16 changed files with 266 additions and 437 deletions
--- a/17
+++ b/17
@ -19,7 +19,7 @@ CHANGES WITH 244 in spe:
          SystemdOptions. This may be used to configure systemd behaviour when
          modifying the kernel command line is inconvenient, but configuration
          on disk is read too late, for example for the options related to
-          cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
+          cgroup hierarchy setup. 'bootctl system-options' may be used to
          set the EFI variable.
        * systemd will now disable printk ratelimits in early boot. This should
@ -187,19 +187,6 @@ CHANGES WITH 244 in spe:
          used by the user service manager. The default is again to use the same
          path as the system manager.
        * The systemd-id128 tool gained a new switch "-u" (or "--uuid") for
          outputting the 128bit IDs in UUID format (i.e. in the "canonical
          representation").
        * Service units gained a new sandboxing option ProtectKernelLogs= which
          makes sure the program cannot get direct access to the kernel log
          buffer anymore, i.e. the syslog() system call (not to be confused
          with the API of the same name in libc, which is not affected), the
          /proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made
          inaccessible to the service. It's recommended to enable this setting
          for all services that should not be able to read from or write to the
          kernel log buffer, which are probably almost all.
 CHANGES WITH 243:
        * This release enables unprivileged programs (i.e. requiring neither
@ -518,7 +505,7 @@ CHANGES WITH 243:
        * SuccessExitStatus=, RestartPreventExitStatus=, and
          RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
          is equivalent to "65"). Those exit status name mappings may be
-          displayed with the systemd-analyze exit-status verb describe above.
+          displayed with the sytemd-analyze exit-status verb describe above.
        * systemd-logind now exposes a per-session SetBrightness() bus call,
          which may be used to securely change the brightness of a kernel
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@ -47,8 +47,8 @@ All tools:
 * `$SYSTEMD_CRYPTTAB` — if set, use this path instead of /etc/crypttab. Only
  useful for debugging. Currently only supported by systemd-cryptsetup-generator.
-* `$SYSTEMD_EFI_OPTIONS` — if set, used instead of the string in the
+* `$SYSTEMD_EFI_OPTIONS` — if set, used instead of the string in SystemdOptions
-  SystemdOptions EFI variable. Analogous to `$SYSTEMD_PROC_CMDLINE`.
+  EFI variable. Analogous to `$SYSTEMD_PROC_CMDLINE`.
 * `$SYSTEMD_IN_INITRD` — takes a boolean. If set, overrides initrd detection.
  This is useful for debugging and testing initrd-only programs in the main
--- a/man/bootctl.xml
+++ b/man/bootctl.xml
@ -102,7 +102,7 @@
      </varlistentry>
      <varlistentry>
-        <term><option>systemd-efi-options</option> <optional><replaceable>VALUE</replaceable></optional></term>
+        <term><option>system-options</option> <optional><replaceable>VALUE</replaceable></optional></term>
        <listitem><para>When called without the optional argument, prints the current value of the
        <literal>SystemdOptions</literal> EFI variable. When called with an argument, sets the
--- a/man/systemctl.xml
+++ b/man/systemctl.xml
@ -1032,7 +1032,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
    </refsect2>
    <refsect2>
-      <title>Manager State Commands</title>
+      <title>Manager Lifecycle Commands</title>
      <variablelist>
        <varlistentry>
@ -1051,7 +1051,6 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
            <command>reload</command> command.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>daemon-reexec</command></term>
@ -1066,39 +1065,6 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>log-level</command> [<replaceable>LEVEL</replaceable>]</term>
          <listitem><para>If no argument is given, print the current log level of the manager. If an
          optional argument <replaceable>LEVEL</replaceable> is provided, then the command changes the
          current log level of the manager to <replaceable>LEVEL</replaceable> (accepts the same values as
          <option>--log-level=</option> described in
          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
          </para></listitem>
        </varlistentry>
        <varlistentry>
          <term><command>log-target</command> [<replaceable>TARGET</replaceable>]</term>
          <listitem><para>If no argument is given, print the current log target of the manager. If an
          optional argument <replaceable>TARGET</replaceable> is provided, then the command changes the
          current log target of the manager to <replaceable>TARGET</replaceable> (accepts the same values as
          <option>--log-target=</option>, described in
          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
          </para></listitem>
        </varlistentry>
        <varlistentry>
          <term><command>service-watchdogs</command> [yes|no]</term>
          <listitem><para>If no argument is given, print the current state of service runtime watchdogs of
          the manager. If an optional boolean argument is provided, then globally enables or disables the
          service runtime watchdogs (<option>WatchdogSec=</option>) and emergency actions (e.g.
