@@ -258,6 +258,7 @@ func TestCreateWithCustomMaskedPaths(t *testing.T) {

 	apiClient := testEnv.APIClient()

 	testCases := []struct {

+		privileged  bool

 		maskedPaths []string

 		expected    []string

 	}{

@@ -273,6 +274,11 @@ func TestCreateWithCustomMaskedPaths(t *testing.T) {

 			maskedPaths: []string{"/proc/kcore", "/proc/keys"},

 			expected:    []string{"/proc/kcore", "/proc/keys"},

 		},

+		{

+			privileged:  true,

+			maskedPaths: nil,

+			expected:    nil,

+		},

 	}

 	checkInspect := func(t *testing.T, ctx context.Context, name string, expected []string) {

@@ -286,15 +292,20 @@ func TestCreateWithCustomMaskedPaths(t *testing.T) {

 		cfg, ok := inspectJSON["HostConfig"].(map[string]interface{})

 		assert.Check(t, is.Equal(true, ok), name)

-		maskedPaths, ok := cfg["MaskedPaths"].([]interface{})

-		assert.Check(t, is.Equal(true, ok), name)

+		if expected != nil {

+			maskedPaths, ok := cfg["MaskedPaths"].([]interface{})

+			assert.Check(t, is.Equal(true, ok), name)

-		mps := make([]string, 0, len(maskedPaths))

-		for _, mp := range maskedPaths {

-			mps = append(mps, mp.(string))

-		}

+			mps := make([]string, 0, len(maskedPaths))

+			for _, mp := range maskedPaths {

+				mps = append(mps, mp.(string))

+			}

-		assert.DeepEqual(t, expected, mps)

+			assert.DeepEqual(t, expected, mps)

+		} else {

+			_, ok := cfg["MaskedPaths"].([]interface{})

+			assert.Check(t, is.Equal(false, ok), name)

+		}

 	}

 	// TODO: This should be using subtests

@@ -305,7 +316,9 @@ func TestCreateWithCustomMaskedPaths(t *testing.T) {

 			Image: "busybox",

 			Cmd:   []string{"true"},

 		}

-		hc := container.HostConfig{}

+		hc := container.HostConfig{

+			Privileged: tc.privileged,

+		}

 		if tc.maskedPaths != nil {

 			hc.MaskedPaths = tc.maskedPaths

 		}

@@ -2,6 +2,7 @@ package platform

 import (

 	"context"

+	"runtime"

 	"sync"

 	"github.com/containerd/log"

@@ -29,3 +30,22 @@ func Architecture() string {

 	})

 	return arch

 }

+

+// PossibleCPU returns the set of possible CPUs on the host (which is equal or

+// larger to the number of CPUs currently online). The returned set may be a

+// single CPU number ({0}), or a continuous range of CPU numbers ({0,1,2,3}), or

+// a non-continuous range of CPU numbers ({0,1,2,3,12,13,14,15}).

+func PossibleCPU() []int {

+	if ncpu := possibleCPUs(); ncpu != nil {

+		return ncpu

+	}

+

+	// Fallback in case possibleCPUs() fails.

+	var cpus []int

+	ncpu := runtime.NumCPU()

+	for i := 0; i <= ncpu; i++ {

+		cpus = append(cpus, i)

+	}

+

+	return cpus

+}

new file mode 100644

@@ -0,0 +1,55 @@

+package platform

+

+import (

+	"os"

+	"strconv"

+	"strings"

+	"sync"

+)

+

+// possibleCPUs returns the set of possible CPUs on the host (which is

+// equal or larger to the number of CPUs currently online). The returned

+// set may be a single number ({0}), or a continuous range ({0,1,2,3}), or

+// a non-continuous range ({0,1,2,3,12,13,14,15})

+//

+// Returns nil on errors. Assume CPUs are 0 -> runtime.NumCPU() in that case.

+var possibleCPUs = sync.OnceValue(func() []int {

+	data, err := os.ReadFile("/sys/devices/system/cpu/possible")

+	if err != nil {

+		return nil

+	}

+	content := strings.TrimSpace(string(data))

+	return parsePossibleCPUs(content)

+})

+

+func parsePossibleCPUs(content string) []int {

+	ranges := strings.Split(content, ",")

+

+	var cpus []int

+	for _, r := range ranges {

+		// Each entry is either a single number (e.g., "0") or a continuous range

+		// (e.g., "0-3").

