Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 924621

Summary: sys-auth/polkit: pkexec freezes graphical environment when /proc is mounted with hidepid != 0
Product: Gentoo Linux Reporter: Thibaud CANALE <thican>
Component: Current packagesAssignee: Freedesktop bugs <freedesktop-bugs>
Status: UNCONFIRMED ---    
Severity: normal CC: thican
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/polkit-org/polkit/issues/80
https://github.com/polkit-org/polkit/issues/121
https://github.com/polkit-org/polkit/issues/426
Whiteboard:
Package list:
Runtime testing required: ---

Description Thibaud CANALE 2024-02-15 08:32:54 UTC 
I discovered using pkexec outside a terminal will freezes most (if not all) graphical processes, as shown by `htop` with the "T" state which means `traced or suspended (e.g by SIGTSTP)`, when `/proc` is mounted with `hidepid=2`; also possibly with `hidepid=1` but I didn’t test it myself.

It happened when I used OBS Studio to create a virtual webcam, which tries to load kernel module v4l2loopback through `pkexec` call.

In normal context, with MATE desktop environment, a window will pop asking for root password.

However when hidepid is enable, `/usr/libexec/polkit-mate-authentication-agent-1` will issue a warning, such as:
```
(polkit-mate-authentication-agent-1:16427): polkit-mate-1-WARNING **: Unable to determine the session we are in: No session for pid 16427
```
(see https://gitlab.freedesktop.org/polkit/polkit/-/issues/79 and https://gitlab.freedesktop.org/polkit/polkit/-/issues/120)

To reproduce:
- set `hidepid=2` (or =1) option for /proc (mount -o remount,hidepid=2 /proc);
- connect to your graphical environment (startx, graphical display manager),
- call pkexec outside a terminal, such as using the key combination Alt+F2 to run an application, example: `pkexec modprobe v4l2loopback video_nr=10,11 card_label="Dummy video device","Second video device"`;
- the graphical system should freeze, use Ctrl+Alt+F1 to switch to tty1, connect and see the processes are in suspended state.

My objective is to set a working environment with "modern" privileges workflow while keeping the `hidepid=2` feature of /proc to ensure privacy and security.
Comment 1 Mike Gilbert gentoo-dev 2024-02-18 17:55:39 UTC 
Please work with upstream.
Comment 2 Thibaud CANALE 2024-02-21 15:04:20 UTC 
Reported to upstream as recommended:
https://github.com/polkit-org/polkit/issues/426

At least I think it was also necessary to report here because hidepid != 0 might be a supported option for mounting /proc, I actually don’t know.

Too bad this report is already closed as usually this becomes less visible for people when looking or even for the hardening team; but it’s okay, let’s keep it closed then.
Comment 3 Mike Gilbert gentoo-dev 2024-02-21 16:26:37 UTC 
Fair enough, we can keep it open for visibility. Just don't expect us to fix this without some action upstream.