Diffstat (limited to 'man')
-rw-r--r--  man/systemd-detect-virt.xml             16
-rw-r--r--  man/systemd-vconsole-setup.service.xml  28
-rw-r--r--  man/systemd.exec.xml                    23
-rw-r--r--  man/systemd.unit.xml                     3
-rw-r--r--  man/udev.xml                             4
5 files changed, 54 insertions, 20 deletions
diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml
index 61a5f8937f..996c2fa256 100644
--- a/man/systemd-detect-virt.xml
+++ b/man/systemd-detect-virt.xml
@@ -50,7 +50,8 @@
<refsynopsisdiv>
<cmdsynopsis>
- <command>systemd-detect-virt <arg choice="opt" rep="repeat">OPTIONS</arg></command>
+ <command>systemd-detect-virt</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -218,6 +219,16 @@
</varlistentry>
<varlistentry>
+ <term><option>--private-users</option></term>
+
+ <listitem><para>Detect whether invoked in a user namespace. In this mode, no
+ output is written, but the return value indicates whether the process was invoked
+ inside of a user namespace or not. See
+ <citerefentry project='man-pages'><refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for more information.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>-q</option></term>
<term><option>--quiet</option></term>
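Review bot: the new `--private-users` entry says only that "the return value indicates whether the process was invoked inside of a user namespace or not" without saying which way round; state explicitly which exit status means "running in a user namespace" and point at the Exit status section, so the wording matches what the `-c`/`--container` and `-v`/`--vm` modes already document. Since the same identifier is exposed as `ConditionVirtualization=private-users`, a reader will rely on this exit-status convention when debugging a unit that unexpectedly (does not) start. Minor: "inside of a user namespace" reads better as "inside a user namespace".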
@@ -243,7 +254,8 @@
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>
</para>
</refsect1>
diff --git a/man/systemd-vconsole-setup.service.xml b/man/systemd-vconsole-setup.service.xml
index e048258621..f2da2a7b77 100644
--- a/man/systemd-vconsole-setup.service.xml
+++ b/man/systemd-vconsole-setup.service.xml
@@ -43,23 +43,35 @@
<refnamediv>
<refname>systemd-vconsole-setup.service</refname>
<refname>systemd-vconsole-setup</refname>
- <refpurpose>Configure the virtual console at boot</refpurpose>
+ <refpurpose>Configure the virtual consoles</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>systemd-vconsole-setup.service</filename></para>
- <para><filename>/usr/lib/systemd/systemd-vconsole-setup</filename></para>
+ <cmdsynopsis>
+ <command>/usr/lib/systemd/systemd-vconsole-setup</command>
+ <arg choice="opt">TTY</arg>
+ </cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
- <para><filename>systemd-vconsole-setup.service</filename> is an
- early boot service that configures the virtual console font and
- console keymap. Internally it calls
- <citerefentry project='mankier'><refentrytitle>loadkeys</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- and
- <citerefentry project='die-net'><refentrytitle>setfont</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+ <para><filename>systemd-vconsole-setup</filename> is a helper used to prepare either all virtual consoles, or — if
+ the optional <replaceable>TTY</replaceable> parameter is provided — a specific one. When the system is booting up
+ it's called by <citerefentry><command>udev</command></citerefentry> during vtconsole subsystem initialization.
+ <productname>Systemd</productname> also calls it internally as needed via
+ <filename>systemd-vconsole-setup.service</filename>. The helper calls
+ <citerefentry project='mankier'><refentrytitle>loadkeys</refentrytitle><manvolnum>1</manvolnum></citerefentry> and
+ <citerefentry project='die-net'><refentrytitle>setfont</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ internally.
+ </para>
+
+ <para>
+ You may want to use this helper whenever you change <filename>vconsole.conf</filename> to
+ refresh the settings on your consoles — either through the <command>systemctl restart</command> /
+ <command>systemctl start</command> command or directly through the executable.
+ </para>
<para>See
<citerefentry><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
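Review bot: `<citerefentry><command>udev</command></citerefentry>` in the new Description paragraph is not valid DocBook; `citerefentry` takes a `refentrytitle` child (plus `manvolnum`), not `command`, so the page will fail validation and the cross-reference will not render. Write it as `<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>`, matching the other references in this file. Two smaller points in the same hunk: `<productname>Systemd</productname>` should be lowercase `systemd`, as the project spells it everywhere else, and the bare `<filename>vconsole.conf</filename>` in the second paragraph would be clearer either as the full path `/etc/vconsole.conf` or as a `citerefentry` to vconsole.conf(5), like the one that immediately follows it.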
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f9a15d8db0..54ec7e29ca 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1234,13 +1234,22 @@
<varlistentry>
<term><varname>NoNewPrivileges=</varname></term>
- <listitem><para>Takes a boolean argument. If true, ensures
- that the service process and all its children can never gain
- new privileges. This option is more powerful than the
- respective secure bits flags (see above), as it also prohibits
- UID changes of any kind. This is the simplest, most effective
- way to ensure that a process and its children can never
- elevate privileges again.</para></listitem>
+ <listitem><para>Takes a boolean argument. If true, ensures that the service
+ process and all its children can never gain new privileges. This option is more
+ powerful than the respective secure bits flags (see above), as it also prohibits
+ UID changes of any kind. This is the simplest and most effective way to ensure that
+ a process and its children can never elevate privileges again. Defaults to false,
+ but in the user manager instance certain settings force
+ <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting.
+ Those is the case when <varname>SystemCallFilter=</varname>,
+ <varname>SystemCallArchitectures=</varname>,
+ <varname>RestrictAddressFamilies=</varname>,
+ <varname>PrivateDevices=</varname>,
+ <varname>ProtectKernelTunables=</varname>,
+ <varname>ProtectKernelModules=</varname>,
+ <varname>MemoryDenyWriteExecute=</varname>, or
+ <varname>RestrictRealtime=</varname> are specified.
+ </para></listitem>
</varlistentry>
<varlistentry>
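Review bot: "Those is the case when" is ungrammatical; "This is the case when". More importantly, the list of settings that force `NoNewPrivileges=yes` in the user manager is given without the reason, and the reason is what lets a reader predict the behaviour for settings not listed: these options are enforced, at least in part, with seccomp filters, and a process without CAP_SYS_ADMIN can only install a seccomp filter once no_new_privs is set (see seccomp(2)). One sentence to that effect, plus a pointer to the `--user` manager, would also make it clear that this is a kernel constraint rather than a policy choice, and that the override applies even when the unit explicitly sets `NoNewPrivileges=no`.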
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 04efee2891..40c4cfd854 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -908,7 +908,8 @@
<varname>systemd-nspawn</varname>,
<varname>docker</varname>,
<varname>rkt</varname> to test
- against a specific implementation. See
+ against a specific implementation, or
+ <varname>private-users</varname> to check whether we are running in a user namespace. See
<citerefentry><refentrytitle>systemd-detect-virt</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for a full list of known virtualization technologies and their
identifiers. If multiple virtualization technologies are
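Review bot: "whether we are running in a user namespace" uses "we" where the surrounding `ConditionVirtualization=` text describes the system; say "whether the service manager is running in a user namespace". It is also worth adding that `private-users` is not a virtualization technology and can hold at the same time as one of the other identifiers, because the very next sentence ("If multiple virtualization technologies are ...") explains how nested technologies are resolved, and a reader will otherwise wonder where user namespaces fit into that ordering.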
diff --git a/man/udev.xml b/man/udev.xml
index dd5563605c..3359fb0865 100644
--- a/man/udev.xml
+++ b/man/udev.xml
@@ -577,8 +577,8 @@
<para>The <varname>NAME</varname>, <varname>SYMLINK</varname>,
<varname>PROGRAM</varname>, <varname>OWNER</varname>,
- <varname>GROUP</varname>, <varname>MODE</varname>, and
- <varname>RUN</varname> fields support simple string substitutions.
+ <varname>GROUP</varname>, <varname>MODE</varname>, <varname>SECLABEL</varname>,
+ and <varname>RUN</varname> fields support simple string substitutions.
The <varname>RUN</varname> substitutions are performed after all rules
have been processed, right before the program is executed, allowing for
the use of device properties set by earlier matching rules. For all other
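Review bot: adding `SECLABEL` to the list of fields with string substitution deserves a caveat in the same paragraph. Substitutions such as `$attr{}` read sysfs attributes that can be supplied by the device itself (product and serial strings of USB devices, for example), so a rule that builds a `SECLABEL` value from them lets the hardware influence the security label applied to the device node. Either say that only properties set by trusted rules should be used in `SECLABEL`, or name the substitutions that are appropriate there; the paragraph already distinguishes when `RUN` substitutions happen, so the same place should say when `SECLABEL` substitutions are performed.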