          <option>OnFailure=</option> or <option>StartLimitAction=</option>); see
          <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
          The hardware watchdog is not affected by this setting.</para></listitem>
        </varlistentry>
      </variablelist>
    </refsect2>
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@ -39,6 +39,25 @@
      <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>systemd-analyze</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
      <arg choice="plain">log-level</arg>
      <arg choice="opt"><replaceable>LEVEL</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>systemd-analyze</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
      <arg choice="plain">log-target</arg>
      <arg choice="opt"><replaceable>TARGET</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>systemd-analyze</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
      <arg choice="plain">service-watchdogs</arg>
      <arg choice="opt"><replaceable>BOOL</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>systemd-analyze</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
@ -222,6 +241,37 @@ multi-user.target @47.820s
      </example>
    </refsect2>
    <refsect2>
      <title><command>systemd-analyze log-level [<replaceable>LEVEL</replaceable>]</command></title>
      <para><command>systemd-analyze log-level</command> prints the current log level of the
      <command>systemd</command> daemon.  If an optional argument <replaceable>LEVEL</replaceable> is
      provided, then the command changes the current log level of the <command>systemd</command> daemon to
      <replaceable>LEVEL</replaceable> (accepts the same values as <option>--log-level=</option> described in
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
    </refsect2>
    <refsect2>
      <title><command>systemd-analyze log-target [<replaceable>TARGET</replaceable>]</command></title>
      <para><command>systemd-analyze log-target</command> prints the current log target of the
      <command>systemd</command> daemon.  If an optional argument <replaceable>TARGET</replaceable> is
      provided, then the command changes the current log target of the <command>systemd</command> daemon to
      <replaceable>TARGET</replaceable> (accepts the same values as <option>--log-target=</option>, described
      in <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
    </refsect2>
    <refsect2>
      <title><command>systemd-analyze service-watchdogs [yes|no]</command></title>
      <para><command>systemd-analyze service-watchdogs</command> prints the current state of service runtime
      watchdogs of the <command>systemd</command> daemon. If an optional boolean argument is provided, then
      globally enables or disables the service runtime watchdogs (<option>WatchdogSec=</option>) and
      emergency actions (e.g.  <option>OnFailure=</option> or <option>StartLimitAction=</option>); see
      <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
      The hardware watchdog is not affected by this setting.</para>
    </refsect2>
    <refsect2>
      <title><command>systemd-analyze dump</command></title>
--- a/src/analyze/analyze.c
+++ b/src/analyze/analyze.c
@ -2166,8 +2166,8 @@ static int service_watchdogs(int argc, char *argv[], void *userdata) {
        if (r < 0)
                return log_error_errno(r, "Failed to create bus connection: %m");
        if (argc == 1) {
        /* get ServiceWatchdogs */
        if (argc == 1) {
                r = sd_bus_get_property_trivial(
                                bus,
                                "org.freedesktop.systemd1",
@ -2182,11 +2182,15 @@ static int service_watchdogs(int argc, char *argv[], void *userdata) {
                printf("%s\n", yes_no(!!b));
-        } else {
+                return 0;
        }
        /* set ServiceWatchdogs */
        b = parse_boolean(argv[1]);
-                if (b < 0)
+        if (b < 0) {
-                        return log_error_errno(b, "Failed to parse service-watchdogs argument: %m");
+                log_error("Failed to parse service-watchdogs argument.");
                return -EINVAL;
        }
        r = sd_bus_set_property(
                        bus,
@ -2199,7 +2203,6 @@ static int service_watchdogs(int argc, char *argv[], void *userdata) {
                        b);
        if (r < 0)
                return log_error_errno(r, "Failed to set service-watchdog state: %s", bus_error_message(&error, r));
        }
        return 0;
 }
@ -2243,11 +2246,13 @@ static int help(int argc, char *argv[], void *userdata) {
