Diffstat (limited to 'NEWS')
-rw-r--r--  NEWS  21
1 files changed, 12 insertions, 9 deletions
diff --git a/NEWS b/NEWS
index 4924d7c4b6..6378e596f6 100644
--- a/NEWS
+++ b/NEWS
@@ -5,16 +5,19 @@ CHANGES WITH 232 in spe
* The new RemoveIPC= option can be used to remove IPC objects owned by
the user or group of a service when that service exits.
+ * The new ProtectKernelModules= option can be used to disable explicit
+ load and unload operations of kernel modules by a service.
+
* ProtectSystem= option gained a new value "strict", which causes the
whole file system tree with the exception of /dev, /proc, and /sys,
to be remounted read-only for a service.
- The new ProtectedKernelTunables= options can be used to disable
+ * The new ProtectedKernelTunables= option can be used to disable
modification of configuration files in /sys and /proc by a service.
Various directories and files are remounted read-only, so access is
restricted even if the file permissions would allow it.
- The new ProtectControlGroups= option can be used to disable write
+ * The new ProtectControlGroups= option can be used to disable write
access by a service to /sys/fs/cgroup.
* Various systemd services have been hardened with
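Review bot: the `+` line "* The new ProtectedKernelTunables= option can be used to disable" corrects "options" to "option" but leaves the name inconsistent with every sibling option in this hunk (ProtectSystem=, ProtectKernelModules=, ProtectControlGroups=), all of which use the Protect... prefix without "-ed"; the option as shipped is ProtectKernelTunables=, so the typo should be fixed while this line is being touched. Separately, the new ProtectKernelModules= entry says it disables "explicit" load and unload operations, which implicitly leaves kernel-driven module autoloading unaffected; spelling that limitation out in the NEWS text would stop readers from treating the option as a full module-loading lockdown.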
@@ -569,13 +572,13 @@ CHANGES WITH 230:
of the owners and the ACLs of all files and directories in a
container tree to match the UID/GID user namespacing range selected
for the container invocation. This mode is enabled via the new
- --private-user-chown switch. It also gained support for automatically
- choosing a free, previously unused UID/GID range when starting a
- container, via the new --private-users=pick setting (which implies
- --private-user-chown). Together, these options for the first time
- make user namespacing for nspawn containers fully automatic and thus
- deployable. The systemd-nspawn@.service template unit file has been
- changed to use this functionality by default.
+ --private-users-chown switch. It also gained support for
+ automatically choosing a free, previously unused UID/GID range when
+ starting a container, via the new --private-users=pick setting (which
+ implies --private-users-chown). Together, these options for the first
+ time make user namespacing for nspawn containers fully automatic and
+ thus deployable. The systemd-nspawn@.service template unit file has
+ been changed to use this functionality by default.
* systemd-nspawn gained a new --network-zone= switch, that allows
creating ad-hoc virtual Ethernet links between multiple containers,
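Review bot: the only substantive change in this hunk is the two occurrences of --private-user-chown becoming --private-users-chown, which brings the name into line with the --private-users=pick switch quoted in the same paragraph; the remaining five changed lines are a pure reflow of unchanged wording, which hides the rename inside a cosmetic diff and makes it easy to miss on review. Either keep the rename to the two lines it needs, or mention the reflow in the commit message so the reader knows the wrapped lines carry no content change.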