Merge branch 'arraybolt3/emerg-shutdown' into arraybolt3/trixie

2025-11-25 16:46:22 -05:00 · 2025-08-06 20:21:01 -05:00 · 2025-08-06 20:21:01 -05:00 · 5f2425ba6f
commit 5f2425ba6f
parent 86f44063eb 3a77abe5c9
9 changed files with 219 additions and 62 deletions
--- a/changelog.upstream
+++ b/changelog.upstream
@ -1,3 +1,22 @@
+commit 784ff8af3616765a9c22febf66b522376ecedf12
+Merge: c2690ef 5a17e67
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Aug 6 04:26:37 2025 -0400
+
+    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'
+
+commit 5a17e67c0a7678300f6342d5c90ded5494ebc838
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Tue Aug 5 20:14:07 2025 -0500
+
+    Fix local-fs.target dependency in emerg-shutdown.service
+
+commit c2690efcacbf7be7c57751ba1cee7f910d350cfc
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Aug 4 09:27:11 2025 +0000
+
+    bumped changelog version
+
 commit 166bc257b0b2eea87d684cc847bf6da1fba7c4b4
 Merge: d1bca02 63f2909
 Author: Patrick Schleizer <adrelanos@whonix.org>
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+security-misc (3:46.7-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 06 Aug 2025 08:27:15 +0000
+
 security-misc (3:46.6-1) unstable; urgency=medium

  * New upstream version (local package).
--- a/etc/security-misc/emerg-shutdown/30_security_misc.conf
+++ b/etc/security-misc/emerg-shutdown/30_security_misc.conf
@ -17,7 +17,7 @@
 ##
 ## The default key sequence triggers a shutdown when Ctrl+Alt+Delete is
 ## pressed, allowing the use of either the left or right Ctrl and Alt keys.
-EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
+EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_END"

 ## Set the maximum number of seconds shutdown can take. If shutdown gets stuck
 ## for longer than this, the system will forcibly power down.
--- a/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh
+++ b/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh
@ -0,0 +1,48 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## called by dracut
+check() {
+  require_binaries /run/emerg-shutdown || return 1
+  return 255
+}
+
+## called by dracut
+depends() {
+  echo 'systemd bash'
+  return 0
+}
+
+## called by dracut
+install() {
+  local config_file
+
+  inst systemd-notify
+
+  inst_simple /usr/libexec/security-misc/emerg-shutdown
+  inst_simple /usr/share/security-misc/emerg-shutdown-initramfs.service /usr/lib/systemd/system/emerg-shutdown-initramfs.service
+  inst_simple /run/emerg-shutdown /emerg-shutdown
+
+  for config_file in /etc/security-misc/emerg-shutdown/*.conf; do
+    if [ -f "${config_file}" ]; then
+      inst_multiple /etc/security-misc/emerg-shutdown/*.conf
+      break
+    fi
+  done
+  for config_file in /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
+    if [ -f "${config_file}" ]; then
+      inst_multiple /usr/local/etc/security-misc/emerg-shutdown/*.conf
+      break
+    fi
+  done
+
+  mkdir -p "${initdir}/usr/lib/systemd/system/initrd.target.wants"
+  ln -s '../emerg-shutdown-initramfs.service' "${initdir}/usr/lib/systemd/system/initrd.target.wants/emerg-shutdown-initramfs.service"
+}
+
+## called by dracut
+installkernel () {
+  hostonly='' instmods evdev
+}
--- a/usr/lib/systemd/system/emerg-shutdown.service
+++ b/usr/lib/systemd/system/emerg-shutdown.service
@ -6,8 +6,8 @@ Description=Emergency shutdown when boot media is removed
 Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
-Requires=udev.service
-After=udev.service
+Requires=systemd-udevd.service
+After=systemd-udevd.service
 Requires=local-fs.target
 After=local-fs.target

--- a/usr/lib/systemd/system/ensure-shutdown.service
+++ b/usr/lib/systemd/system/ensure-shutdown.service
@ -9,8 +9,8 @@ Description=Forcibly shut down the system if normal shutdown gets stuck
 Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
-Requires=udev.service
-After=udev.service
+Requires=systemd-udevd.service
+After=systemd-udevd.service
 Wants=emerg-shutdown.service
 After=emerg-shutdown.service