        printf("%s [OPTIONS...] COMMAND ...\n\n"
               "%sProfile systemd, show unit dependencies, check unit files.%s\n"
               "\nCommands:\n"
-               "  [time]                   Print time required to boot the machine\n"
+               "  time                     Print time spent in the kernel\n"
               "  blame                    Print list of running units ordered by time to init\n"
               "  critical-chain [UNIT...] Print a tree of the time critical chain of units\n"
               "  plot                     Output SVG graphic showing service initialization\n"
               "  dot [UNIT...]            Output dependency graph in %s format\n"
               "  log-level [LEVEL]        Get/set logging threshold for manager\n"
               "  log-target [TARGET]      Get/set logging target for manager\n"
               "  dump                     Output state serialization of service manager\n"
               "  cat-config               Show configuration file and drop-ins\n"
               "  unit-files               List files and symlinks for units\n"
@ -2256,6 +2261,7 @@ static int help(int argc, char *argv[], void *userdata) {
               "  syscall-filter [NAME...] Print list of syscalls in seccomp filter\n"
               "  condition CONDITION...   Evaluate conditions and asserts\n"
               "  verify FILE...           Check unit files for correctness\n"
               "  service-watchdogs [BOOL] Get/set service watchdog state\n"
               "  calendar SPEC...         Validate repetitive calendar time events\n"
               "  timestamp TIMESTAMP...   Validate a timestamp\n"
               "  timespan SPAN...         Validate a time span\n"
@ -2476,14 +2482,13 @@ static int run(int argc, char *argv[]) {
                { "critical-chain",    VERB_ANY, VERB_ANY, 0,            analyze_critical_chain },
                { "plot",              VERB_ANY, 1,        0,            analyze_plot           },
                { "dot",               VERB_ANY, VERB_ANY, 0,            dot                    },
                /* The following seven verbs are deprecated */
                { "log-level",         VERB_ANY, 2,        0,            get_or_set_log_level   },
                { "log-target",        VERB_ANY, 2,        0,            get_or_set_log_target  },
                /* The following four verbs are deprecated aliases */
                { "set-log-level",     2,        2,        0,            set_log_level          },
                { "get-log-level",     VERB_ANY, 1,        0,            get_log_level          },
                { "set-log-target",    2,        2,        0,            set_log_target         },
                { "get-log-target",    VERB_ANY, 1,        0,            get_log_target         },
                { "service-watchdogs", VERB_ANY, 2,        0,            service_watchdogs      },
                { "dump",              VERB_ANY, 1,        0,            dump                   },
                { "cat-config",        2,        VERB_ANY, 0,            cat_config             },
                { "unit-files",        VERB_ANY, VERB_ANY, 0,            do_unit_files          },
@ -2495,6 +2500,7 @@ static int run(int argc, char *argv[]) {
                { "calendar",          2,        VERB_ANY, 0,            test_calendar          },
                { "timestamp",         2,        VERB_ANY, 0,            test_timestamp         },
                { "timespan",          2,        VERB_ANY, 0,            dump_timespan          },
                { "service-watchdogs", VERB_ANY, 2,        0,            service_watchdogs      },
                { "security",          VERB_ANY, VERB_ANY, 0,            do_security            },
                {}
        };
--- a/src/basic/efivars.c
+++ b/src/basic/efivars.c
@ -220,7 +220,7 @@ int efi_set_variable_string(sd_id128_t vendor, const char *name, const char *v)
        return efi_set_variable(vendor, name, u16, (char16_strlen(u16) + 1) * sizeof(char16_t));
 }
-int systemd_efi_options_variable(char **line) {
+int efi_systemd_options_variable(char **line) {
        const char *e;
        int r;
--- a/src/basic/efivars.h
+++ b/src/basic/efivars.h
@ -28,7 +28,7 @@ int efi_get_variable_string(sd_id128_t vendor, const char *name, char **p);
 int efi_set_variable(sd_id128_t vendor, const char *name, const void *value, size_t size);
 int efi_set_variable_string(sd_id128_t vendor, const char *name, const char *p);
-int systemd_efi_options_variable(char **line);
+int efi_systemd_options_variable(char **line);
