Index: libexec/rtld-elf/rtld.1 =================================================================== --- libexec/rtld-elf/rtld.1 +++ libexec/rtld-elf/rtld.1 @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 16, 2017 +.Dd May 20, 2017 .Dt RTLD 1 .Os .Sh NAME @@ -60,10 +60,11 @@ .Pp When resolving dependencies for the loaded objects, .Nm -may be allowed to translate dynamic token strings in rpath and soname -by setting +translates dynamic token strings in rpath and soname. +If the .Fl "z origin" -option of the static linker +option of the static linker was set when linking the binary, +the token expansion is performed at the object load time, see .Xr ld 1 . The following strings are recognized now: .Bl -tag -width ".Pa $PLATFORM" 
@@ -282,6 +283,72 @@ Normally, the filtees are opened at the time of the first symbol resolution from the filter object. .El +.Sh DIRECT EXECUTION MODE +Besides typical implicit use of +.Nm +during program execution, when kernel loads the dynamic linker +as requested by the +.Dv PT_INTERP +program header of executed binary, +.Fx +also supports so called direct execution mode for the dynamic linker. +In this mode, user explicitely executes +.Nm +and provides the path of the program to be linked and executed, as +argument. +The mode allows to use non-standard dynamic linker for a program +activation without changing the binary, and also allows to specify +some execution options. +.Pp +The syntax of the direct invocation is +.Bd -ragged -offset indent +.Pa /libexec/ld-elf.so.1 +.Op Fl f Ar fd +.Op Fl p +.Op Fl - +.Pa image_path +.Op Ar image arguments +.Ed +.Pp +The options are as follows: +.Bl -tag -width indent +.It Fl f Ar fd +File descriptor with index +.Ar fd +must be opened in the process, it references the binary which is +activated by +.Nm . +If this option is specified, +.Ar image_path +is only used to provide +.Va argv[0] +value to the program. +.It Fl p +If the +.Pa image_path +argument specifies relative path, +.Nm +uses search path specified in the environment variable +.Dv PATH +to find the binary to execute. +.It Fl - +Ends the +.Nm +options, next argument is interpreted as the path of binary to execute. +.El +.Pp +To not break some naively restricted execution environments, +in the direct execution mode +.Nm +emulates verification of the binary execute permission +for current user. +The verification only uses Unix +.Dv DACs , +ignores +.Dv ACLs +and is racy by its nature. +The environments which rely on such restrictions are weak +and breakable on its own. .Sh FILES .Bl -tag -width ".Pa /var/run/ld-elf32.so.hints" -compact .It Pa /var/run/ld-elf.so.hints
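Review bot: In the `@@ -60,10 +60,11 @@` hunk, the reworded paragraph no longer says what happens to the tokens when the binary was linked without `-z origin`. The first new sentence states that rtld translates the token strings unconditionally, while the second ties only the load-time expansion to the option, so a reader cannot tell whether tokens in an object linked without it are expanded at some other time or left alone. Suggest adding one sentence that covers that case, and dropping the article in "at the object load time".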
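Review bot: In the new DIRECT EXECUTION MODE section, the closing paragraph on the emulated execute-permission check does not say whether the check is also applied to a binary supplied through `-f fd`, where `image_path` is documented as providing only `argv[0]`. Since the paragraph is addressed to administrators of restricted environments, it should state that explicitly, and "is racy by its nature" should name the race in one clause instead of leaving it implied. The `-p` item should also say how a relative `image_path` that contains a slash is treated, since "specifies relative path" covers both a bare name and a path with directory components. Markup and wording in the same hunk: `.Dv PATH` should be `.Ev PATH` because it is an environment variable; `.Dv DACs ,` and `.Dv ACLs` are not defined constants and read better as plain text; "explicitely" should be "explicitly", "when kernel loads" should be "when the kernel loads", "The mode allows to use" needs an object ("allows the use of"), and "breakable on its own" should be "on their own" to agree with "environments".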