--- a/usr/libexec/security-misc/emerg-shutdown
+++ b/usr/libexec/security-misc/emerg-shutdown
@ -1,7 +1,7 @@
 #!/bin/bash

-# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
-# See the file COPYING for copying conditions.
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.

 set -o errexit
 set -o nounset
@ -11,6 +11,27 @@ set -o pipefail
 ## Make sure globs sort in a predictable, reproducible fashion
 export LC_ALL=C

+in_dracut='false'
+if [ -f '/dracut-state.sh' ]; then
+  in_dracut='true'
+fi
+binary_prefix='/run'
+EMERG_SHUTDOWN_KEYS=''
+root_devices[0]=''
+
+## Taken from kloak/Makefile, see it for more information
+gcc_hardening_options=(
+  "-Wall" "-Wformat" "-Wformat=2" "-Wconversion"
+  "-Wimplicit-fallthrough" "-Werror=format-security" "-Werror=implicit"
+  "-Werror=int-conversion" "-Werror=incompatible-pointer-types"
+  "-Wtrampolines" "-Wbidi-chars=any" "-U_FORTIFY_SOURCE" "-D_FORTIFY_SOURCE=3"
+  "-fstack-clash-protection" "-fstack-protector-strong"
+  "-fno-delete-null-pointer-checks" "-fno-strict-overflow"
+  "-fno-strict-aliasing" "-fsanitize=undefined" "-fcf-protection=full"
+  "-Wl,-z,nodlopen" "-Wl,-z,noexecstack" "-Wl,-z,relro" "-Wl,-z,now"
+  "-Wl,--as-needed" "-Wl,--no-copy-dt-needed-entries" "-pie"
+)
+
 ## Read emergency shutdown key configuration
 for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
  if [ -f "${config_file}" ]; then
@ -18,38 +39,41 @@ for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/secur
    source "${config_file}"
  fi
 done
-if [ -z "${EMERG_SHUTDOWN_KEYS}" ]; then
-  ## Default to Ctrl+Alt+Delete if nothing else is set
-  EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
-fi

-## Find the devices that make up the root device
-readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;
-if [ "${#root_devices[@]}" = '0' ] \
-  || [ "${root_devices[0]}" == '' ]; then
-  ## /dev/sda1 might be the right one...
-  root_devices[0]='/dev/sda1'
-fi
+if [ "${in_dracut}" = 'true' ]; then
+  binary_prefix=''
+  modprobe evdev || {
+    printf '%s\n' 'Failed to load evdev driver!'
+    exit 1
+  }
+  ## modules may not work immediately after loaded, give them time to
+  ## initialize
+  sleep 0.1
+else
+  ## Find the devices that make up the root device
+  readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;

-## Build the actual emerg-shutdown executable
-if [ ! -f '/run/emerg-shutdown' ]; then
-  gcc \
-    -o \
-    /run/emerg-shutdown \
-    -static \
-    /usr/src/security-misc/emerg-shutdown.c \
-    || {
-      printf "%s\n" 'Could not compile force-shutdown executable!'
-      exit 1;
-    }
+  ## Build the actual emerg-shutdown executable
+  if [ ! -f '/run/emerg-shutdown' ]; then
+    gcc \
+      -o \
+      /run/emerg-shutdown \
+      -static \
+      "${gcc_hardening_options[@]}" \
+      /usr/src/security-misc/emerg-shutdown.c \
+      || {
+        printf "%s\n" 'Could not compile force-shutdown executable!'
+        exit 1
+      }
+  fi
+
+  ## memlockd daemonizes itself, so no need to background it.
+  memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
 fi

