X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=c419424d9d6d0603587dc71b8b8e31baabe8bbeb;hb=2424a4755d38f360cfce2ff192776ff91f739c2d;hp=36643034913c91169fcce52b5b29a416ef42dfa3;hpb=417116f23432073162ebfcb286a7800846482eed;p=elogind.git

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 366430349..c419424d9 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -777,8 +777,8 @@
                                 <term><varname>ReadOnlyDirectories=</varname></term>
                                 <term><varname>InaccessibleDirectories=</varname></term>
 
-                                <listitem><para>Sets up a new
-                                file system namespace for executed
+                                <listitem><para>Sets up a new file
+                                system namespace for executed
                                 processes. These options may be used
                                 to limit access a process might have
                                 to the main file system
@@ -799,16 +799,14 @@
                                 processes inside the namespace. Note
                                 that restricting access with these
                                 options does not extend to submounts
-                                of a directory. You must list
-                                submounts separately in these settings
-                                to ensure the same limited
-                                access. These options may be specified
+                                of a directory that are created later
+                                on. These options may be specified
                                 more than once in which case all
                                 directories listed will have limited
                                 access from within the namespace. If
                                 the empty string is assigned to this
-                                option, the specific list is reset, and
-                                all prior assignments have no
+                                option, the specific list is reset,
+                                and all prior assignments have no
                                 effect.</para>
                                 <para>Paths in
                                 <varname>ReadOnlyDirectories=</varname>
@@ -935,16 +933,20 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>ReadOnlySystem=</varname></term>
+                                <term><varname>ProtectSystem=</varname></term>
 
                                 <listitem><para>Takes a boolean
-                                argument. If true, mounts the
-                                <filename>/usr</filename> and
-                                <filename>/boot</filename> directories
-                                read-only for processes invoked by
-                                this unit. This setting ensures that
-                                any modification of the vendor
-                                supplied operating system is
+                                argument or
+                                <literal>full</literal>. If true,
+                                mounts the <filename>/usr</filename>
+                                directory read-only for processes
+                                invoked by this unit. If set to
+                                <literal>full</literal> the
+                                <filename>/etc</filename> is mounted
+                                read-only, too. This setting ensures
+                                that any modification of the vendor
+                                supplied operating system (and
+                                optionally its configuration) is
                                 prohibited for the service. It is
                                 recommended to enable this setting for
                                 all long-running services, unless they
@@ -962,7 +964,7 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>ProtectedHome=</varname></term>
+                                <term><varname>ProtectHome=</varname></term>
 
                                 <listitem><para>Takes a boolean
                                 argument or
@@ -977,7 +979,7 @@
                                 instead. It is recommended to enable
                                 this setting for all long-running
                                 services (in particular network-facing
-                                one), to ensure they cannot get access
+                                ones), to ensure they cannot get access
                                 to private user data, unless the
                                 services actually require access to
                                 the user's private data. Note however,