Re: [SECURITY] [DLA 1232-1] linux security update - hidepid not working in Wheezy (regression)



Hello everyone,

I am facing multiple reproducible issues after updating to 3.2.0-5-amd64 when using the option hidepid=2 for mounting /proc. These issues did not exist with 3.2.0-4-amd64, and they are solved by removing hidepid=2 from fstab and rebooting.

When I am trying to start Firefox or Thunderbird (as user, not root) they print these lines:

Sandbox: unexpected multithreading found; this prevents using namespace sandboxing.
too much recursion
ExceptionHandler::GenerateDump cloned child 5188
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
ExceptionHandler::SendContinueSignalToChild sent continue signal to child

Top shows this (as user, not root) and does not start either:

Error, do this: mount -t proc proc /proc

Htop shows an empty list of processes.

When trying to remount /proc with "mount -t proc proc /proc" bash replies "memory access error".
The same happens with "sudo su -".
My only chance therefore was to reboot into the old kernel, remove hidepid and start the new kernel again.

When using hidepid=1 strangely it becomes worse. Then gdm3 does not even start (it just loads forever).

Of course KPTI is much more important than hidepid. But on a server this behaviour, without a warning, might cause a headache.

In Stretch hidepid=2 works without any issues.

Best regards,
Stefan Benter


PS: Thanks a lot for your effort! I really did not expect you to be so fast in backporting KPTI.
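As an added example (not part of the original mail or of Debian's kernel packaging), the following POSIX shell snippet reports which hidepid value is configured for /proc, both in /etc/fstab and in the live mount table, so an administrator can see at a glance whether a host is in the configuration the report above describes before rebooting into a new kernel. The sample mount-table text is constructed for the example; the function names and the chroot mount point are assumptions, not anything from the original message.

```shell
#!/bin/sh
# Added example: extract the hidepid= option of a procfs mount from text in
# /proc/self/mounts or /etc/fstab format (dev mountpoint fstype options dump pass).

# Constructed sample in /proc/self/mounts format (not real system output).
# The second proc line imitates a chroot's /proc mounted without hidepid.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /srv/chroot/proc proc rw,relatime 0 0'

# hidepid_value MOUNT_TEXT MOUNTPOINT
# Prints the value of hidepid= for the procfs entry mounted at MOUNTPOINT,
# "0" when the entry exists but carries no hidepid option (kernel default),
# and nothing at all when MOUNTPOINT is not a proc entry in MOUNT_TEXT.
# Comment lines in fstab never match because their second field is not a path.
hidepid_value() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 == "proc" {
            n = split($4, opts, ",")
            val = "0"
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[i]); val = opts[i] }
            print val
            exit
        }'
}

# hidepid_active: returns 0 when the running kernel hides other users
# processes from this (unprivileged) shell, i.e. /proc/1 is not visible.
# Only meaningful when run as a non-root user.
hidepid_active() {
    [ ! -d /proc/1 ]
}

# report_live: show the configured and the effective hidepid on this host.
report_live() {
    fstab_val=$(hidepid_value "$(cat /etc/fstab 2>/dev/null)" /proc)
    live_val=$(hidepid_value "$(cat /proc/self/mounts 2>/dev/null)" /proc)
    printf 'kernel:          %s\n' "$(uname -r)"
    printf 'fstab hidepid:   %s\n' "${fstab_val:-<no /proc entry>}"
    printf 'mounted hidepid: %s\n' "${live_val:-<no /proc entry>}"
    if hidepid_active; then
        echo 'effect:          other users processes are hidden from this shell'
    else
        echo 'effect:          /proc/1 is visible (root, or hidepid not in effect)'
    fi
}

# Uncomment to run against the local system:
# report_live
```

Run it as an ordinary user rather than root: hidepid never hides anything from root, so the "effect" line is only informative when the caller is unprivileged. Comparing the fstab value with the mounted value also catches the common case where fstab was edited but /proc was never remounted.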