 #else
@ -52,7 +52,7 @@ static inline int efi_set_variable_string(sd_id128_t vendor, const char *name, c
        return -EOPNOTSUPP;
 }
-static inline int systemd_efi_options_variable(char **line) {
+static inline int efi_systemd_options_variable(char **line) {
        return -ENODATA;
 }
--- a/src/basic/errno-util.h
+++ b/src/basic/errno-util.h
@ -94,10 +94,3 @@ static inline bool ERRNO_IS_NOT_SUPPORTED(int r) {
                      ENOTTY,
                      ENOSYS);
 }
 /* Two different errors for access problems */
 static inline bool ERRNO_IS_PRIVILEGE(int r) {
        return IN_SET(abs(r),
                      EACCES,
                      EPERM);
 }
--- a/src/basic/proc-cmdline.c
+++ b/src/basic/proc-cmdline.c
@ -119,7 +119,7 @@ int proc_cmdline_parse(proc_cmdline_parse_t parse_item, void *data, ProcCmdlineF
        /* We parse the EFI variable first, because later settings have higher priority. */
-        r = systemd_efi_options_variable(&line);
+        r = efi_systemd_options_variable(&line);
        if (r < 0 && r != -ENODATA)
                log_debug_errno(r, "Failed to get SystemdOptions EFI variable, ignoring: %m");
@ -250,7 +250,7 @@ int proc_cmdline_get_key(const char *key, ProcCmdlineFlags flags, char **ret_val
                return r;
        line = mfree(line);
-        r = systemd_efi_options_variable(&line);
+        r = efi_systemd_options_variable(&line);
        if (r == -ENODATA)
                return false; /* Not found */
        if (r < 0)
--- a/src/boot/bootctl.c
+++ b/src/boot/bootctl.c
@ -1033,7 +1033,7 @@ static int help(int argc, char *argv[], void *userdata) {
                return log_oom();
        printf("%s  [OPTIONS...] COMMAND ...\n"
-               "\n%sInstall/update/remove the systemd-boot EFI boot manager and list/select entries.%s\n"
+               "\n%sInstall, update or remove the systemd-boot EFI boot manager.%s\n"
               "\nBoot Loader Commands:\n"
               "     status            Show status of installed systemd-boot and EFI variables\n"
               "     install           Install systemd-boot to the ESP and EFI variables\n"
@ -1041,7 +1041,7 @@ static int help(int argc, char *argv[], void *userdata) {
               "     remove            Remove systemd-boot from the ESP and EFI variables\n"
               "     is-installed      Test whether systemd-boot is installed in the ESP\n"
               "     random-seed       Initialize random seed in ESP and EFI variables\n"
-               "  systemd-efi-options Query or set system options string in EFI variable\n"
+               "     system-options    Query or set system options string in EFI variable\n"
               "\nBoot Loader Entries Commands:\n"
               "     list              List boot loader entries\n"
               "     set-default ID    Set default boot loader entry\n"
@ -1716,17 +1716,17 @@ static int verb_random_seed(int argc, char *argv[], void *userdata) {
        return 0;
 }
-static int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
+static int verb_system_options(int argc, char *argv[], void *userdata) {
        int r;
        if (argc == 1) {
                _cleanup_free_ char *line = NULL;
-                r = systemd_efi_options_variable(&line);
+                r = efi_systemd_options_variable(&line);
                if (r < 0)
                        return log_error_errno(r, "Failed to query SystemdOptions EFI variable: %m");
-                puts(line);
+                printf("SystemdOptions: %s\n", line);
        } else {
                r = efi_set_variable_string(EFI_VENDOR_SYSTEMD, "SystemdOptions", argv[1]);
@ -1749,7 +1749,7 @@ static int bootctl_main(int argc, char *argv[]) {
                { "set-default",    2,        2,        0,            verb_set_default    },
                { "set-oneshot",    2,        2,        0,            verb_set_default    },
                { "random-seed",    VERB_ANY, 1,        0,            verb_random_seed    },
-                { "systemd-efi-options", VERB_ANY, 2,        0,            verb_systemd_efi_options },
+                { "system-options", VERB_ANY, 2,        0,            verb_system_options },
                {}
        };
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -2459,40 +2459,6 @@ finish:
        return r;
 }
 static bool insist_on_sandboxing(
                const ExecContext *context,
                const char *root_dir,
                const char *root_image,
                const BindMount *bind_mounts,
                size_t n_bind_mounts) {
        size_t i;
