Kernel Hardening - security-misc

madaidan via Whonix Forum:

Restrict the userfaultfd() syscall to root by madaidan · Pull Request #65 · Kicksecure/security-misc · GitHub

Merged.

1 Like

I think it might be better to make hidepid=2 optional now if it’s causing so much breakage.

proc-hidepid.service can be disabled by default and how to enable it can be added to the wiki.

If System-wide sandboxing framework - sandbox-app-launcher is implemented, then hidepid=2 won’t be as important anymore as most applications can be run in a PID namespace (except the ones that break).

2 Likes

Will revert.

Causing error output during boot of Whonix VirtualBox 15.0.0.9.0-developers-only. (Happening during initramfs sysctl.)

vm.unprivileged_userfaultfd is an unknown key

That message is very prominent now that other verbose boot messages are disabled.

sudo sysctl -w vm.unprivileged_userfaultfd=0

sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory

Please fix.

1 Like

That error is harmless and doesn’t do anything. It’s just because our kernel version doesn’t support this feature yet. There’s no point in reverting it.

1 Like

madaidan via Whonix Forum:

That error is harmless and doesn’t do anything. It’s just because our kernel version doesn’t support this feature yet. There’s no point in reverting it.

The only point of reverting then is avoiding user confusion as this is a prominent message during waiting for X to finally draw something.

1 Like

We can just change >/dev/null to &>/dev/null in security-misc/sysctl-initramfs at master · Kicksecure/security-misc · GitHub

1 Like

Then we would miss any errors if this should break.

1 Like

Then we can change it to &>>${rootmnt}/var/log/sysctl-initramfs.log to log any actual errors in case of breakage but hide the unimportant ones from the user.

1 Like

Or maybe:

sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2> >(grep -v "sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory")

So only the unprivileged_userfaultfd error is hidden.

1 Like

Something like this maybe. Though the actual error message to grep for is more similar to:

vm.unprivileged_userfaultfd is an unknown key

I didn’t note the exact one.

Also that snippet is broken. Added something else broken to it. (Just a single X in some sysctl config file.) That error would be hidden too with the current snippet.

Maybe redirect stderr to /var/log/sysctl-initramfs-error.log first, then cat and grep -v? Probably also simpler to read than >(...).

/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs is an sh script and >(...) might be a bash feature. Dunno if bash can be used in initramfs easy/sane[size, dependencies].

1 Like

That is the actual error message.

sysctl -p test

sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory

“test” being a file that contains vm.unprivileged_userfaultfd=0.

That sounds good. cat is unnecessary though. We can just use

grep -v "sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory" /var/log/sysctl-initramfs-error.log

Should the content of /var/log/sysctl-initramfs-error.log be overwritten (>) or just appended to (>>)? I think something like this would be best:

sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log
sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log
grep -v "sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory" /var/log/sysctl-initramfs-error.log

The first sysctl command overwrites it to remove past entries and the second appends to it.

1 Like

Looks different during initramfs in Whonix VirtualBox 15.0.0.9.3-developers-only. Yes, I am sure. I was also surprised the error message is different in the fully booted system.

Maybe it is for now. Could we skip further error messages in future if required?

What’s the standard? I guess it is >>? But I am OK with your suggestion (new after each reboot) too. Otherwise we would have to add logrotate too. A full log over multiple reboots is probably not worth that effort.

1 Like

Should we use grep -v "unprivileged_userfaultfd" then? So the unprivileged_userfaultfd error is caught regardless of what the overall error message is.

Yes, we can just pipe grep into grep.

It’s probably >> but we won’t need old logs for something as small as this. The logs for the current boot only are fine.

1 Like

Yes. That seems the simplest and most robust solution. Good idea. I guess it is very unlikely any other error message would include that exact string unprivileged_userfaultfd and be hidden by mistake.

1 Like

Merged. :slight_smile:

1 Like

security-misc/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs at master · Kicksecure/security-misc · GitHub does not work in Whonix VirtualBox. (Also available from Whonix developers repository.) Shows an error during boot.

/scripts/init-bottom/sysctl-initramfs: line 18: can't create /root/var/log/sysctl-initramfs-error.log: Read-only file system
/scripts/init-bottom/sysctl-initramfs: line 19: can't create /root/var/log/sysctl-initramfs-error.log: Read-only file system
grep: /var/log/sysctl-initramfs-error.log: No such file or directory

Could you fix this please?

1 Like

Thanks! I guess that will work unless some other initramfs hook mounts rw already and expects to keep it rw.

1 Like
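The log-then-filter scheme worked out in the thread (truncate the error log on the first sysctl call, append on later ones, then grep -v the known-harmless unprivileged_userfaultfd line, matched by substring so both wordings are caught), together with the read-only root failure reported in the last posts, as an added example. This is editor-written POSIX sh, not the security-misc sysctl-initramfs script; it assumes procps sysctl and the initramfs $rootmnt variable, and the log lines at the bottom are constructed so the filter can be exercised without sysctl or an initramfs.

```shell
#!/bin/sh
# Added example (editor's code, not security-misc): log sysctl stderr, then
# show only the lines that are not the known-harmless unprivileged_userfaultfd
# message. A writability check covers the read-only-root case from the thread.

# Substring shared by both wordings of the harmless message seen in the thread:
#   "sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: ..."
#   "vm.unprivileged_userfaultfd is an unknown key"
HARMLESS_PATTERN="unprivileged_userfaultfd"

# Apply every sysctl file given as an argument, collecting stderr in $1.
# The log is truncated once (which also proves it is writable), then each run
# appends, matching the ">" then ">>" scheme proposed in the thread.
# Assumes procps sysctl; callers pass "${rootmnt}/var/log/..." in initramfs.
run_sysctl_logged() {
    logfile="$1"; shift
    if ! true >"$logfile" 2>/dev/null; then
        # e.g. ${rootmnt} still mounted read-only at init-bottom time
        echo "sysctl-initramfs: cannot write $logfile" >&2
        return 2
    fi
    for conf in "$@"; do
        sysctl -p "$conf" >/dev/null 2>>"$logfile"
    done
}

# Print every logged line that is not the harmless one.
# Returns 0 when nothing else was logged, 1 when real errors remain,
# 2 when the log itself is missing (the "grep: No such file" case above).
show_real_errors() {
    logfile="$1"
    if [ ! -r "$logfile" ]; then
        echo "sysctl-initramfs: missing log $logfile" >&2
        return 2
    fi
    # grep -v exits 1 when it prints nothing, i.e. the all-clean case,
    # so its status is inverted here.
    if grep -v "$HARMLESS_PATTERN" "$logfile"; then
        return 1
    fi
    return 0
}

# Stand-alone demo over a constructed log (no sysctl involved).
demo_constructed_log() {
    tmp=$(mktemp) || return 2
    # Constructed lines: both harmless wordings plus one real error
    # (a bogus key "X", like the deliberate breakage tried in the thread).
    printf '%s\n' \
        'sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory' \
        'vm.unprivileged_userfaultfd is an unknown key' \
        'sysctl: cannot stat /proc/sys/kernel/X: No such file or directory' \
        >"$tmp"
    show_real_errors "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}

demo_constructed_log   # prints only the kernel/X line and returns 1
```

In an init-bottom hook the two calls would be run_sysctl_logged "${rootmnt}/var/log/sysctl-initramfs-error.log" "${rootmnt}/etc/sysctl.conf" "${rootmnt}"/etc/sysctl.d/*.conf followed by show_real_errors on the same path; passing the full ${rootmnt} path to both avoids the mismatch that produced the "grep: /var/log/...: No such file or directory" line, and the return codes let the hook decide whether anything needs to reach the console.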