 systemd-notify --ready

-## memlockd daemonizes itself, so no need to background it.
-memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
-
 ## Launch emerg-shutdown
 OLDIFS="$IFS"
 IFS=','
-/run/emerg-shutdown "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
+"${binary_prefix}/emerg-shutdown" "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
--- a/usr/share/security-misc/emerg-shutdown-initramfs.service
+++ b/usr/share/security-misc/emerg-shutdown-initramfs.service
@ -0,0 +1,21 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file should not be installed on the host system, it is intended for
+## inclusion in a dracut initramfs only.
+
+[Unit]
+Description=Emergency shutdown when boot media is removed
+Documentation=https://github.com/Kicksecure/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=systemd-udevd.service
+After=systemd-udevd.service
+
+[Service]
+Type=notify
+ExecStart=/usr/libexec/security-misc/emerg-shutdown
+NotifyAccess=main
+
+[Install]
+WantedBy=sysinit.target
--- a/usr/src/security-misc/emerg-shutdown.c
+++ b/usr/src/security-misc/emerg-shutdown.c
@ -42,7 +42,7 @@
 * be entirely possible. To give our feature the highest chance of success:
 *
 * - We use memlockd to lock systemd and all libraries it depends on into
- *   memory. It can holds its own pretty well in the event of a segfault, but
+ *   memory. It can hold its own pretty well in the event of a segfault, but
 *   if its crash handler ends up re-segfaulting, that could get ugly.
 * - We compile the utility at boot time, statically link it against all of
 *   its dependencies (really only one, glibc), and load it into /run. This
@ -94,6 +94,7 @@
 #include <sys/stat.h>
 #include <signal.h>
 #include <errno.h>
+#include <limits.h>

 #define fd_stdin 0
 #define fd_stdout 1
@ -113,7 +114,7 @@ int console_fd = 0;
 /* Adapted from kloak/src/keycodes.c */
 struct name_value {
    const char *name;
-    const int value;
+    const uint32_t value;
 };
 static struct name_value key_table[] = {
        {"KEY_ESC", KEY_ESC},
@ -259,14 +260,14 @@ static struct name_value key_table[] = {
        {"KEY_UNKNOWN", KEY_UNKNOWN},
        {NULL, 0}
 };
-int lookup_keycode(const char *name) {
+uint32_t lookup_keycode(const char *name) {
  struct name_value *p;
  for (p = key_table; p->name != NULL; ++p) {
    if (strcmp(p->name, name) == 0) {
      return p->value;
    }
  }
-  return -1;
+  return 0;
 }

 /* Adapted from systemd/src/login/logind-button.c */
@ -278,7 +279,11 @@ void print(int fd, char *str) {
  size_t len = strlen(str) + 1;
  while (true) {
    ssize_t write_len = write(fd, str, len);
-    len -= write_len;
+    if (write_len < 0) {
+      /* File descriptor was closed, continue regardless */
+      return;
+    }
+    len -= (size_t)write_len;
    if (len == 0) {
      return;
    }
@ -288,13 +293,33 @@ void print(int fd, char *str) {

 void print_usage() {
  print(fd_stderr, "Usage:\n");
-  print(fd_stderr, "  emerg-shutdown --devices=DEVICE1[,DEVICE2...] --keys=KEY_1[,KEY_2|KEY_3...]\n");
-  print(fd_stderr, "Or:\n");
-  print(fd_stderr, "  emerg-shutdown --instant-shutdown\n");
-  print(fd_stderr, "Or:\n");
-  print(fd_stderr, "  emerg-shutdown --monitor-fifo --timeout=TIMEOUT\n");
+  print(fd_stderr, "  emerg-shutdown [OPTIONS...]\n");
+  print(fd_stderr, "Options:\n");
+  print(fd_stderr, "  --devices=DEVICE1[,DEVICE2...]\n");
+  print(fd_stderr, "    A comma-separated list of devices. If any of these devices are\n");
+  print(fd_stderr, "    removed from the system, an emergency shutdown will occur.\n");
+  print(fd_stderr, "  --keys=KEY_1[,KEY_2|KEY_3...]\n");
+  print(fd_stderr, "    A comma-separated list of keys. If all of the specified keys are\n");
+  print(fd_stderr, "    pressed at the same time, an emergency shutdown will occur.\n");
+  print(fd_stderr, "    Keys separated with a pipe will be treated as aliases of each\n");
+  print(fd_stderr, "    other.\n");
+  print(fd_stderr, "  --paranoid\n");
+  print(fd_stderr, "    Watches for the removal of any removable device whatsoever. An\n");
+  print(fd_stderr, "    emergency shutdown will be triggered if any device is removed.\n");
+  print(fd_stderr, "    Cannot be combined with --devices.\n");
+  print(fd_stderr, "  --instant-shutdown\n");
+  print(fd_stderr, "    Immediately triggers an emergency shutdown. Cannot be combined\n");
+  print(fd_stderr, "    with other options.\n");
+  print(fd_stderr, "  --monitor-fifo\n");
+  print(fd_stderr, "    Used internally to implement the ensure-shutdown service. Do\n");
+  print(fd_stderr, "    not use.\n");
+  print(fd_stderr, "  --timeout=TIMEOUT\n");
+  print(fd_stderr, "    Used internally to implement the ensure-shutdown service. Do\n");
+  print(fd_stderr, "    not use.\n");
  print(fd_stderr, "Example:\n");
  print(fd_stderr, "  emerg-shutdown --devices=/dev/sda3 --keys=KEY_POWER\n");
+  print(fd_stderr, "See /etc/security-misc/emerg-shutdown/30_security-misc.cofn to\n");
+  print(fd_stderr, "configure the emerg-shutdown service.\n");
 }