        assert(context);
        assert(n_bind_mounts == 0 || bind_mounts);
        /* Checks whether we need to insist on fs namespacing. i.e. whether we have settings configured that
         * would alter the view on the file system beyond making things read-only or invisble, i.e. would
         * rearrange stuff in a way we cannot ignore gracefully. */
        if (context->n_temporary_filesystems > 0)
                return true;
        if (root_dir || root_image)
                return true;
        if (context->dynamic_user)
                return true;
        /* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
         * essential. */
        for (i = 0; i < n_bind_mounts; i++)
                if (!path_equal(bind_mounts[i].source, bind_mounts[i].destination))
                        return true;
        return false;
 }
 static int apply_mount_namespace(
                const Unit *u,
                const ExecCommand *command,
@ -2579,28 +2545,28 @@ static int apply_mount_namespace(
                            DISSECT_IMAGE_DISCARD_ON_LOOP,
                            error_path);
        bind_mount_free_many(bind_mounts, n_bind_mounts);
        /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports
         * that with a special, recognizable error ENOANO. In this case, silently proceed, but only if exclusively
         * sandboxing options were used, i.e. nothing such as RootDirectory= or BindMount= that would result in a
         * completely different execution environment. */
        if (r == -ENOANO) {
-                if (insist_on_sandboxing(
+                if (n_bind_mounts == 0 &&
-                                    context,
+                    context->n_temporary_filesystems == 0 &&
-                                    root_dir, root_image,
+                    !root_dir && !root_image &&
-                                    bind_mounts,
+                    !context->dynamic_user) {
-                                    n_bind_mounts)) {
+                        log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
                        return 0;
                }
                log_unit_debug(u, "Failed to set up namespace, and refusing to continue since the selected namespacing options alter mount environment non-trivially.\n"
                               "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
                               n_bind_mounts, context->n_temporary_filesystems, yes_no(root_dir), yes_no(root_image), yes_no(context->dynamic_user));
-                        r = -EOPNOTSUPP;
+                return -EOPNOTSUPP;
                } else {
                        log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
                        r = 0;
                }
        }
        bind_mount_free_many(bind_mounts, n_bind_mounts);
        return r;
 }
@ -3448,13 +3414,9 @@ static int exec_child(
        if (context->protect_hostname) {
                if (ns_type_supported(NAMESPACE_UTS)) {
                        if (unshare(CLONE_NEWUTS) < 0) {
                                if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
                                *exit_status = EXIT_NAMESPACE;
                                return log_unit_error_errno(unit, errno, "Failed to set up UTS namespacing: %m");
                        }
                                log_unit_warning(unit, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
                        }
                } else
                        log_unit_warning(unit, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
 #if HAVE_SECCOMP
--- a/src/core/path.c
+++ b/src/core/path.c
@ -501,14 +501,18 @@ fail:
 static bool path_check_good(Path *p, bool initial) {
        PathSpec *s;
        bool good = false;
        assert(p);
-        LIST_FOREACH(spec, s, p->specs)
+        LIST_FOREACH(spec, s, p->specs) {
-                if (path_spec_check_good(s, initial))
+                good = path_spec_check_good(s, initial);
                        return true;
-        return false;
+                if (good)
                        break;
        }
        return good;
 }
 static void path_enter_waiting(Path *p, bool initial, bool recheck) {
--- a/src/id128/id128.c
+++ b/src/id128/id128.c
@ -12,7 +12,7 @@
 #include "verbs.h"
 static Id128PrettyPrintMode arg_mode = ID128_PRINT_ID128;
-static sd_id128_t arg_app = {};
+static sd_id128_t arg_app = SD_ID128_NULL;
 static int verb_new(int argc, char **argv, void *userdata) {
        return id128_print_new(arg_mode);
