Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'

README.md

@@ -712,6 +712,19 @@ See:
 * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
 * https://forums.whonix.org/t/cannot-use-pkexec/8129
 
+## Emergency shutdown
+
+- Forcibly powers off the system if the drive the system booted from is
+  removed from the system.
+- Forcibly powers off the system if a user-configurable "panic key sequence"
+  is pressed (Ctrl+Alt+Delete by default).
+- Forcibly powers off the system if
+  `sudo /run/emerg-shutdown --instant-shutdown` is called.
+- Optional - Forcibly powers off the system if shutdown gets stuck for longer
+  than a user-configurable number of seconds (30 by default). Requires tuning
+  by the user to function properly, see notes in
+  `/etc/security-misc/emerg-shutdown/30_security_misc.conf`.
+
 ## Application-specific hardening
 
 - Enables "`apt-get --error-on=any`" which makes apt exit non-zero for

debian/control

@@ -20,6 +20,7 @@ Package: security-misc
 Architecture: all
 Depends: adduser,
          apparmor-profile-dist,
+         build-essential,
          dmsetup,
          helper-scripts,
          libcap2-bin,
@@ -27,6 +28,7 @@ Depends: adduser,
          libpam-modules-bin,
          libpam-runtime,
          libpam-umask,
+         memlockd,
          python3,
          secure-delete,
          sudo,

etc/security-misc/emerg-shutdown/30_security_misc.conf

@@ -0,0 +1,33 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/security-misc/emerg-shutdown/50_user.conf" for your custom
+## configuration, which will override the defaults found here.
+## When Kicksecure is updated, this file may be overwritten.
+
+## Set the key combo for forcing immediate shutdown. See the "Keys and
+## buttons" section of "/usr/include/linux/input-event-codes.h" for possibly
+## supported values. Not all keys are supported.
+##
+## All specified keys must be depressed at the same time to trigger a
+## shutdown. Use a comma (",") to separate keys. If you want to alias certain
+## keys to each other from emerg-shutdown's standpoint, use a pipe
+## character("|").
+##
+## The default key sequence triggers a shutdown when Ctrl+Alt+Delete is
+## pressed, allowing the use of either the left or right Ctrl and Alt keys.
+EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
+
+## Set the maximum number of seconds shutdown can take. If shutdown gets stuck
+## for longer than this, the system will forcibly power down.
+##
+## NOTE: This requires ensure-shutdown.service to be enabled, which is not
+## done by default. Enabling ensure-shutdown.service will cause shutdown to
+## always take at least as long as systemd's DefaultTimeoutStopSec (which by
+## default is 90 seconds). If you are going to enable ensure-shutdown.service,
+## it is highly recommended to set DefaultTimeoutStopSec to a much smaller
+## value, such as 5 seconds. The maximum shutdown time set here should be at
+## least 10 seconds *longer* than DefaultTimeoutStopSec, to give normal
+## shutdown a chance to actually succeed before forcibly shutting down the
+## system.
+ENSURE_SHUTDOWN_TIMEOUT=30

usr/lib/systemd/system-preset/50-security-misc.preset

@@ -17,3 +17,7 @@ disable proc-hidepid.service
 ## Disable due to issues. See:
 ## https://github.com/Kicksecure/security-misc/issues/159
 disable harden-module-loading.service
+
+## Disable due to timing difficulties. See:
+## https://github.com/systemd/systemd/issues/38261#issuecomment-3134580852
+disable ensure-shutdown.service

usr/lib/systemd/system/emerg-shutdown.service

@@ -0,0 +1,14 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Emergency shutdown when boot media is removed
+Documentation=https://github.com/Kicksecure/security-misc
+
+[Service]
+Type=notify
+ExecStart=/usr/libexec/security-misc/emerg-shutdown
+NotifyAccess=main
+
+[Install]
+WantedBy=multi-user.target

usr/lib/systemd/system/ensure-shutdown.service

@@ -0,0 +1,18 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Forcibly shut down the system if normal shutdown gets stuck
+Documentation=https://github.com/Kicksecure/security-misc
+Wants=emerg-shutdown.service
+After=emerg-shutdown.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/usr/libexec/security-misc/ensure-shutdown
+ExecStop=bash -c -- 'echo "d" > /run/emerg-shutdown-trigger'
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

usr/lib/udev/rules.d/95-emerg-shutdown.rules

@@ -0,0 +1,9 @@
+SUBSYSTEM!="input", GOTO="end"
+
+# new keyboard or mouse attached or removed, restart emerg-shutdown
+KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_KEYBOARD}=="1", RUN+="/usr/bin/systemctl restart emerg-shutdown.service"
+KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_KEYBOARD}=="1", GOTO="end"
+KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_KEYBOARD}=="1", RUN+="/usr/bin/systemctl restart emerg-shutdown.service"
+KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_KEYBOARD}=="1", GOTO="end"
+
+LABEL="end"

usr/libexec/security-misc/emerg-shutdown

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+# See the file COPYING for copying conditions.
+
+set -o errexit
+set -o nounset
+set -o errtrace
+set -o pipefail
+
+## Make sure globs sort in a predictable, reproducible fashion
+export LC_ALL=C
+
+## Read emergency shutdown key configuration
+for config_file in /etc/security-misc/emerg-shutdown/*.conf; do
+  source "${config_file}"
+done
+if [ -z "${EMERG_SHUTDOWN_KEYS}" ]; then
+  ## Default to Ctrl+Alt+Delete if nothing else is set
+  EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
+fi
+
+## Find the devices that make up the root device
+readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;
+if [ "${#root_devices[@]}" = '0' ] \
+  || [ "${root_devices[0]}" == '' ]; then
+  ## /dev/sda1 might be the right one...
+  root_devices[0]='/dev/sda1'
+fi
+
+## Build the actual emerg-shutdown executable
+if [ ! -f '/run/emerg-shutdown' ]; then
+  gcc \
+    -o \
+    /run/emerg-shutdown \
+    -static \
+    /usr/src/security-misc/emerg-shutdown.c \
+    || {
+      printf "%s\n" 'Could not compile force-shutdown executable!'
+      exit 1;
+    }
+fi
+
+systemd-notify --ready
+
+## memlockd daemonizes itself, so no need to background it.
+memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
+
+## Launch emerg-shutdown
+OLDIFS="$IFS"
+IFS=','
+/run/emerg-shutdown "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"

usr/libexec/security-misc/ensure-shutdown

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+# See the file COPYING for copying conditions.
+
+set -o errexit
+set -o nounset
+set -o errtrace
+set -o pipefail
+
+source /usr/libexec/helper-scripts/strings.bsh
+
+## Make sure globs sort in a predictable, reproducible fashion
+export LC_ALL=C
+
+## Read emergency shutdown key configuration
+for config_file in /etc/security-misc/emerg-shutdown/*.conf; do
+  source "${config_file}"
+done
+if [ -z "${ENSURE_SHUTDOWN_TIMEOUT}" ] \
+  || ! is_whole_number "${ENSURE_SHUTDOWN_TIMEOUT}"; then
+  ENSURE_SHUTDOWN_TIMEOUT=30;
+fi
+
+/run/emerg-shutdown --monitor-fifo "--timeout=${ENSURE_SHUTDOWN_TIMEOUT}" &
+sleep 1
+disown
+exit 0

usr/share/security-misc/security-misc-memlockd.cfg

@@ -0,0 +1,2 @@
+# Lock systemd and all of its library dependencies into memory
++/usr/bin/systemd