 void *safe_calloc(size_t nmemb, size_t size) {
@ -318,7 +343,7 @@ void *safe_reallocarray(void *ptr, size_t nmemb, size_t size) {
 /* Inspired by https://www.strudel.org.uk/itoa/ */
 char *int_to_str(uint32_t val) {
  static char buf[11];
-  int8_t i;
+  uint8_t i;
  char *rslt = NULL;
  const char *digits = "0123456789";

@ -340,7 +365,7 @@ char *int_to_str(uint32_t val) {
 void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list_ref, const char *sep, bool parse_opt) {
  char **result_list = NULL;
  size_t result_list_len = 0;
-  int arg_copy_len = strlen(arg) + 1;
+  size_t arg_copy_len = strlen(arg) + 1;
  char *arg_copy = safe_calloc(1, arg_copy_len);
  char *arg_val;
  char *arg_part;
@ -372,7 +397,7 @@ void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list
  free(arg_copy);
 }

-int kill_system() {
+long int kill_system() {
  /*
   * It isn't safe to simply call the reboot syscall here - there is a
   * graphics driver bug in the i915 driver on Bookworm that will throw a
@ -451,20 +476,21 @@ void hw_monitor(int argc, char **argv) {
  size_t panic_key_list_len = 0;
  char **panic_key_str_list = NULL;
  char **target_dev_list = NULL;
-  int **panic_key_list = NULL;
+  uint32_t **panic_key_list = NULL;
  bool *panic_key_active_list = NULL;
  size_t event_fd_list_len = 0;
  int *event_fd_list = NULL;
  char input_path_buf[input_path_size];
  struct pollfd *pollfd_list = NULL;
  struct input_event ie_buf[64];
+  bool paranoid_mode = false;

  /* Index variables */
  int arg_idx = 0;
  size_t tdl_idx = 0;
  size_t tdp_char_idx = 0;
  size_t pkl_idx = 0;
-  int input_idx = 0;
+  uint32_t input_idx = 0;
  size_t efl_idx = 0;
  int ie_idx = 0;
  size_t kg_idx = 0;
@ -477,6 +503,8 @@ void hw_monitor(int argc, char **argv) {
        exit(1);
      }
      load_list(argv[arg_idx], &target_dev_list_len, &target_dev_name_raw_list, ",", true);
+    } else if (strcmp(argv[arg_idx], "--paranoid") == 0) {
+      paranoid_mode = true;
    } else if (strncmp(argv[arg_idx], "--keys=", strlen("--keys=")) == 0) {
      if (panic_key_str_list != NULL) {
        print(fd_stderr, "--keys cannot be passed more than once!\n");
@ -492,6 +520,11 @@ void hw_monitor(int argc, char **argv) {
      exit(1);
    }
  }
+  if (target_dev_name_raw_list != NULL && paranoid_mode) {
+    print(fd_stderr, "--devices and --paranoid are mutually exclusive!\n");
+    print_usage();
+    exit(1);
+  }

  console_fd = open("/dev/console", O_RDWR);
  if (console_fd == -1) {
@ -500,7 +533,7 @@ void hw_monitor(int argc, char **argv) {
  }

  target_dev_list = safe_calloc(target_dev_list_len, sizeof(char *));
-  panic_key_list = safe_calloc(panic_key_list_len, sizeof(int *));
+  panic_key_list = safe_calloc(panic_key_list_len, sizeof(uint32_t *));
  panic_key_active_list = safe_calloc(panic_key_list_len, sizeof(bool));

  for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) {
@ -567,12 +600,12 @@ void hw_monitor(int argc, char **argv) {
    size_t keygroup_str_list_len = 0;
    char **keygroup_str_list = NULL;
    load_list(panic_key_str_list[pkl_idx], &keygroup_str_list_len, &keygroup_str_list, "|", false);
-    int *pkl_element = safe_calloc(keygroup_str_list_len + 1, sizeof(int));
+    uint32_t *pkl_element = safe_calloc(keygroup_str_list_len + 1, sizeof(uint32_t));