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@ -6343,145 +6343,6 @@ static int switch_root(int argc, char *argv[], void *userdata) {
        return 0;
 }
 static int log_level(int argc, char *argv[], void *userdata) {
        sd_bus *bus;
        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        int r;
        r = acquire_bus(BUS_MANAGER, &bus);
        if (r < 0)
                return r;
        if (argc == 1) {
                _cleanup_free_ char *level = NULL;
                r = sd_bus_get_property_string(
                                bus,
                                "org.freedesktop.systemd1",
                                "/org/freedesktop/systemd1",
                                "org.freedesktop.systemd1.Manager",
                                "LogLevel",
                                &error,
                                &level);
                if (r < 0)
                        return log_error_errno(r, "Failed to get log level: %s", bus_error_message(&error, r));
                puts(level);
        } else {
                assert(argc == 2);
                r = sd_bus_set_property(
                                bus,
                                "org.freedesktop.systemd1",
                                "/org/freedesktop/systemd1",
                                "org.freedesktop.systemd1.Manager",
                                "LogLevel",
                                &error,
                                "s",
                                argv[1]);
                if (r < 0)
                        return log_error_errno(r, "Failed to set log level: %s", bus_error_message(&error, r));
        }
        return 0;
 }
 static int log_target(int argc, char *argv[], void *userdata) {
        sd_bus *bus;
        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        int r;
        r = acquire_bus(BUS_MANAGER, &bus);
        if (r < 0)
                return r;
        if (argc == 1) {
                _cleanup_free_ char *target = NULL;
                r = sd_bus_get_property_string(
                                bus,
                                "org.freedesktop.systemd1",
                                "/org/freedesktop/systemd1",
                                "org.freedesktop.systemd1.Manager",
                                "LogTarget",
                                &error,
                                &target);
                if (r < 0)
                        return log_error_errno(r, "Failed to get log target: %s", bus_error_message(&error, r));
                puts(target);
        } else {
                assert(argc == 2);
                r = sd_bus_set_property(
                                bus,
                                "org.freedesktop.systemd1",
                                "/org/freedesktop/systemd1",
                                "org.freedesktop.systemd1.Manager",
                                "LogTarget",
                                &error,
                                "s",
                                argv[1]);
                if (r < 0)
                        return log_error_errno(r, "Failed to set log target: %s", bus_error_message(&error, r));
        }
        return 0;
 }
 static int service_watchdogs(int argc, char *argv[], void *userdata) {
        sd_bus *bus;
        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        int b, r;
        assert(argv);
        r = acquire_bus(BUS_MANAGER, &bus);
        if (r < 0)
                return r;
        if (argc == 1) {
                /* get ServiceWatchdogs */
                r = sd_bus_get_property_trivial(
                                bus,
                                "org.freedesktop.systemd1",
                                "/org/freedesktop/systemd1",
                                "org.freedesktop.systemd1.Manager",
                                "ServiceWatchdogs",
                                &error,
                                'b',
                                &b);
                if (r < 0)
                        return log_error_errno(r, "Failed to get service-watchdog state: %s", bus_error_message(&error, r));
                printf("%s\n", yes_no(!!b));
        } else {
                /* set ServiceWatchdogs */
                assert(argc == 2);
                b = parse_boolean(argv[1]);
                if (b < 0)
                        return log_error_errno(b, "Failed to parse service-watchdogs argument: %m");
                r = sd_bus_set_property(
                                bus,
                                "org.freedesktop.systemd1",