+		if rStart, rEnd, ok := strings.Cut(r, "-"); !ok {

+			cpu, err := strconv.Atoi(rStart)

+			if err != nil {

+				return nil

+			}

+			cpus = append(cpus, cpu)

+		} else {

+			var start, end int

+			start, err := strconv.Atoi(rStart)

+			if err != nil {

+				return nil

+			}

+			end, err = strconv.Atoi(rEnd)

+			if err != nil {

+				return nil

+			}

+			for i := start; i <= end; i++ {

+				cpus = append(cpus, i)

+			}

+		}

+	}

+

+	return cpus

+}

new file mode 100644

@@ -0,0 +1,54 @@

+package platform

+

+import (

+	"testing"

+

+	"gotest.tools/v3/assert"

+	is "gotest.tools/v3/assert/cmp"

+)

+

+func TestParsePossibleCPUs(t *testing.T) {

+	tests := []struct {

+		name     string

+		input    string

+		expected []int

+	}{

+		{

+			name:     "Continuous Range",

+			input:    "0-3",

+			expected: []int{0, 1, 2, 3},

+		},

+		{

+			name:     "Non-Continuous Range",

+			input:    "0-2,4,6-7",

+			expected: []int{0, 1, 2, 4, 6, 7},

+		},

+		{

+			name:     "Single CPU",

+			input:    "5",

+			expected: []int{5},

+		},

+		{

+			name:     "Empty Input",

+			input:    "",

+			expected: nil,

+		},

+		{

+			name:     "Invalid Range",

+			input:    "0-2,invalid",

+			expected: nil,

+		},

+		{

+			name:     "Malformed Range",

+			input:    "0-2-3",

+			expected: nil,

+		},

+	}

+

+	for _, test := range tests {

+		t.Run(test.name, func(t *testing.T) {

+			result := parsePossibleCPUs(test.input)

+			assert.Assert(t, is.DeepEqual(result, test.expected), "Expected %v but got %v", test.expected, result)

+		})

+	}

+}

@@ -69,3 +69,8 @@ func NumProcs() uint32 {

 	_, _, _ = syscall.SyscallN(procGetSystemInfo.Addr(), uintptr(unsafe.Pointer(&sysinfo)))

 	return sysinfo.dwNumberOfProcessors

 }

+

+func possibleCPUs() []int {

+	// not implemented

+	return nil

+}

@@ -1,8 +1,12 @@

 package oci // import "github.com/docker/docker/oci"

 import (

+	"fmt"

+	"os"

 	"runtime"

+	"sync"

+	"github.com/docker/docker/internal/platform"

 	"github.com/docker/docker/oci/caps"

 	"github.com/opencontainers/runtime-spec/specs-go"

 )

@@ -102,19 +106,7 @@ func DefaultLinuxSpec() specs.Spec {

 			},

 		},

 		Linux: &specs.Linux{

-			MaskedPaths: []string{

-				"/proc/asound",

-				"/proc/acpi",

-				"/proc/kcore",

-				"/proc/keys",

-				"/proc/latency_stats",

-				"/proc/timer_list",

-				"/proc/timer_stats",

-				"/proc/sched_debug",

-				"/proc/scsi",

-				"/sys/firmware",

-				"/sys/devices/virtual/powercap",

-			},

+			MaskedPaths: defaultLinuxMaskedPaths(),

 			ReadonlyPaths: []string{

 				"/proc/bus",

 				"/proc/fs",

@@ -194,3 +186,33 @@ func DefaultLinuxSpec() specs.Spec {

 		},

 	}

 }

+

+// defaultLinuxMaskedPaths returns the default list of paths to mask in a Linux

+// container. The paths won't change while the docker daemon is running, so just

+// compute them once.

+var defaultLinuxMaskedPaths = sync.OnceValue(func() []string {

+	maskedPaths := []string{

+		"/proc/asound",

+		"/proc/acpi",

+		"/proc/interrupts", // https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm

+		"/proc/kcore",

+		"/proc/keys",

+		"/proc/latency_stats",

+		"/proc/timer_list",

+		"/proc/timer_stats",

+		"/proc/sched_debug",

+		"/proc/scsi",

+		"/sys/firmware",

+		"/sys/devices/virtual/powercap", // https://github.com/moby/moby/security/advisories/GHSA-jq35-85cj-fj4p

+	}

+

+	// https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm

+	cpus := platform.PossibleCPU()

+	for _, cpu := range cpus {

+		path := fmt.Sprintf("/sys/devices/system/cpu/cpu%d/thermal_throttle", cpu)

+		if _, err := os.Stat(path); err == nil {

+			maskedPaths = append(maskedPaths, path)

+		}

+	}

+	return maskedPaths

+})