ld.so.8: Make notes on secure-execute mode more prominent

Place each note on secure-execution mode in a separate
paragraph, to make it more obvious.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man8/ld.so.8

@@ -268,6 +268,7 @@ The items in the list are separated by either colons or semicolons.
 Similar to the
 .B PATH
 environment variable.
+
 This variable is ignored in secure-execution mode.
 
 Within the pathnames specified in
@@ -342,6 +343,7 @@ to be loaded before all others in a separate linker namespace
 (i.e., one that does not intrude upon the normal symbol bindings that
 would occur in the process).
 These objects can be used to audit the operation of the dynamic linker.
+
 .B LD_AUDIT
 is ignored in secure-execution mode.
 
@@ -447,6 +449,7 @@ File in which
 .B LD_DEBUG
 output should be written.
 The default is standard error.
+
 .B LD_DEBUG_OUTPUT
 is ignored in secure-execution mode.
 .TP
@@ -460,6 +463,7 @@ allow weak symbols to be overridden (reverting to old glibc behavior).
 .\"     From: Ulrich Drepper <drepper at redhat dot com>
 .\"     Date: 07 Jun 2000 20:08:12 -0700
 .\"     Reply-To: drepper at cygnus dot com (Ulrich Drepper)
+
 Since glibc 2.3.4,
 .B LD_DYNAMIC_WEAK
 is ignored in secure-execution mode.
@@ -469,11 +473,12 @@ Mask for hardware capabilities.
 .TP
 .BR LD_ORIGIN_PATH " (since glibc 2.1)"
 Path where the binary is found.
+.\" Used only if $ORIGIN can't be determined by normal means
+.\" (from the origin path saved at load time, or from /proc/self/exe)?
+
 Since glibc 2.4,
 .B LD_ORIGIN_PATH
 is ignored in secure-execution mode.
-.\" Used only if $ORIGIN can't be determined by normal means
-.\" (from the origin path saved at load time, or from /proc/self/exe)?
 .TP
 .BR LD_POINTER_GUARD " (glibc from 2.4 to 2.22)"
 Set to 0 to disable pointer guarding.
@@ -504,6 +509,7 @@ output should be written.
 If this variable is not defined, or is defined as an empty string,
 then the default is
 .IR /var/tmp .
+
 .B LD_PROFILE_OUTPUT
 is ignored in secure-execution mode; instead
 .IR /var/profile
@@ -513,6 +519,7 @@ is always used.
 If this environment variable is defined (with any value),
 show the auxiliary array passed up from the kernel (see also
 .BR getauxval (3)).
+
 Since glibc 2.3.5,
 .B LD_SHOW_AUXV
 is ignored in secure-execution mode.
@@ -545,6 +552,7 @@ If
 .B LD_USE_LOAD_BIAS
 is defined with the value 0,
 neither executables nor PIEs will honor the base addresses.
+
 This variable is ignored in secure-execution mode.
 .TP
 .BR LD_VERBOSE " (since glibc 2.1)"
@@ -568,6 +576,7 @@ will first try to map executable pages using the
 .BR MAP_32BIT
 flag, and fall back to mapping without that flag if that attempt fails.
 NB: MAP_32BIT will map to the low 2GB (not 4GB) of the address space.
+
 Because
 .B MAP_32BIT
 reduces the address range available for address space layout