In this case you can just read the previous paper, which explains the caveat that PIE daemons utilizing ASLR must be so-called fork-only services--i.e. forked from a supervisor process. If they're not fork-only then you can't leak the address space layout.
Presumably (hopefully) some other common, multi-process network daemons have been refactored to exec child processes. As explained in the paper, nginx, which utilizes an M:N process model, was susceptible. Anybody know if nginx was refactored to fork+exec its worker processes rather than just fork? (EDIT: AFAICT via a cursory examination of ngx_master_process_cycle, ngx_start_worker_processes, and related the answer is, "no".)
The suggested countermeasure is to re-exec child processes so their address space is re-randomized. OpenSSH began doing this by default 10 years before the above paper: https://github.com/openbsd/src/commit/5541d005bde289515d9734...
EDIT: See also https://lwn.net/Articles/849531/
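The difference between fork-only and fork+exec children discussed above, as an added example that is not part of the original comment: it compares the layout a child observes after `fork()` alone with the layout after `fork()` plus re-exec of the same binary. It assumes Linux with ASLR enabled and GCC or Clang; the `LAYOUT_REPORT_FD` variable and all function names are made up for the illustration.

```c
/* Added example: child layout after fork() alone vs. fork() + re-exec (Linux). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/wait.h>
#include <unistd.h>
#define REPORT_FD_ENV "LAYOUT_REPORT_FD" /* hypothetical variable name */
struct layout { uintptr_t text, interp, stack; };

/* Addresses fixed at execve() time: program entry, ld.so base, a stack slot. */
static struct layout current_layout(void) {
    return (struct layout){ getauxval(AT_ENTRY), getauxval(AT_BASE), getauxval(AT_RANDOM) };
}
static int same_layout(struct layout a, struct layout b) { return memcmp(&a, &b, sizeof a) == 0; }

/* Runs before any main(): a re-exec'd child reports its fresh layout and exits. */
__attribute__((constructor)) static void report_if_reexeced(void) {
    const char *fd = getenv(REPORT_FD_ENV);
    if (!fd) return;
    struct layout l = current_layout();
    _exit(write(atoi(fd), &l, sizeof l) == (ssize_t)sizeof l ? 0 : 1);
}

/* Fork a child and return the layout it observes; all zeros on failure. */
static struct layout child_layout(int reexec) {
    struct layout l = {0, 0, 0};
    int p[2];
    if (pipe(p) != 0) return l;
    pid_t pid = fork();
    if (pid == 0) {
        char fd[16];
        snprintf(fd, sizeof fd, "%d", p[1]);
        if (reexec && setenv(REPORT_FD_ENV, fd, 1) == 0) execl("/proc/self/exe", "layout-probe", (char *)NULL);
        if (reexec) _exit(127);          /* exec failed: report nothing */
        l = current_layout();            /* fork-only: inherited layout */
        _exit(write(p[1], &l, sizeof l) == (ssize_t)sizeof l ? 0 : 1);
    }
    close(p[1]);
    if (read(p[0], &l, sizeof l) != (ssize_t)sizeof l) memset(&l, 0, sizeof l);
    close(p[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return l;
}

int main(void) {
    printf("fork only: child layout %s\n", same_layout(current_layout(), child_layout(0)) ? "identical to parent" : "differs");
    printf("fork+exec: child layout %s\n", same_layout(current_layout(), child_layout(1)) ? "identical to parent" : "differs");
    return 0;
}
```

When the binary is not built as PIE, the `text` field stays constant across exec, but the stack and interpreter addresses still change.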