                                "/org/freedesktop/systemd1",
                                "org.freedesktop.systemd1.Manager",
                                "ServiceWatchdogs",
                                &error,
                                "b",
                                b);
                if (r < 0)
                        return log_error_errno(r, "Failed to set service-watchdog state: %s", bus_error_message(&error, r));
        }
        return 0;
 }
 static int set_environment(int argc, char *argv[], void *userdata) {
        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
@ -7866,7 +7727,7 @@ static int systemctl_help(void) {
               "                                      units\n"
               "  list-dependencies [UNIT]            Recursively show units which are required\n"
               "                                      or wanted by this unit or by which this\n"
-               "                                      unit is required or wanted"
+               "                                      unit is required or wanted\n"
               "\n%3$sUnit File Commands:%4$s\n"
               "  list-unit-files [PATTERN...]        List installed unit files\n"
               "  enable [UNIT...|PATH...]            Enable one or more unit files\n"
@ -7891,7 +7752,7 @@ static int systemctl_help(void) {
               "  get-default                         Get the name of the default target\n"
               "  set-default TARGET                  Set the default target\n"
               "\n%3$sMachine Commands:%4$s\n"
-               "  list-machines [PATTERN...]          List local containers and host\n"
+               "  list-machines [PATTERN...]          List local containers and host\n\n"
               "\n%3$sJob Commands:%4$s\n"
               "  list-jobs [PATTERN...]              List jobs\n"
               "  cancel [JOB...]                     Cancel all, one, or more jobs\n"
@ -7899,13 +7760,10 @@ static int systemctl_help(void) {
               "  show-environment                    Dump environment\n"
               "  set-environment VARIABLE=VALUE...   Set one or more environment variables\n"
               "  unset-environment VARIABLE...       Unset one or more environment variables\n"
-               "  import-environment [VARIABLE...]    Import all or some environment variables\n"
+               "  import-environment [VARIABLE...]    Import all or some environment variables\n\n"
-               "\n%3$sManager State Commands:%4$s\n"
+               "\n%3$sManager Lifecycle Commands:%4$s\n"
               "  daemon-reload                       Reload systemd manager configuration\n"
               "  daemon-reexec                       Reexecute systemd manager\n"
               "  log-level [LEVEL]                   Get/set logging threshold for manager\n"
               "  log-target [TARGET]                 Get/set logging target for manager\n"
               "  service-watchdogs [BOOL]            Get/set service watchdog state\n"
               "\n%3$sSystem Commands:%4$s\n"
               "  is-system-running                   Check whether system is fully running\n"
               "  default                             Enter system default mode\n"
@ -7921,34 +7779,38 @@ static int systemctl_help(void) {
               "  hibernate                           Hibernate the system\n"
               "  hybrid-sleep                        Hibernate and suspend the system\n"
               "  suspend-then-hibernate              Suspend the system, wake after a period of\n"
-               "                                      time, and hibernate"
+               "                                      time and put it into hibernate\n"
               "\n%3$sOptions:%4$s\n"
               "  -h --help           Show this help\n"
               "     --version        Show package version\n"
               "     --system         Connect to system manager\n"
               "     --user           Connect to user service manager\n"
-               "  -H --host=[USER@]HOST  Operate on remote host\n"
+               "  -H --host=[USER@]HOST\n"
-               "  -M --machine=CONTAINER Operate on a local container\n"
+               "                      Operate on remote host\n"
               "  -M --machine=CONTAINER\n"
               "                      Operate on local container\n"
               "  -t --type=TYPE      List units of a particular type\n"
               "     --state=STATE    List units with particular LOAD or SUB or ACTIVE state\n"