    pkl_element[keygroup_str_list_len] = 0;
    for (kg_idx = 0; kg_idx < keygroup_str_list_len; kg_idx++) {
-      int keycode = lookup_keycode(keygroup_str_list[kg_idx]);
-      if (keycode < 0) {
+      uint32_t keycode = lookup_keycode(keygroup_str_list[kg_idx]);
+      if (keycode == 0) {
        print(fd_stderr, "Invalid key code '");
        print(fd_stderr, keygroup_str_list[kg_idx]);
        print(fd_stderr, "'!\n");
@ -591,7 +624,7 @@ void hw_monitor(int argc, char **argv) {
  struct sockaddr_nl sa = {
    .nl_family = AF_NETLINK,
    .nl_pad = 0,
-    .nl_pid = getpid(),
+    .nl_pid = (uint32_t)getpid(),
    .nl_groups = NETLINK_KOBJECT_UEVENT,
  };
  int ns = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
@ -684,11 +717,10 @@ void hw_monitor(int argc, char **argv) {
        continue;
      }

-      size_t ieread_bytes = read(event_fd_list[efl_idx], ie_buf, sizeof(struct input_event) * 64);
+      ssize_t ieread_bytes = read(event_fd_list[efl_idx], ie_buf, sizeof(struct input_event) * 64);

-      if (ieread_bytes == -1
-        || ieread_bytes == 0
-        || (ieread_bytes % sizeof(struct input_event)) != 0) {
+      if (ieread_bytes <= 0
+        || ((size_t)ieread_bytes % sizeof(struct input_event)) != 0) {
        /* This will probably terminate the service if the user unplugs a
         * keyboard or similar, however systemd can start it again. The
         * alternative is to handle device hotplug, which sounds like a
@ -697,7 +729,8 @@ void hw_monitor(int argc, char **argv) {
        exit(1);
      }

-      for (ie_idx = 0; ie_idx < ieread_bytes / sizeof(struct input_event); ie_idx++) {
+      for (ie_idx = 0; ie_idx < (size_t)ieread_bytes / sizeof(struct input_event);
+        ie_idx++) {
        if (ie_buf[ie_idx].type != EV_KEY) {
          continue;
        }
@ -745,7 +778,7 @@ void hw_monitor(int argc, char **argv) {
       *   NUL-terminated string "libudev" so they're easy to filter out.
       */

-      int len;
+      ssize_t len;
      char buf[16384];
      struct iovec iov = { buf, sizeof(buf) };
      struct sockaddr_nl sa2;
@ -828,6 +861,11 @@ void hw_monitor(int argc, char **argv) {
              goto next_str;
            }

+            if (paranoid_mode) {
+              /* Something was removed, we don't care what, shut down now */
+              kill_system();
+            }
+
            for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) {
              if (strcmp(rem_dev_name, target_dev_list[tdl_idx]) == 0) {
                kill_system();
@ -841,7 +879,7 @@ void hw_monitor(int argc, char **argv) {
        }

 next_str:
-        len -= strlen(tmpbuf) + 1;
+        len = len - (ssize_t)(strlen(tmpbuf) + 1);
        tmpbuf += strlen(tmpbuf) + 1;
      }
    }
@ -883,8 +921,9 @@ void fifo_monitor(int argc, char **argv) {
  arg_part = strtok(arg_copy, "=");
  /* returns everything after the = sign */
  arg_part = strtok(NULL, "");
+  errno = 0;
  monitor_fifo_timeout = strtol(arg_part, &arg_num_end, 10);
-  if (errno == ERANGE) {
+  if (errno == ERANGE || monitor_fifo_timeout > UINT_MAX) {
    print(fd_stderr, "Timeout out of range!\n");
    print_usage();
    exit(1);
@ -949,7 +988,7 @@ void fifo_monitor(int argc, char **argv) {
    if (trigger_fifo_charbuf == 'k') {
      kill_system();
    } else if (trigger_fifo_charbuf == 'd') {
-      sleep(monitor_fifo_timeout);
+      sleep((unsigned int)monitor_fifo_timeout);
      kill_system();
    }
  }