Integrate emerg-shutdown into the initramfs

2025-11-27 16:00:26 -05:00 · 2025-08-06 19:10:14 -05:00 · 2025-08-06 19:10:14 -05:00 · 44e7d3059a
commit 44e7d3059a
parent 4294165362
5 changed files with 111 additions and 32 deletions
--- a/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh
+++ b/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh
@ -0,0 +1,48 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## called by dracut
+check() {
+  require_binaries /run/emerg-shutdown || return 1
+  return 255
+}
+
+## called by dracut
+depends() {
+  echo 'systemd bash'
+  return 0
+}
+
+## called by dracut
+install() {
+  local config_file
+
+  inst systemd-notify
+
+  inst_simple /usr/libexec/security-misc/emerg-shutdown
+  inst_simple /usr/share/security-misc/emerg-shutdown-initramfs.service /usr/lib/systemd/system/emerg-shutdown-initramfs.service
+  inst_simple /run/emerg-shutdown /emerg-shutdown
+
+  for config_file in /etc/security-misc/emerg-shutdown/*.conf; do
+    if [ -f "${config_file}" ]; then
+      inst_multiple /etc/security-misc/emerg-shutdown/*.conf
+      break
+    fi
+  done
+  for config_file in /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
+    if [ -f "${config_file}" ]; then
+      inst_multiple /usr/local/etc/security-misc/emerg-shutdown/*.conf
+      break
+    fi
+  done
+
+  mkdir -p "${initdir}/usr/lib/systemd/system/initrd.target.wants"
+  ln -s '../emerg-shutdown-initramfs.service' "${initdir}/usr/lib/systemd/system/initrd.target.wants/emerg-shutdown-initramfs.service"
+}
+
+## called by dracut
+installkernel () {
+  hostonly='' instmods evdev
+}
--- a/usr/lib/systemd/system/emerg-shutdown.service
+++ b/usr/lib/systemd/system/emerg-shutdown.service
@ -6,8 +6,8 @@ Description=Emergency shutdown when boot media is removed
 Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
-Requires=udev.service
-After=udev.service
+Requires=systemd-udevd.service
+After=systemd-udevd.service
 Requires=local-fs.target
 After=local-fs.target

--- a/usr/lib/systemd/system/ensure-shutdown.service
+++ b/usr/lib/systemd/system/ensure-shutdown.service
@ -9,8 +9,8 @@ Description=Forcibly shut down the system if normal shutdown gets stuck
 Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
-Requires=udev.service
-After=udev.service
+Requires=systemd-udevd.service
+After=systemd-udevd.service
 Wants=emerg-shutdown.service
 After=emerg-shutdown.service

--- a/usr/libexec/security-misc/emerg-shutdown
+++ b/usr/libexec/security-misc/emerg-shutdown
@ -1,7 +1,7 @@
 #!/bin/bash

-# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
-# See the file COPYING for copying conditions.
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.

 set -o errexit
 set -o nounset
@ -11,6 +11,14 @@ set -o pipefail
 ## Make sure globs sort in a predictable, reproducible fashion
 export LC_ALL=C

+in_dracut='false'
+if [ -f '/dracut-state.sh' ]; then
+  in_dracut='true'
+fi
+binary_prefix='/run'
+EMERG_SHUTDOWN_KEYS=''
+root_devices[0]=''
+
 ## Read emergency shutdown key configuration
 for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
  if [ -f "${config_file}" ]; then
@ -18,18 +26,19 @@ for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/secur
    source "${config_file}"
  fi
 done
-if [ -z "${EMERG_SHUTDOWN_KEYS}" ]; then
-  ## Default to Ctrl+Alt+Delete if nothing else is set
-  EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
-fi

+if [ "${in_dracut}" = 'true' ]; then
+  binary_prefix=''
+  modprobe evdev || {
+    printf '%s\n' 'Failed to load evdev driver!'
+    exit 1
+  }
+  ## modules may not work immediately after loaded, give them time to
+  ## initialize
+  sleep 0.1
+else
  ## Find the devices that make up the root device
  readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;
-if [ "${#root_devices[@]}" = '0' ] \
-  || [ "${root_devices[0]}" == '' ]; then
-  ## /dev/sda1 might be the right one...
-  root_devices[0]='/dev/sda1'
-fi

  ## Build the actual emerg-shutdown executable
  if [ ! -f '/run/emerg-shutdown' ]; then
@ -40,16 +49,17 @@ if [ ! -f '/run/emerg-shutdown' ]; then
      /usr/src/security-misc/emerg-shutdown.c \
      || {
        printf "%s\n" 'Could not compile force-shutdown executable!'
-      exit 1;
+        exit 1
      }
  fi

+  ## memlockd daemonizes itself, so no need to background it.
+  memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
+fi
+
 systemd-notify --ready

-## memlockd daemonizes itself, so no need to background it.
-memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
-
 ## Launch emerg-shutdown
 OLDIFS="$IFS"
 IFS=','
-/run/emerg-shutdown "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
+"${binary_prefix}/emerg-shutdown" "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
--- a/usr/share/security-misc/emerg-shutdown-initramfs.service
+++ b/usr/share/security-misc/emerg-shutdown-initramfs.service
@ -0,0 +1,21 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file should not be installed on the host system, it is intended for
+## inclusion in a dracut initramfs only.
+
+[Unit]
+Description=Emergency shutdown when boot media is removed
+Documentation=https://github.com/Kicksecure/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=systemd-udevd.service
+After=systemd-udevd.service
+
+[Service]
+Type=notify
+ExecStart=/usr/libexec/security-misc/emerg-shutdown
+NotifyAccess=main
+
+[Install]
+WantedBy=sysinit.target