               "     --failed         Shorcut for --state=failed\n"
               "  -p --property=NAME  Show only properties by this name\n"
               "  -a --all            Show all properties/all units currently in memory,\n"
-               "                         including dead/empty ones. To list all units installed\n"
+               "                      including dead/empty ones. To list all units installed on\n"
-               "                         on the system, use 'list-unit-files' instead.\n"
+               "                      the system, use the 'list-unit-files' command instead.\n"
               "  -l --full           Don't ellipsize unit names on output\n"
               "  -r --recursive      Show unit list of host and local containers\n"
               "     --reverse        Show reverse dependencies with 'list-dependencies'\n"
               "     --job-mode=MODE  Specify how to deal with already queued jobs, when\n"
               "                      queueing a new job\n"
-               "  -T --show-transaction  When enqueuing a unit job, show full transaction\n"
+               "  -T --show-transaction\n"
               "                      When enqueuing a unit job, show full transaction\n"
               "     --show-types     When showing sockets, explicitly show their type\n"
               "     --value          When showing properties, only print the value\n"
-               "  -i --ignore-inhibitors When shutting down or sleeping, ignore inhibitors\n"
+               "  -i --ignore-inhibitors\n"
-               "     --kill-who=WHO      Whom to send signal to\n"
+               "                      When shutting down or sleeping, ignore inhibitors\n"
               "     --kill-who=WHO   Who to send signal to\n"
               "  -s --signal=SIGNAL  Which signal to send\n"
               "     --what=RESOURCES Which types of resources to remove\n"
-               "     --now               Start or stop unit after enabling or disabling it\n"
+               "     --now            Start or stop unit in addition to enabling or disabling it\n"
               "     --dry-run        Only print what would be done\n"
               "  -q --quiet          Suppress output\n"
               "     --wait           For (re)start, wait until service stopped again\n"
@ -7958,7 +7820,8 @@ static int systemctl_help(void) {
               "     --no-reload      Don't reload daemon after en-/dis-abling unit files\n"
               "     --no-legend      Do not print a legend (column headers and hints)\n"
               "     --no-pager       Do not pipe output into a pager\n"
-               "     --no-ask-password   Do not ask for system passwords\n"
+               "     --no-ask-password\n"
               "                      Do not ask for system passwords\n"
               "     --global         Enable/disable/mask unit files globally\n"
               "     --runtime        Enable/disable/mask unit files temporarily until next\n"
               "                      reboot\n"
@ -9123,9 +8986,6 @@ static int systemctl_main(int argc, char *argv[]) {
                { "help",                  VERB_ANY, VERB_ANY, VERB_ONLINE_ONLY, show                 },
                { "daemon-reload",         VERB_ANY, 1,        VERB_ONLINE_ONLY, daemon_reload        },
                { "daemon-reexec",         VERB_ANY, 1,        VERB_ONLINE_ONLY, daemon_reload        },
                { "log-level",             VERB_ANY, 2,        0,                log_level               },
                { "log-target",            VERB_ANY, 2,        0,                log_target              },
                { "service-watchdogs",     VERB_ANY, 2,        0,                service_watchdogs       },
                { "show-environment",      VERB_ANY, 1,        VERB_ONLINE_ONLY, show_environment     },
                { "set-environment",       2,        VERB_ANY, VERB_ONLINE_ONLY, set_environment      },
                { "unset-environment",     2,        VERB_ANY, VERB_ONLINE_ONLY, set_environment      },
--- a/test/test-execute/exec-readonlypaths-with-bindpaths.service
+++ b/test/test-execute/exec-readonlypaths-with-bindpaths.service
@ -3,6 +3,7 @@ Description=Test for ReadOnlyPaths=
 [Service]
 ReadOnlyPaths=/etc -/i-dont-exist /usr
-BindPaths=/etc:/tmp/etc2
+# From 6c47cd7d3bf35c8158a0737f34fe2c5dc95e72d6, RuntimeDirectory= implies BindPaths=.
 RuntimeDirectory=foo
 ExecStart=/bin/sh -x -c 'test ! -w /etc && test ! -w /usr && test ! -e /i-dont-exist && test -w /var'
 Type=oneshot