diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index e4d9c0ef1b..67182f17dc 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -821,49 +821,37 @@
Controls which capabilities to include in the capability bounding set for the executed
process. See capabilities7 for
- details. Takes a whitespace-separated list of capability names as read by cap_from_name3,
- e.g. CAP_SYS_ADMIN, CAP_DAC_OVERRIDE,
- CAP_SYS_PTRACE. Capabilities listed will be included in the bounding set, all others are
- removed. If the list of capabilities is prefixed with ~, all but the listed capabilities
- will be included, the effect of the assignment inverted. Note that this option also affects the respective
- capabilities in the effective, permitted and inheritable capability sets. If this option is not used, the
- capability bounding set is not modified on process execution, hence no limits on the capabilities of the
- process are enforced. This option may appear more than once, in which case the bounding sets are merged. If the
- empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior
- settings have no effect. If set to ~ (without any further argument), the bounding set is
- reset to the full set of available capabilities, also undoing any previous settings. This does not affect
- commands prefixed with +.
+ details. Takes a whitespace-separated list of capability names, e.g. CAP_SYS_ADMIN,
+ CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Capabilities listed will be
+ included in the bounding set, all others are removed. If the list of capabilities is prefixed with
+ ~, all but the listed capabilities will be included, the effect of the assignment
+ inverted. Note that this option also affects the respective capabilities in the effective, permitted and
+ inheritable capability sets. If this option is not used, the capability bounding set is not modified on process
+ execution, hence no limits on the capabilities of the process are enforced. This option may appear more than
+ once, in which case the bounding sets are merged. If the empty string is assigned to this option, the bounding
+ set is reset to the empty capability set, and all prior settings have no effect. If set to
+ ~ (without any further argument), the bounding set is reset to the full set of available
+ capabilities, also undoing any previous settings. This does not affect commands prefixed with
+ +.
AmbientCapabilities=
- Controls which capabilities to include in the
- ambient capability set for the executed process. Takes a
- whitespace-separated list of capability names as read by
- cap_from_name3,
- e.g. CAP_SYS_ADMIN,
- CAP_DAC_OVERRIDE,
- CAP_SYS_PTRACE. This option may appear more than
- once in which case the ambient capability sets are merged.
- If the list of capabilities is prefixed with ~, all
- but the listed capabilities will be included, the effect of the
- assignment inverted. If the empty string is
- assigned to this option, the ambient capability set is reset to
- the empty capability set, and all prior settings have no effect.
- If set to ~ (without any further argument), the
- ambient capability set is reset to the full set of available
- capabilities, also undoing any previous settings. Note that adding
- capabilities to ambient capability set adds them to the process's
- inherited capability set.
-
- Ambient capability sets are useful if you want to execute a process
- as a non-privileged user but still want to give it some capabilities.
- Note that in this case option keep-caps is
- automatically added to SecureBits= to retain the
- capabilities over the user change. AmbientCapabilities= does not affect
- commands prefixed with +.
+ Controls which capabilities to include in the ambient capability set for the executed
+ process. Takes a whitespace-separated list of capability names, e.g. CAP_SYS_ADMIN,
+ CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. This option may appear more than
+ once in which case the ambient capability sets are merged. If the list of capabilities is prefixed with
+ ~, all but the listed capabilities will be included, the effect of the assignment
+ inverted. If the empty string is assigned to this option, the ambient capability set is reset to the empty
+ capability set, and all prior settings have no effect. If set to ~ (without any further
+ argument), the ambient capability set is reset to the full set of available capabilities, also undoing any
+ previous settings. Note that adding capabilities to ambient capability set adds them to the process's inherited
+ capability set. Ambient capability sets are useful if you want to execute a process as a
+ non-privileged user but still want to give it some capabilities. Note that in this case option
+ keep-caps is automatically added to SecureBits= to retain the
+ capabilities over the user change. AmbientCapabilities= does not affect commands prefixed
+ with +.
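Review bot: Both rewritten descriptions (CapabilityBoundingSet= and AmbientCapabilities=) drop the "as read by cap_from_name3" reference, so the page no longer says where the accepted capability names are defined. If the removal is intentional, the AmbientCapabilities= text should at least point at capabilities7 for the name list, as the CapabilityBoundingSet= text does. Also in the AmbientCapabilities= text, "adds them to the process's inherited capability set" should read "inheritable capability set", matching "effective, permitted and inheritable capability sets" in the CapabilityBoundingSet= text, and "to ambient capability set" is missing "the". Finally, the rewrite folds the former second paragraph ("Ambient capability sets are useful if ...") into the first; consider keeping the paragraph break, since it separates the assignment syntax from the usage note about keep-caps and SecureBits=.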