From de7070b49a9e7d8bc7ddfa004bd415574dbf503a Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 4 Sep 2017 16:20:47 +0900
Subject: [PATCH] man: add examples for CapabilityBoundingSet=

Follow-up for c792ec2e3512a672881fc847ff432e26b641c9c9.
---
 man/systemd.exec.xml | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 9c6e863..707cab2 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -925,11 +925,21 @@
         inverted. Note that this option also affects the respective capabilities in the effective, permitted and
         inheritable capability sets. If this option is not used, the capability bounding set is not modified on process
         execution, hence no limits on the capabilities of the process are enforced. This option may appear more than
-        once, in which case the bounding sets are merged. If the empty string is assigned to this option, the bounding
-        set is reset to the empty capability set, and all prior settings have no effect.  If set to
-        <literal>~</literal> (without any further argument), the bounding set is reset to the full set of available
+        once, in which case the bounding sets are merged by <constant>AND</constant>, or by <constant>OR</constant>
+        if the lines are prefixed with <literal>~</literal> (see below). If the empty string is assigned
+        to this option, the bounding set is reset to the empty capability set, and all prior settings have no effect.
+        If set to <literal>~</literal> (without any further argument), the bounding set is reset to the full set of available
         capabilities, also undoing any previous settings. This does not affect commands prefixed with
-        <literal>+</literal>.</para></listitem>
+        <literal>+</literal>.</para>
+
+        <para>Example: if a unit has the following,
+        <programlisting>CapabilityBoundingSet=CAP_A CAP_B
+CapabilityBoundingSet=CAP_B CAP_C</programlisting>
+        then <constant>CAP_A</constant>, <constant>CAP_B</constant>, and <constant>CAP_C</constant> are set.
+        If the second line is prefixed with <literal>~</literal>, e.g.,
+        <programlisting>CapabilityBoundingSet=CAP_A CAP_B
+CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
+        then, only <constant>CAP_A</constant> is set.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -938,7 +948,8 @@
         <listitem><para>Controls which capabilities to include in the ambient capability set for the executed
         process. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>,
         <constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
-        once in which case the ambient capability sets are merged.  If the list of capabilities is prefixed with
+        once in which case the ambient capability sets are merged (see the above examples in
+        <varname>CapabilityBoundingSet=</varname>). If the list of capabilities is prefixed with
         <literal>~</literal>, all but the listed capabilities will be included, the effect of the assignment
         inverted. If the empty string is assigned to this option, the ambient capability set is reset to the empty
         capability set, and all prior settings have no effect.  If set to <literal>~</literal> (without any further
-- 
2.7.4