStateDirectory=\fR, \fICacheDirectory=\fR, \fILogsDirectory=\fR, \fIConfigurationDirectory=\fR
@@ -1774,6 +1847,8 @@ plus
/run/baz
as symlinks to
/run/foo\&.
+.sp
+Added in version 211\&.
.RE
.PP
\fIRuntimeDirectoryMode=\fR, \fIStateDirectoryMode=\fR, \fICacheDirectoryMode=\fR, \fILogsDirectoryMode=\fR, \fIConfigurationDirectoryMode=\fR
@@ -1787,6 +1862,8 @@ Specifies the access mode of the directories specified in
\fB0755\fR\&. See "Permissions" in
\fBpath_resolution\fR(7)
for a discussion of the meaning of permission bits\&.
+.sp
+Added in version 234\&.
.RE
.PP
\fIRuntimeDirectoryPreserve=\fR
@@ -1807,6 +1884,8 @@ is a mount point of
"tmpfs", then for system services the directories specified in
\fIRuntimeDirectory=\fR
are removed when the system is rebooted\&.
+.sp
+Added in version 235\&.
.RE
.PP
\fITimeoutCleanSec=\fR
@@ -1816,6 +1895,8 @@ Configures a timeout on the clean\-up operation requested through
\fBsystemctl\fR(1)
for details\&. Takes the usual time values and defaults to
\fBinfinity\fR, i\&.e\&. by default no timeout is applied\&. If a timeout is configured the clean operation will be aborted forcibly when the timeout is reached, potentially leaving resources on disk\&.
+.sp
+Added in version 244\&.
.RE
.PP
\fIReadWritePaths=\fR, \fIReadOnlyPaths=\fR, \fIInaccessiblePaths=\fR, \fIExecPaths=\fR, \fINoExecPaths=\fR
@@ -1922,6 +2003,8 @@ These options are only available for system services, or for services running in
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 231\&.
.RE
.PP
\fITemporaryFileSystem=\fR
@@ -1964,6 +2047,8 @@ This option is only available for system services, or for services running in pe
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 238\&.
.RE
.PP
\fIPrivateTmp=\fR
@@ -2044,12 +2129,7 @@ of
instead of using
\fBMAP_ANON\fR\&. For this setting the same restrictions regarding mount propagation and privileges apply as for
\fIReadOnlyPaths=\fR
-and related calls, see above\&. If turned on and if running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&.
+and related calls, see above\&.
.sp
Note that the implementation of this setting might be impossible (for example if mount namespaces are not available), and the unit should be written in a way that does not solely rely on this setting for security\&.
.sp
@@ -2063,6 +2143,8 @@ When access to some but not all devices must be possible, the
\fIDeviceAllow=\fR
setting might be used instead\&. See
\fBsystemd.resource-control\fR(5)\&.
+.sp
+Added in version 209\&.
.RE
.PP
\fIPrivateNetwork=\fR
@@ -2132,6 +2214,8 @@ This option is only available for system services, or for services running in pe
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 242\&.
.RE
.PP
\fIPrivateIPC=\fR
@@ -2159,6 +2243,8 @@ This option is only available for system services, or for services running in pe
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 248\&.
.RE
.PP
\fIIPCNamespacePath=\fR
@@ -2180,6 +2266,8 @@ This option is only available for system services, or for services running in pe
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 248\&.
.RE
.PP
\fIMemoryKSM=\fR
@@ -2189,7 +2277,9 @@ Takes a boolean argument\&. When set, it enables KSM (kernel samepage merging) f
in the kernel documentation\&.
.sp
Note that this functionality might not be available, for example if KSM is disabled in the kernel, or the kernel doesn\*(Aqt support controlling KSM at the process level through
-\fBprctl()\fR\&.
+\fBprctl\fR(2)\&.
+.sp
+Added in version 254\&.
.RE
.PP
\fIPrivateUsers=\fR
@@ -2221,6 +2311,8 @@ This setting is particularly useful in conjunction with
and the unit\*(Aqs own user and group\&.
.sp
Note that the implementation of this setting might be impossible (for example if user namespaces are not available), and the unit should be written in a way that does not solely rely on this setting for security\&.
+.sp
+Added in version 232\&.
.RE
.PP
\fIProtectHostname=\fR
@@ -2231,19 +2323,13 @@ Note that the implementation of this setting might be impossible (for example if
.sp
Note that when this option is enabled for a service hostname changes no longer propagate from the system into the service, it is hence not suitable for services that need to take notice of system hostname changes dynamically\&.
.sp
-If this setting is on, but the unit doesn\*(Aqt have the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. services for which
-\fIUser=\fR
-is set),
-\fINoNewPrivileges=yes\fR
-is implied\&.
-.sp
This option is only available for system services, or for services running in per\-user instances of the service manager in which case
\fIPrivateUsers=\fR
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 242\&.
.RE
.PP
\fIProtectClock=\fR
@@ -2259,13 +2345,7 @@ is implied\&. Note that the system calls are blocked altogether, the filter does
/dev/rtc1, etc\&. are made read\-only to the service\&. See
\fBsystemd.resource-control\fR(5)
for the details about
-\fIDeviceAllow=\fR\&. If this setting is on, but the unit doesn\*(Aqt have the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. services for which
-\fIUser=\fR
-is set),
-\fINoNewPrivileges=yes\fR
-is implied\&.
+\fIDeviceAllow=\fR\&.
.sp
It is recommended to turn this on for most services that do not need modify the clock or check its state\&.
.sp
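Review bot: while touching this entry, the context line "It is recommended to turn this on for most services that do not need modify the clock or check its state\&." is missing "to": "do not need to modify the clock".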
@@ -2274,6 +2354,8 @@ This option is only available for system services, or for services running in pe
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 245\&.
.RE
.PP
\fIProtectKernelTunables=\fR
@@ -2292,13 +2374,7 @@ will be made read\-only to all processes of the unit\&. Usually, tunable kernel
\fBsysctl.d\fR(5)
mechanism\&. Few services need to write to these at runtime; it is hence recommended to turn this on for most services\&. For this setting the same restrictions regarding mount propagation and privileges apply as for
\fIReadOnlyPaths=\fR
-and related calls, see above\&. Defaults to off\&. If this setting is on, but the unit doesn\*(Aqt have the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. services for which
-\fIUser=\fR
-is set),
-\fINoNewPrivileges=yes\fR
-is implied\&. Note that this option does not prevent indirect changes to kernel tunables effected by IPC calls to other processes\&. However,
+and related calls, see above\&. Defaults to off\&. Note that this option does not prevent indirect changes to kernel tunables effected by IPC calls to other processes\&. However,
\fIInaccessiblePaths=\fR
may be used to make relevant IPC file system objects inaccessible\&. If
\fIProtectKernelTunables=\fR
@@ -2311,6 +2387,8 @@ This option is only available for system services, or for services running in pe
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 232\&.
.RE
.PP
\fIProtectKernelModules=\fR
@@ -2326,19 +2404,15 @@ and related calls, see above\&. Note that limited automatic module loading due t
\fBkernel\&.modules_disabled\fR
mechanism and
/proc/sys/kernel/modules_disabled
-documentation\&. If this setting is on, but the unit doesn\*(Aqt have the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. services for which
-\fIUser=\fR
-is set),
-\fINoNewPrivileges=yes\fR
-is implied\&.
+documentation\&.
.sp
This option is only available for system services, or for services running in per\-user instances of the service manager in which case
\fIPrivateUsers=\fR
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 232\&.
.RE
.PP
\fIProtectKernelLogs=\fR
@@ -2352,19 +2426,15 @@ system call (not to be confused with the libc API
for userspace logging)\&. The kernel exposes its log buffer to userspace via
/dev/kmsg
and
-/proc/kmsg\&. If enabled, these are made inaccessible to all the processes in the unit\&. If this setting is on, but the unit doesn\*(Aqt have the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. services for which
-\fIUser=\fR
-is set),
-\fINoNewPrivileges=yes\fR
-is implied\&.
+/proc/kmsg\&. If enabled, these are made inaccessible to all the processes in the unit\&.
.sp
This option is only available for system services, or for services running in per\-user instances of the service manager in which case
\fIPrivateUsers=\fR
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 244\&.
.RE
.PP
\fIProtectControlGroups=\fR
@@ -2380,6 +2450,8 @@ is set,
is implied\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 232\&.
.RE
.PP
\fIRestrictAddressFamilies=\fR
@@ -2400,12 +2472,7 @@ system call only\&. Sockets passed into the process by other means (for example,
\fBsocketpair()\fR
(which creates connected AF_UNIX sockets only) are unaffected\&. Note that this option has no effect on 32\-bit x86, s390, s390x, mips, mips\-le, ppc, ppc\-le, ppc64, ppc64\-le and is ignored (but works correctly on other ABIs, including x86\-64)\&. Note that on systems supporting multiple ABIs (such as x86/x86\-64) it is recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this option\&. Specifically, it is recommended to combine this option with
\fISystemCallArchitectures=native\fR
-or similar\&. If running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&. By default, no restrictions apply, all address families are accessible to processes\&. If assigned the empty string, any previous address family restriction changes are undone\&. This setting does not affect commands prefixed with
+or similar\&. By default, no restrictions apply, all address families are accessible to processes\&. If assigned the empty string, any previous address family restriction changes are undone\&. This setting does not affect commands prefixed with
"+"\&.
.sp
Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive network protocols, such as
@@ -2414,6 +2481,8 @@ Use this option to limit exposure of processes to remote access, in particular v
address family should be included in the configured allow list as it is frequently used for local communication, including for
\fBsyslog\fR(2)
logging\&.
+.sp
+Added in version 211\&.
.RE
.PP
\fIRestrictFileSystems=\fR
@@ -2554,6 +2623,8 @@ Note that this setting might not be supported on some systems (for example if th
This option cannot be bypassed by prefixing
"+"
to the executable path in the service unit, as it applies to the whole control group\&.
+.sp
+Added in version 250\&.
.RE
.PP
\fIRestrictNamespaces=\fR
@@ -2579,12 +2650,7 @@ and
\fBsetns\fR(2)
system calls, taking the specified flags parameters into account\&. Note that \(em if this option is used \(em in addition to restricting creation and switching of the specified types of namespaces (or all of them, if true) access to the
\fBsetns()\fR
-system call with a zero flags parameter is prohibited\&. This setting is only supported on x86, x86\-64, mips, mips\-le, mips64, mips64\-le, mips64\-n32, mips64\-le\-n32, ppc64, ppc64\-le, s390 and s390x, and enforces no restrictions on other architectures\&. If running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&.
+system call with a zero flags parameter is prohibited\&. This setting is only supported on x86, x86\-64, mips, mips\-le, mips64, mips64\-le, mips64\-n32, mips64\-le\-n32, ppc64, ppc64\-le, s390 and s390x, and enforces no restrictions on other architectures\&.
.sp
Example: if a unit has the following,
.sp
@@ -2620,6 +2686,8 @@ RestrictNamespaces=~cgroup net
then, only
\fBipc\fR
is set\&.
+.sp
+Added in version 233\&.
.RE
.PP
\fILockPersonality=\fR
@@ -2628,12 +2696,9 @@ Takes a boolean argument\&. If set, locks down the
\fBpersonality\fR(2)
system call so that the kernel execution domain may not be changed from the default or the personality selected with
\fIPersonality=\fR
-directive\&. This may be useful to improve security, because odd personality emulations may be poorly tested and source of vulnerabilities\&. If running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&.
+directive\&. This may be useful to improve security, because odd personality emulations may be poorly tested and source of vulnerabilities\&.
+.sp
+Added in version 235\&.
.RE
.PP
\fIMemoryDenyWriteExecute=\fR
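Review bot: missing article on the changed line `+directive\&. This may be useful to improve security, because odd personality emulations may be poorly tested and source of vulnerabilities\&.`: "and a source of vulnerabilities".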
@@ -2664,12 +2729,9 @@ set\&. Note that this option is incompatible with programs and libraries that ge
\fBshmat()\fR
protection is not available on x86\&. Note that on systems supporting multiple ABIs (such as x86/x86\-64) it is recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this option\&. Specifically, it is recommended to combine this option with
\fISystemCallArchitectures=native\fR
-or similar\&. If running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&.
+or similar\&.
+.sp
+Added in version 231\&.
.RE
.PP
\fIRestrictRealtime=\fR
@@ -2680,25 +2742,19 @@ Takes a boolean argument\&. If set, any attempts to enable realtime scheduling i
or
\fBSCHED_DEADLINE\fR\&. See
\fBsched\fR(7)
-for details about these scheduling policies\&. If running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&. Realtime scheduling policies may be used to monopolize CPU time for longer periods of time, and may hence be used to lock up or otherwise trigger Denial\-of\-Service situations on the system\&. It is hence recommended to restrict access to realtime scheduling to the few programs that actually require them\&. Defaults to off\&.
+for details about these scheduling policies\&. Realtime scheduling policies may be used to monopolize CPU time for longer periods of time, and may hence be used to lock up or otherwise trigger Denial\-of\-Service situations on the system\&. It is hence recommended to restrict access to realtime scheduling to the few programs that actually require them\&. Defaults to off\&.
+.sp
+Added in version 231\&.
.RE
.PP
\fIRestrictSUIDSGID=\fR
.RS 4
Takes a boolean argument\&. If set, any attempts to set the set\-user\-ID (SUID) or set\-group\-ID (SGID) bits on files or directories will be denied (for details on these bits see
-\fBinode\fR(7))\&. If running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&. As the SUID/SGID bits are mechanisms to elevate privileges, and allow users to acquire the identity of other users, it is recommended to restrict creation of SUID/SGID files to the few programs that actually require them\&. Note that this restricts marking of any type of file system object with these bits, including both regular files and directories (where the SGID is a different meaning than for files, see documentation)\&. This option is implied if
+\fBinode\fR(7))\&. As the SUID/SGID bits are mechanisms to elevate privileges, and allow users to acquire the identity of other users, it is recommended to restrict creation of SUID/SGID files to the few programs that actually require them\&. Note that this restricts marking of any type of file system object with these bits, including both regular files and directories (where the SGID is a different meaning than for files, see documentation)\&. This option is implied if
\fIDynamicUser=\fR
is enabled\&. Defaults to off\&.
+.sp
+Added in version 242\&.
.RE
.PP
\fIRemoveIPC=\fR
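Review bot: the rewritten RestrictSUIDSGID= line keeps the awkward parenthesis "where the SGID is a different meaning than for files, see documentation"; suggest "where SGID has a different meaning than on regular files, see inode(7)", which also replaces the vague "see documentation" with the reference the same sentence already cites. Both entries in this hunk (RestrictRealtime= and RestrictSUIDSGID=) lose the implied-NoNewPrivileges sentence, which is the same concern raised on the RestrictNamespaces= hunk above. The "Added in version 242" stamp for RestrictSUIDSGID= and 231 for RestrictRealtime= are consistent with the setting names introduced in those releases.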
@@ -2713,6 +2769,8 @@ are used\&. It has no effect on IPC objects owned by the root user\&. Specifical
is set\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 232\&.
.RE
.PP
\fIPrivateMounts=\fR
@@ -2755,6 +2813,8 @@ This option is only available for system services, or for services running in pe
is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
"kernel\&.unprivileged_userns_clone="
sysctl)\&.
+.sp
+Added in version 239\&.
.RE
.PP
\fIMountFlags=\fR
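Review bot: the unchanged context in this hunk still tells readers to enable unprivileged user namespaces through the "kernel.unprivileged_userns_clone=" sysctl. That knob comes from a distribution kernel patch (Debian, Ubuntu and linux-hardened carry it) and does not exist in a vanilla kernel, where the only related control is user.max_user_namespaces; since this is the openSUSE Tumbleweed copy of the page, a reader there may not find the sysctl at all. Not something to change in a version bump of the translation source, but worth an upstream follow-up so the PrivateMounts=/PrivateUsers= guidance names a portable check.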
@@ -2817,12 +2877,7 @@ or
for a full list)\&. This value will be returned when a deny\-listed system call is triggered, instead of terminating the processes immediately\&. Special setting
"kill"
can be used to explicitly specify killing\&. This value takes precedence over the one given in
-\fISystemCallErrorNumber=\fR, see below\&. If running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&. This feature makes use of the Secure Computing Mode 2 interfaces of the kernel (\*(Aqseccomp filtering\*(Aq) and is useful for enforcing a minimal sandboxing environment\&. Note that the
+\fISystemCallErrorNumber=\fR, see below\&. This feature makes use of the Secure Computing Mode 2 interfaces of the kernel (\*(Aqseccomp filtering\*(Aq) and is useful for enforcing a minimal sandboxing environment\&. Note that the
\fBexecve()\fR,
\fBexit()\fR,
\fBexit_group()\fR,
@@ -3086,6 +3141,8 @@ It is recommended to combine the file system namespacing related options with
\fIInaccessiblePaths=\fR
and
\fIReadWritePaths=\fR\&.
+.sp
+Added in version 187\&.
.RE
.PP
\fISystemCallErrorNumber=\fR
@@ -3103,6 +3160,8 @@ is triggered, instead of terminating the process immediately\&. See
for a full list of error codes\&. When this setting is not used, or when the empty string or the special setting
"kill"
is assigned, the process will be terminated immediately when the filter is triggered\&.
+.sp
+Added in version 209\&.
.RE
.PP
\fISystemCallArchitectures=\fR
@@ -3116,12 +3175,7 @@ described in
\fBmips64\-le\-n32\fR, and the special identifier
\fBnative\fR\&. The special identifier
\fBnative\fR
-implicitly maps to the native architecture of the system (or more precisely: to the architecture the system manager is compiled for)\&. If running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&. By default, this option is set to the empty list, i\&.e\&. no filtering is applied\&.
+implicitly maps to the native architecture of the system (or more precisely: to the architecture the system manager is compiled for)\&. By default, this option is set to the empty list, i\&.e\&. no filtering is applied\&.
.sp
If this setting is used, processes of this unit will only be permitted to call native system calls, and system calls of the specified architectures\&. For the purposes of this option, the x32 architecture is treated as including x86\-64 system calls\&. However, this setting still fulfills its purpose, as explained below, on x32\&.
.sp
@@ -3134,18 +3188,17 @@ System call architectures may also be restricted system\-wide via the
option in the global configuration\&. See
\fBsystemd-system.conf\fR(5)
for details\&.
+.sp
+Added in version 209\&.
.RE
.PP
\fISystemCallLog=\fR
.RS 4
Takes a space\-separated list of system call names\&. If this setting is used, all system calls executed by the unit processes for the listed ones will be logged\&. If the first character of the list is
-"~", the effect is inverted: all system calls except the listed system calls will be logged\&. If running in user mode, or in system mode, but without the
-\fBCAP_SYS_ADMIN\fR
-capability (e\&.g\&. setting
-\fIUser=\fR),
-\fINoNewPrivileges=yes\fR
-is implied\&. This feature makes use of the Secure Computing Mode 2 interfaces of the kernel (\*(Aqseccomp filtering\*(Aq) and is useful for auditing or setting up a minimal sandboxing environment\&. This option may be specified more than once, in which case the filter masks are merged\&. If the empty string is assigned, the filter is reset, all prior assignments will have no effect\&. This does not affect commands prefixed with
+"~", the effect is inverted: all system calls except the listed system calls will be logged\&. This feature makes use of the Secure Computing Mode 2 interfaces of the kernel (\*(Aqseccomp filtering\*(Aq) and is useful for auditing or setting up a minimal sandboxing environment\&. This option may be specified more than once, in which case the filter masks are merged\&. If the empty string is assigned, the filter is reset, all prior assignments will have no effect\&. This does not affect commands prefixed with
"+"\&.
+.sp
+Added in version 247\&.
.RE
.SH "ENVIRONMENT"
.PP
@@ -3204,17 +3257,21 @@ separator, or lines starting with
";"
or
"#"
-will be ignored, which may be used for commenting\&. The file must be UTF\-8 encoded\&. Valid characters are
+will be ignored, which may be used for commenting\&. The file must be encoded with UTF\-8\&. Valid characters are
\m[blue]\fBunicode scalar values\fR\m[]\&\s-2\u[8]\d\s+2
other than
-\m[blue]\fBnoncharacters\fR\m[]\&\s-2\u[9]\d\s+2, U+0000 NUL, and U+FEFF
-\m[blue]\fBbyte order mark\fR\m[]\&\s-2\u[10]\d\s+2\&. Control codes other than NUL are allowed\&.
+\m[blue]\fBunicode noncharacters\fR\m[]\&\s-2\u[9]\d\s+2,
+\fBU+0000\fR
+\fBNUL\fR, and
+\fBU+FEFF\fR
+\m[blue]\fBunicode byte order mark\fR\m[]\&\s-2\u[10]\d\s+2\&. Control codes other than
+\fBNUL\fR
+are allowed\&.
.sp
In the file, an unquoted value after the
"="
is parsed with the same backslash\-escape rules as
-\m[blue]\fBunquoted text\fR\m[]\&\s-2\u[11]\d\s+2
-in a POSIX shell, but unlike in a shell, interior whitespace is preserved and quotes after the first non\-whitespace character are preserved\&. Leading and trailing whitespace (space, tab, carriage return) is discarded, but interior whitespace within the line is preserved verbatim\&. A line ending with a backslash will be continued to the following one, with the newline itself discarded\&. A backslash
+\m[blue]\fBPOSIX shell unquoted text\fR\m[]\&\s-2\u[11]\d\s+2, but unlike in a shell, interior whitespace is preserved and quotes after the first non\-whitespace character are preserved\&. Leading and trailing whitespace (space, tab, carriage return) is discarded, but interior whitespace within the line is preserved verbatim\&. A line ending with a backslash will be continued to the following one, with the newline itself discarded\&. A backslash
"\e"
followed by any character other than newline will preserve the following character, so that
"\e\e"
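Review bot: the rewritten allowed-character rules now say plainly that "Control codes other than NUL are allowed". Because EnvironmentFile= values are handed to the process verbatim, it would help to add one sentence that this includes newlines and terminal escape sequences, so anyone generating such files from untrusted input (deployment tooling, templated secrets) knows the parser will not strip them and must sanitise upstream. The split of "U+0000 NUL" and "U+FEFF" onto separate bold lines is just groff output from the XML source and needs no change.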
@@ -3225,15 +3282,13 @@ In the file, a
"\*(Aq"\-quoted value after the
"="
can span multiple lines and contain any character verbatim other than single quote, like
-\m[blue]\fBsingle\-quoted text\fR\m[]\&\s-2\u[12]\d\s+2
-in a POSIX shell\&. No backslash\-escape sequences are recognized\&. Leading and trailing whitespace outside of the single quotes is discarded\&.
+\m[blue]\fBPOSIX shell single\-quoted text\fR\m[]\&\s-2\u[12]\d\s+2\&. No backslash\-escape sequences are recognized\&. Leading and trailing whitespace outside of the single quotes is discarded\&.
.sp
In the file, a
"""\-quoted value after the
"="
can span multiple lines, and the same escape sequences are recognized as in
-\m[blue]\fBdouble\-quoted text\fR\m[]\&\s-2\u[13]\d\s+2
-of a POSIX shell\&. Backslash ("\e") followed by any of
+\m[blue]\fBPOSIX shell double\-quoted text\fR\m[]\&\s-2\u[13]\d\s+2\&. Backslash ("\e") followed by any of
""\e`$"
will preserve that character\&. A backslash followed by newline is a line continuation, and the newline itself is discarded\&. A backslash followed by any other character is ignored; both the backslash and the following character are preserved verbatim\&. Leading and trailing whitespace outside of the double quotes is discarded\&.
.sp
@@ -3276,6 +3331,8 @@ with the values set for those variables in PID1\&.
See
\fBenviron\fR(7)
for details about environment variables\&.
+.sp
+Added in version 228\&.
.RE
.PP
\fIUnsetEnvironment=\fR
@@ -3298,6 +3355,8 @@ is used)\&.
See "Environment Variables in Spawned Processes" below for a description of how those settings combine to form the inherited environment\&. See
\fBenviron\fR(7)
for general information about environment variables\&.
+.sp
+Added in version 235\&.
.RE
.SH "LOGGING AND STANDARD INPUT/OUTPUT"
.PP
@@ -3585,6 +3644,8 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
.if n \{\
.RE
.\}
+.sp
+Added in version 236\&.
.RE
.PP
\fILogLevelMax=\fR
@@ -3613,6 +3674,8 @@ configured in
might prohibit messages of higher log levels to be stored on disk, even though the per\-unit
\fILogLevelMax=\fR
permitted it to be processed\&.
+.sp
+Added in version 236\&.
.RE
.PP
\fILogExtraFields=\fR
@@ -3623,6 +3686,10 @@ separated by whitespace\&. See
\fBsystemd.journal-fields\fR(7)
for details on the journal field concept\&. Even though the underlying journal implementation permits binary field values, this setting accepts only valid UTF\-8 values\&. To include space characters in a journal field value, enclose the assignment in double quotes (")\&.
The usual specifiers are expanded in all assignments (see below)\&. Note that this setting is not only useful for attaching additional metadata to log records of a unit, but given that all fields and values are indexed may also be used to implement cross\-unit log record matching\&. Assign an empty string to reset the list\&.
+.sp
+Note that this functionality is currently only available in system services, not in per\-user services\&.
+.sp
+Added in version 236\&.
.RE
.PP
\fILogRateLimitIntervalSec=\fR, \fILogRateLimitBurst=\fR
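Review bot: the new note under LogExtraFields= ("this functionality is currently only available in system services, not in per-user services") uses a different formula than the one this page already uses for the same restriction, for example under RemoveIPC= and LogNamespace= ("This option is only available for system services and is not supported for services running in per-user instances of the service manager"), and the same new sentence appears again under LogFilterPatterns= in a later hunk. Aligning the wording makes the restriction greppable and keeps the translated strings in this repository consistent.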
@@ -3640,12 +3707,13 @@ and
\fIRateLimitBurst=\fR
configured in
\fBjournald.conf\fR(5)\&. Note that this only applies to log messages that are processed by the logging subsystem, i\&.e\&. by
-\fBsystemd-journald.service\fR(8)
-This means that if you connect a service\*(Aqs stderr directly to a file via
+\fBsystemd-journald.service\fR(8)\&. This means that if you connect a service\*(Aqs stderr directly to a file via
\fIStandardOutput=file:\&...\fR
or a similar setting, the rate limiting will not be applied to messages written that way (but it will be enforced for messages generated via
\fBsyslog\fR(3)
and similar functions)\&.
+.sp
+Added in version 240\&.
.RE
.PP
\fILogFilterPatterns=\fR
@@ -3677,6 +3745,10 @@ Filtering is based on the unit for which
is defined, meaning log messages coming from
\fBsystemd\fR(1)
about the unit are not taken into account\&. Filtered log messages won\*(Aqt be forwarded to traditional syslog daemons, the kernel log buffer (kmsg), the systemd console, or sent as wall messages to all logged\-in users\&.
+.sp
+Note that this functionality is currently only available in system services, not in per\-user services\&.
+.sp
+Added in version 253\&.
.RE
.PP
\fILogNamespace=\fR
@@ -3704,6 +3776,8 @@ output, unless the
option is used\&.
.sp
This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
+.sp
+Added in version 245\&.
.RE
.PP
\fISyslogIdentifier=\fR
@@ -3831,6 +3905,8 @@ before and after execution\&. Defaults to
.RS 4
Configure the size of the TTY specified with
\fITTYPath=\fR\&. If unset or set to the empty string, the kernel default is used\&.
+.sp
+Added in version 250\&.
.RE
.PP
\fITTYVTDisallocate=\fR
@@ -3984,6 +4060,8 @@ is requested for a unit
For further information see
\m[blue]\fBSystem and Service Credentials\fR\m[]\&\s-2\u[18]\d\s+2
documentation\&.
+.sp
+Added in version 247\&.
.RE
.PP
\fIImportCredential=\fR\fIGLOB\fR
@@ -4014,6 +4092,8 @@ and
\fILoadCredentialEncrypted=\fR
take priority over credentials found by
\fIImportCredential=\fR\&.
+.sp
+Added in version 254\&.
.RE
.PP
\fISetCredential=\fR\fIID\fR:\fIVALUE\fR, \fISetCredentialEncrypted=\fR\fIID\fR:\fIVALUE\fR
@@ -4057,6 +4137,8 @@ will act as default if no credentials are found by any of the former\&. In this
or
\fILoadCredentialEncrypted=\fR
is not considered fatal\&.
+.sp
+Added in version 247\&.
.RE
.SH "SYSTEM V COMPATIBILITY"
.PP
@@ -4105,6 +4187,8 @@ entry and finally a
\fBUSER_PROCESS\fR
entry is generated\&. In this case, the invoked process may be any process that is suitable to be run as session leader\&. Defaults to
"init"\&.
+.sp
+Added in version 225\&.
.RE
.SH "ENVIRONMENT VARIABLES IN SPAWNED PROCESSES"
.PP
@@ -4217,13 +4301,10 @@ Colon\-separated list of directories to use when launching executables\&.
\fBsystemd\fR
uses a fixed value of
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
-in the system manager\&. When compiled for systems with "unmerged
-/usr/" (/bin
-is not a symlink to
-/usr/bin),
-":/sbin:/bin"
-is appended\&. In case of the user manager, a different path may be configured by the distribution\&. It is recommended to not rely on the order of entries, and have only one program with a given name in
+in the system manager\&. In case of the user manager, a different path may be configured by the distribution\&. It is recommended to not rely on the order of entries, and have only one program with a given name in
\fI$PATH\fR\&.
+.sp
+Added in version 208\&.
.RE
.PP
\fI$LANG\fR
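Review bot: dropping the unmerged-/usr clause turns the $PATH description into an unconditional claim that the system manager uses "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin". That is only correct if the 255 build no longer supports unmerged /usr at all; confirm against the release notes, because a distribution still shipping /bin separate from /usr/bin would otherwise get a documented search path that omits /sbin and /bin, which matters for ExecStart= lines that rely on bare command names. The retained advice not to depend on entry order and to have a single program of a given name in $PATH is the right guidance regardless of the build configuration.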
@@ -4234,21 +4315,33 @@ or on the kernel command line (see
\fBsystemd\fR(1)
and
\fBkernel-command-line\fR(7))\&.
+.sp
+Added in version 208\&.
.RE
.PP
\fI$USER\fR, \fI$LOGNAME\fR, \fI$HOME\fR, \fI$SHELL\fR
.RS 4
-User name (twice), home directory, and the login shell\&. The variables are set for the units that have
+User name (twice), home directory, and the login shell\&.
+\fI$USER\fR
+is set unconditionally, while
+\fI$HOME\fR,
+\fI$LOGNAME\fR, and
+\fI$SHELL\fR
+are only set for the units that have
\fIUser=\fR
-set, which includes user
-\fBsystemd\fR
-instances\&. See
+set and
+\fISetLoginEnvironment=\fR
+unset or set to true\&. For user services, these variables are typically inherited from the user manager itself\&. See
\fBpasswd\fR(5)\&.
+.sp
+Added in version 208\&.
.RE
.PP
\fI$INVOCATION_ID\fR
.RS 4
Contains a randomized, unique 128\-bit ID identifying each runtime cycle of the unit, formatted as 32 character hexadecimal string\&. A new ID is assigned each time the unit changes from an inactive state into an activating or active state, and may be used to identify this specific runtime cycle, in particular in data stored offline, such as the journal\&. The same ID is passed to all processes run as part of the unit\&.
+.sp
+Added in version 232\&.
.RE
.PP
\fI$XDG_RUNTIME_DIR\fR
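Review bot: the rewritten $USER/$LOGNAME/$HOME/$SHELL entry now depends on SetLoginEnvironment=, which is referenced here but not defined anywhere in this diff; check that its entry exists in the 255 page so the cross-reference resolves. "Added in version 208" is stamped on the whole entry, while the behaviour described in the same hunk (only $USER unconditional, the other three gated on User= and SetLoginEnvironment=) is introduced by this change, so readers comparing against 254 units will not see that the rules moved; a version note for the conditional would avoid that. Minor: the leading "User name (twice)" no longer reads naturally now that $USER and $LOGNAME are set under different conditions.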
@@ -4261,6 +4354,8 @@ with a PAM stack that includes
\fBpam_systemd\fR\&. See below and
\fBpam_systemd\fR(8)
for more information\&.
+.sp
+Added in version 208\&.
.RE
.PP
\fI$RUNTIME_DIRECTORY\fR, \fI$STATE_DIRECTORY\fR, \fI$CACHE_DIRECTORY\fR, \fI$LOGS_DIRECTORY\fR, \fI$CONFIGURATION_DIRECTORY\fR
@@ -4272,6 +4367,8 @@ Absolute paths to the directories defined with
\fILogsDirectory=\fR, and
\fIConfigurationDirectory=\fR
when those settings are used\&.
+.sp
+Added in version 244\&.
.RE
.PP
\fI$CREDENTIALS_DIRECTORY\fR
@@ -4282,6 +4379,8 @@ An absolute path to the per\-unit directory with credentials configured via
or
\fIDynamicUser=\fR
(and the superuser)\&.
+.sp
+Added in version 247\&.
.RE
.PP
\fI$MAINPID\fR
@@ -4289,6 +4388,8 @@ or
The PID of the unit\*(Aqs main process if it is known\&. This is only set for control processes as invoked by
\fIExecReload=\fR
and similar\&.
+.sp
+Added in version 209\&.
.RE
.PP
\fI$MANAGERPID\fR
@@ -4296,12 +4397,16 @@ and similar\&.
The PID of the user
\fBsystemd\fR
instance, set for processes spawned by it\&.
+.sp
+Added in version 208\&.
.RE
.PP
\fI$LISTEN_FDS\fR, \fI$LISTEN_PID\fR, \fI$LISTEN_FDNAMES\fR
.RS 4
Information about file descriptors passed to a service for socket activation\&. See
\fBsd_listen_fds\fR(3)\&.
+.sp
+Added in version 208\&.
.RE
.PP
\fI$NOTIFY_SOCKET\fR
@@ -4310,12 +4415,16 @@ The socket
\fBsd_notify()\fR
talks to\&. See
\fBsd_notify\fR(3)\&.
+.sp
+Added in version 229\&.
.RE
.PP
\fI$WATCHDOG_PID\fR, \fI$WATCHDOG_USEC\fR
.RS 4
Information about watchdog keep\-alive notifications\&. See
\fBsd_watchdog_enabled\fR(3)\&.
+.sp
+Added in version 229\&.
.RE
.PP
\fI$SYSTEMD_EXEC_PID\fR
@@ -4327,6 +4436,8 @@ with
\fI$LISTEN_PID\fR
and
\fI$LISTEN_FDS\fR)\&.
+.sp
+Added in version 248\&.
.RE
.PP
\fI$TERM\fR
@@ -4335,6 +4446,8 @@ Terminal type, set only for units connected to a terminal (\fIStandardInput=tty\
\fIStandardOutput=tty\fR, or
\fIStandardError=tty\fR)\&. See
\fBtermcap\fR(5)\&.
+.sp
+Added in version 209\&.
.RE
.PP
\fI$LOG_NAMESPACE\fR
@@ -4342,6 +4455,8 @@ Terminal type, set only for units connected to a terminal (\fIStandardInput=tty\
Contains the name of the selected logging namespace when the
\fILogNamespace=\fR
service setting is used\&.
+.sp
+Added in version 246\&.
.RE
.PP
\fI$JOURNAL_STREAM\fR
@@ -4358,6 +4473,8 @@ If both standard output and standard error of the executed processes are connect
This environment variable is primarily useful to allow services to optionally upgrade their used log protocol to the native journal protocol (using
\fBsd_journal_print\fR(3)
and other functions) if their standard output or standard error output is connected to the journal anyway, thus enabling delivery of structured metadata along with logged messages\&.
+.sp
+Added in version 231\&.
.RE
.PP
\fI$SERVICE_RESULT\fR
@@ -4390,6 +4507,8 @@ l l
l l
l l
l l
+l l
+l l
l l.
T{
"success"
@@ -4427,6 +4546,16 @@ T}:T{
Watchdog keep\-alive ping was enabled for the service, but the deadline was missed\&.
T}
T{
+"exec\-condition"
+T}:T{
+Service did not run because \fIExecCondition=\fR failed\&.
+T}
+T{
+"oom\-kill"
+T}:T{
+A service process was terminated by the Out\-Of\-Memory (OOM) killer\&.
+T}
+T{
"start\-limit\-hit"
T}:T{
A start limit was defined for the unit and it was hit, causing the unit to fail to start\&. See \fBsystemd.unit\fR(5)\*(Aqs \fIStartLimitIntervalSec=\fR and \fIStartLimitBurst=\fR for details\&.
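Review bot: the new "exec-condition" row should point at ExecCondition= in systemd.service(5) the way the "start-limit-hit" row just below points at systemd.unit(5), since ExecCondition= is not defined on this page. For "oom-kill", it is worth stating which killer is meant (the kernel OOM killer, a userspace one such as systemd-oomd, or both), because the monitoring use in ExecStopPost= that this section recommends will treat them the same and operators triaging the result will want to know. The two new "l l" format lines added to the tbl preamble in the preceding hunk match the two new rows, so the table stays well-formed.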
@@ -4442,6 +4571,8 @@ This environment variable is useful to monitor failure or successful termination
\fIExecStop=\fR
and
\fIExecStopPost=\fR, it is usually a better choice to place monitoring tools in the latter, as the former is only invoked for services that managed to start up correctly, and the latter covers both services that failed during their start\-up and those which failed during their runtime\&.
+.sp
+Added in version 232\&.
.RE
.PP
\fI$EXIT_CODE\fR, \fI$EXIT_STATUS\fR
@@ -4602,6 +4733,7 @@ Note: the process may be also terminated by a signal not sent by systemd\&. In p
T}
.TE
.sp 1
+Added in version 232\&.
.RE
.PP
\fI$MONITOR_SERVICE_RESULT\fR, \fI$MONITOR_EXIT_CODE\fR, \fI$MONITOR_EXIT_STATUS\fR, \fI$MONITOR_INVOCATION_ID\fR, \fI$MONITOR_UNIT\fR
@@ -4638,6 +4770,8 @@ be passed\&. Consider using a template handler unit for that case instead:
for non\-templated units, or
"OnFailure=\fIhandler\fR@%p\-%i\&.service"
for templated units\&.
+.sp
+Added in version 251\&.
.RE
.PP
\fI$PIDFILE\fR
@@ -4647,17 +4781,23 @@ The path to the configured PID file, in case the process is forked off on behalf
setting, see
\fBsystemd.service\fR(5)
for details\&. Service code may use this environment variable to automatically generate a PID file at the location configured in the unit file\&. This field is set to an absolute path in the file system\&.
+.sp
+Added in version 242\&.
.RE
.PP
\fI$REMOTE_ADDR\fR, \fI$REMOTE_PORT\fR
.RS 4
If this is a unit started via per\-connection socket activation (i\&.e\&. via a socket unit with
\fIAccept=yes\fR), these environment variables contain the IP address and port number of the remote peer of the socket connection\&.
+.sp
+Added in version 254\&.
.RE
.PP
\fI$TRIGGER_UNIT\fR, \fI$TRIGGER_PATH\fR, \fI$TRIGGER_TIMER_REALTIME_USEC\fR, \fI$TRIGGER_TIMER_MONOTONIC_USEC\fR
.RS 4
If the unit was activated dynamically (e\&.g\&.: a corresponding path unit or timer unit), the unit that triggered it and other type\-dependent information will be passed via these variables\&. Note that this information is provided in a best\-effort way\&. For example, multiple triggers happening one after another will be coalesced and only one will be reported, with no guarantee as to which one it will be\&. Because of this, in most cases this variable will be primarily informational, i\&.e\&. useful for debugging purposes, is lossy, and should not be relied upon to propagate a comprehensive reason for activation\&.
+.sp
+Added in version 252\&.
.RE
.PP
\fI$MEMORY_PRESSURE_WATCH\fR, \fI$MEMORY_PRESSURE_WRITE\fR
@@ -4665,19 +4805,20 @@ If the unit was activated dynamically (e\&.g\&.: a corresponding path unit or ti
If memory pressure monitoring is enabled for this service unit, the path to watch and the data to write into it\&. See
\m[blue]\fBMemory Pressure Handling\fR\m[]\&\s-2\u[19]\d\s+2
for details about these variables and the service protocol data they convey\&.
+.sp
+Added in version 254\&.
.RE
.PP
\fI$FDSTORE\fR
.RS 4
-If the file descriptor store is enabled for a service (i\&.e\&.
+The maximum number of file descriptors that may be stored in the manager for the service\&. This variable is set when the file descriptor store is enabled for the service, i\&.e\&.
\fIFileDescriptorStoreMax=\fR
-is set to a non\-zero value, see
+is set to a non\-zero value (see
\fBsystemd.service\fR(5)
-for details), this environment variable will be set to the maximum number of permitted entries, as per the setting\&. Applications may check this environment variable before sending file descriptors to the service manager via
-\fBsd_pid_notify_with_fds()\fR
-(see
-\fBsd_notify\fR(3)
-for details)\&.
+for details)\&. Applications may check this environment variable before sending file descriptors to the service manager via
+\fBsd_pid_notify_with_fds\fR(3)\&.
+.sp
+Added in version 254\&.
.RE
.PP
For system services, when
@@ -5478,27 +5619,27 @@ unicode scalar values
\%https://www.unicode.org/glossary/#unicode_scalar_value
.RE
.IP " 9." 4
-noncharacters
+unicode noncharacters
.RS 4
\%https://www.unicode.org/glossary/#noncharacter
.RE
.IP "10." 4
-byte order mark
+unicode byte order mark
.RS 4
\%https://www.unicode.org/glossary/#byte_order_mark
.RE
.IP "11." 4
-unquoted text
+POSIX shell unquoted text
.RS 4
\%https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_01
.RE
.IP "12." 4
-single-quoted text
+POSIX shell single-quoted text
.RS 4
\%https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_02
.RE
.IP "13." 4
-double-quoted text
+POSIX shell double-quoted text
.RS 4
\%https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_03
.RE