From 6aeff32430c6ac8519c213d93d682b3b5d58cb13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?=
Date: Thu, 26 Feb 2026 15:51:28 +0100
Subject: [PATCH 1/4] shielding: List all slices consistently
---
 xml/slert_systemd_shielding.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/xml/slert_systemd_shielding.xml b/xml/slert_systemd_shielding.xml
index f8d8676..9ec7c9f 100644
--- a/xml/slert_systemd_shielding.xml
+++ b/xml/slert_systemd_shielding.xml
@@ -49,6 +49,14 @@ AllowedCPUs=0-1
 &prompt.root;cat /etc/systemd/system/system.slice.d/40-shielding.conf
 [Slice]
 AllowedCPUs=0-1
+
+ &prompt.root;cat /etc/systemd/system/user.slice.d/40-shielding.conf
+[Slice]
+AllowedCPUs=0-1
+
+ &prompt.root;cat /etc/systemd/system/machine.slice.d/40-shielding.conf
+[Slice]
+AllowedCPUs=0-1
@@ -67,6 +75,8 @@ AllowedCPUs=2-15
 &prompt.root;systemctl set-property --runtime workload.slice AllowedCPUs=4-15
 &prompt.root;systemctl set-property --runtime init.scope AllowedCPUs=0-3
 &prompt.root;systemctl set-property --runtime system.slice AllowedCPUs=0-3
+&prompt.root;systemctl set-property --runtime user.slice AllowedCPUs=0-3
+&prompt.root;systemctl set-property --runtime machine.slice AllowedCPUs=0-3
From 9d7875e43851a3f815ef849c39ff738815292e6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?=
Date: Thu, 26 Feb 2026 15:53:46 +0100
Subject: [PATCH 2/4] shielding: Use same bitmasks for static and dynamic config for simplicity
---
 xml/slert_systemd_shielding.xml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/xml/slert_systemd_shielding.xml b/xml/slert_systemd_shielding.xml
index 9ec7c9f..6669183 100644
--- a/xml/slert_systemd_shielding.xml
+++ b/xml/slert_systemd_shielding.xml
@@ -70,13 +70,15 @@ AllowedCPUs=0-1
 AllowedCPUs=2-15
- The setup can also be changed at runtime (for debugging reasons):
-&prompt.root;systemctl set-property --runtime workload.slice AllowedCPUs=4-15
-&prompt.root;systemctl set-property --runtime init.scope AllowedCPUs=0-3
-&prompt.root;systemctl set-property --runtime system.slice AllowedCPUs=0-3
-&prompt.root;systemctl set-property --runtime user.slice AllowedCPUs=0-3
-&prompt.root;systemctl set-property --runtime machine.slice AllowedCPUs=0-3
+
+ The setup can also be changed dynamically until next reboot (for debugging reasons):
+
+&prompt.root;systemctl set-property --runtime workload.slice AllowedCPUs=2-15
+&prompt.root;systemctl set-property --runtime init.scope AllowedCPUs=0-1
+&prompt.root;systemctl set-property --runtime system.slice AllowedCPUs=0-1
+&prompt.root;systemctl set-property --runtime user.slice AllowedCPUs=0-1
+&prompt.root;systemctl set-property --runtime machine.slice AllowedCPUs=0-1
From 20ffcbb0a154bdddd0d08cf9e1d0fc6cbf687ea1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?=
Date: Thu, 26 Feb 2026 15:59:19 +0100
Subject: [PATCH 3/4] shielding: Do not forget daemon-reload
---
 xml/slert_systemd_shielding.xml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/xml/slert_systemd_shielding.xml b/xml/slert_systemd_shielding.xml
index 6669183..7e7f1c9 100644
--- a/xml/slert_systemd_shielding.xml
+++ b/xml/slert_systemd_shielding.xml
@@ -70,7 +70,10 @@ AllowedCPUs=0-1
 AllowedCPUs=2-15
+ and apply the new config files to systemd:
+&prompt.root;systemctl daemon-reload
+
 The setup can also be changed dynamically until next reboot (for debugging reasons):
From aef665c817216de5e8393b9283f81ef21df1a1fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?=
Date: Thu, 26 Feb 2026 15:59:32 +0100
Subject: [PATCH 4/4] shielding: Mention unprivileged execution
---
 xml/slert_systemd_shielding.xml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/xml/slert_systemd_shielding.xml b/xml/slert_systemd_shielding.xml
index 7e7f1c9..b073ece 100644
--- a/xml/slert_systemd_shielding.xml
+++ b/xml/slert_systemd_shielding.xml
@@ -99,7 +99,11 @@ Slice=workload.slice
 Should not the sensitive job have a form of a service but an ad-hoc command, you may start it in a systemd scope:
-&prompt.root;systemd-run --scope -p Slice=workload.slice command arg1 ...
+&prompt.root;systemd-run --scope --uid=<UID> -p Slice=workload.slice command arg1 ...
+
+ starting such a scope is privileged operation but you can pass the --uid
+ argument to run the workload as given user.
+
 Existing processes cannot be moved under the shield since that would involve process migration between cgroups which would cause distortion of the accounting state. But sensitive workload should start with their resources secured in advance anyway.