Date: Fri, 5 Dec 2025 00:58:32 +0000
In-Reply-To: <20251205005841.3942668-1-avagin@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References:
 <20251205005841.3942668-1-avagin@google.com>
Message-ID: <20251205005841.3942668-5-avagin@google.com>
Subject: [PATCH 3/3] Documentation: cgroup-v2: Document misc.mask interface
From: Andrei Vagin
To: Kees Cook
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, cgroups@vger.kernel.org, criu@lists.linux.dev, Tejun Heo, Johannes Weiner, Michal Koutný, Vipin Sharma, Jonathan Corbet, Andrei Vagin

Updates the cgroup-v2 documentation to include details about the newly introduced 'misc.mask' interface. This interface, part of the 'misc' cgroup controller, allows masking out hardware capabilities (AT_HWCAP, AT_HWCAP2, AT_HWCAP3, AT_HWCAP4) reported to user-space processes within a cgroup.

Signed-off-by: Andrei Vagin
--- Documentation/admin-guide/cgroup-v2.rst | 25 +++++++++++++++++++++++++ Documentation/arch/arm64/elf_hwcaps.rst | 21 +++++++++++++++++++++ 2 files changed, 46 insertions(+) diff --git a/Documentation/admin-guide/cgroup-v2.rst b/Documentation/admin-= guide/cgroup-v2.rst index 4c072e85acdf..9d9d923e0d4e 100644 --- a/Documentation/admin-guide/cgroup-v2.rst +++ b/Documentation/admin-guide/cgroup-v2.rst 
@@ -2924,6 +2924,31 @@ Miscellaneous controller provides 3 interface files.= If two misc resources (res_ cgroup i.e. not hierarchical. The file modified event generated on this file reflects only the local events. =20 +Miscellaneous controller provides one interface file to control masks. + + misc.mask + A read-write flat-keyed file shown in all cgroups. It allows + setting/reading the masks. The file format is a series of lines, each + describing a mask of a specific mask type. + + The file has the following format for each line:: + + $NAME\t$LOCAL_MASK\t$EFFECTIVE_MASK + + Where $NAME is the mask type name, $LOCAL_MASK is the mask for the + current cgroup, and $EFFECTIVE_MASK is the effective mask for the + current cgroup, which is a combination of the masks from the current + cgroup and all its ancestors. + + To set a mask, write a string in the following format to the file:: + + $NAME $MASK + + For example, to set a mask for the mask_a type, you would write the + following to the file:: + + # echo "mask_a 0x3000" > misc.mask + Migration and Ownership ~~~~~~~~~~~~~~~~~~~~~~~ =20 diff --git a/Documentation/arch/arm64/elf_hwcaps.rst b/Documentation/arch/a= rm64/elf_hwcaps.rst index a15df4956849..5526daff5d30 100644 --- a/Documentation/arch/arm64/elf_hwcaps.rst +++ b/Documentation/arch/arm64/elf_hwcaps.rst 
@@ -450,3 +450,24 @@ HWCAP3_LSFE =20 For interoperation with userspace, the kernel guarantees that bits 62 and 63 of AT_HWCAP will always be returned as 0. + +5. Masking hwcaps for a group of processes +-------------------------------- + +The misc cgroup controller provides a mechanism to mask hwcaps for a speci= fic +workload. This can be useful for limiting the features available to a +containerized application. + +To mask hwcaps, you can write a mask to the ``misc.mask`` file in the cgro= up +directory. The mask is specified per AT_HWCAP entry (AT_HWCAP, AT_HWCAP2, +AT_HWCAP3) in the format `` ``. + +For example, to mask ``HWCAP_FP`` and ``HWCAP_ASIMD`` (which are represent= ed by +bits 0 and 1 of AT_HWCAP, so a mask of 0x3) for a workload, you would writ= e the +mask for AT_HWCAP to the ``misc.mask`` file in the new cgroup directory:: + + # echo "AT_HWCAP 0x3" > /sys/fs/cgroup/misc/my-workload/misc.mask + +Any new processes started in this cgroup will have the specified hwcaps +masked. You can verify this by reading the ``misc.mask`` file, which will +show the effective mask for the cgroup. --=20 2.52.0.223.gf5cc29aaa4-goog
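
Review bot: In the cgroup-v2.rst hunk, the misc.mask text says $EFFECTIVE_MASK "is a combination of the masks from the current cgroup and all its ancestors" without naming the operator or saying what a set bit means (hidden or allowed). For delegated subtrees this is the part an administrator needs: state how the masks combine (for example, a bitwise OR of the local mask with every ancestor's) and say explicitly whether a descendant can clear a bit that an ancestor set. The example writes a "mask_a" type while the arm64 section writes "AT_HWCAP", so list the valid $NAME values here, and note that a read returns three tab-separated fields while a write takes "$NAME $MASK" separated by a space. "Shown in all cgroups" should also say whether that includes the root cgroup.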
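
Review bot: In the elf_hwcaps.rst hunk, "limiting the features available to a containerized application" reads as enforcement, while the commit message describes masking what is "reported to user-space processes". Say plainly that the mask changes the AT_HWCAP* values a process sees, and whether anything stops the masked instructions from being executed, so that readers do not treat this as a security boundary. The entry list here stops at AT_HWCAP3 although the commit message includes AT_HWCAP4. The example path /sys/fs/cgroup/misc/my-workload/misc.mask looks like a per-controller mount rather than the unified hierarchy that cgroup-v2.rst describes. "Any new processes started in this cgroup" should also say what happens to tasks that are already running or are migrated in, and the verification step would be stronger if it checked the auxv of a process inside the cgroup rather than only re-reading misc.mask. The heading underline appears shorter than the title "5. Masking hwcaps for a group of processes", which the docs build warns about.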