From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Wed, 29 Apr 2020 16:22:46 +0000 (+0200)
Subject: man: mention that ProtectSystem= also takes care of /efi
X-Git-Tag: v246-rc1~439^2~13
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=26b8190841fa6e00a66a4a46b343bde117b855fc;p=thirdparty%2Fsystemd.git

man: mention that ProtectSystem= also takes care of /efi
---

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 3e2ae93bf0e..4818f3423c4 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -891,10 +891,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
         <term><varname>ProtectSystem=</varname></term>
 
         <listitem><para>Takes a boolean argument or the special values <literal>full</literal> or
-        <literal>strict</literal>. If true, mounts the <filename>/usr</filename> and <filename>/boot</filename>
-        directories read-only for processes invoked by this unit. If set to <literal>full</literal>, the
-        <filename>/etc</filename> directory is mounted read-only, too. If set to <literal>strict</literal> the entire
-        file system hierarchy is mounted read-only, except for the API file system subtrees <filename>/dev</filename>,
+        <literal>strict</literal>. If true, mounts the <filename>/usr</filename> and the boot loader
+        directories (<filename>/boot</filename> and <filename>/efi</filename>) read-only for processes
+        invoked by this unit. If set to <literal>full</literal>, the <filename>/etc</filename> directory is
+        mounted read-only, too. If set to <literal>strict</literal> the entire file system hierarchy is
+        mounted read-only, except for the API file system subtrees <filename>/dev</filename>,
         <filename>/proc</filename> and <filename>/sys</filename> (protect these directories using
         <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
         <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied