From a14e028e869739021482c86ef3aeb861b0342dd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 8 Sep 2021 15:46:17 +0200 Subject: man: cross-reference DeviceAllow= and PrivateDevices= They are somewhat similar, but not easy to discover, esp. considering that they are described in different pages. For PrivateDevices=, split out the first paragraph that gives the high-level overview. (The giant second paragraph could also use some heavy editing to break it up into more digestible chunks, alas.) --- man/systemd.resource-control.xml | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'man/systemd.resource-control.xml') diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index ea728dff33..b21f8575a0 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -928,6 +928,11 @@ RestrictNetworkInterfaces=~eth1 url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html">Device Whitelist Controller. In the unified cgroup hierarchy this functionality is implemented using eBPF filtering. + When access to all physical devices should be disallowed, + PrivateDevices= may be used instead. See + systemd.exec5. + + The device node specifier is either a path to a device node in the file system, starting with /dev/, or a string starting with either char- or block- followed by a device group name, as listed in -- cgit v1.2.1
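Review bot: the wording "PrivateDevices= may be used instead" in the added paragraph reads as if the two settings were interchangeable, which the surrounding text contradicts: the context line just above describes DeviceAllow= as cgroup device-controller / eBPF filtering, while the commit message itself only calls the two "somewhat similar". A reader landing on DeviceAllow= gets no hint of what distinguishes PrivateDevices= (or that both can be set on the same unit), so the cross-reference should say how they differ rather than just point away. Consider something like "PrivateDevices= (see systemd.exec(5)) is a simpler alternative when the intent is to disallow access to all physical devices; the two settings are complementary and may be combined." Minor: the hunk adds a trailing empty `+` line after the new paragraph, so there is now a double blank before "The device node specifier is either a path…"; one blank line matches the spacing used elsewhere in this section.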