X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=5b0d2ce37b74de68d5d355912b904c9913a32833;hb=32d0463d5c9982cc0c98a6e2867f94c764a496c2;hp=f96d181a9e83ad82358dfe510f8a5955df70b674;hpb=f1779fd27b49d7ac9e04e0e83daf5f5f3efd9d8a;p=elogind.git

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f96d181a9..5b0d2ce37 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -558,7 +558,10 @@
                                 various resource limits for executed
                                 processes. See
                                 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
-                                for details.</para></listitem>
+                                for details. Use the string
+                                <varname>infinity</varname> to
+                                configure no limit on a specific
+                                resource.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
@@ -597,16 +600,34 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>Capabilities=</varname></term>
-                                <listitem><para>Controls the
+                                <term><varname>CapabilityBoundingSet=</varname></term>
+
+                                <listitem><para>Controls which
+                                capabilities to include in the
+                                capability bounding set for the
+                                executed process. See
                                 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
-                                set for the executed process. Take a
-                                capability string as described in
-                                <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
-                                Note that this capability set is
-                                usually influenced by the capabilities
-                                attached to the executed
-                                file.</para></listitem>
+                                for details. Takes a whitespace
+                                seperated list of capability names as
+                                read by
+                                <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+                                Capabilities listed will be included
+                                in the bounding set, all others are
+                                removed. If the list of capabilities
+                                is prefixed with ~ all but the listed
+                                capabilities will be included, the
+                                effect of this assignment
+                                inverted. Note that this option does
+                                not actually set or unset any
+                                capabilities in the effective,
+                                permitted or inherited capability
+                                sets. That's what
+                                <varname>Capabilities=</varname> is
+                                for. If this option is not used the
+                                capability bounding set is not
+                                modified on process execution, hence
+                                no limits on the capabilities of the
+                                process are enforced.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
@@ -625,16 +646,21 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>CapabilityBoundingSetDrop=</varname></term>
-
+                                <term><varname>Capabilities=</varname></term>
                                 <listitem><para>Controls the
-                                capability bounding set drop set for
-                                the executed process. See
                                 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
-                                for details. Takes a list of
-                                capability names as read by
-                                <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
-                                </para></listitem>
+                                set for the executed process. Take a
+                                capability string describing the
+                                effective, permitted and inherited
+                                capability sets as documented in
+                                <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+                                Note that these capability sets are
+                                usually influenced by the capabilities
+                                attached to the executed file. Due to
+                                that
+                                <varname>CapabilityBoundingSet=</varname>
+                                is probably the much more useful
+                                setting.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>