From 42941653621311187650f12e8d7aa39c45cb6984 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 6 Aug 2025 08:27:15 +0000 Subject: [PATCH 1/6] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0381ecf..ea0f4a2 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit 784ff8af3616765a9c22febf66b522376ecedf12 +Merge: c2690ef 5a17e67 +Author: Patrick Schleizer +Date: Wed Aug 6 04:26:37 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown' + +commit 5a17e67c0a7678300f6342d5c90ded5494ebc838 +Author: Aaron Rainbolt +Date: Tue Aug 5 20:14:07 2025 -0500 + + Fix local-fs.target dependency in emerg-shutdown.service + +commit c2690efcacbf7be7c57751ba1cee7f910d350cfc +Author: Patrick Schleizer +Date: Mon Aug 4 09:27:11 2025 +0000 + + bumped changelog version + commit 166bc257b0b2eea87d684cc847bf6da1fba7c4b4 Merge: d1bca02 63f2909 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 460f1a2..14ebd05 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:46.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 06 Aug 2025 08:27:15 +0000 + security-misc (3:46.6-1) unstable; urgency=medium * New upstream version (local package). From 44e7d3059a5618991a1408f77707132bfea86fef Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 6 Aug 2025 19:10:14 -0500 Subject: [PATCH 2/6] Integrate emerg-shutdown into the initramfs --- .../99emerg-shutdown/module-setup.sh | 48 ++++++++++++++ usr/lib/systemd/system/emerg-shutdown.service | 4 +- .../systemd/system/ensure-shutdown.service | 4 +- usr/libexec/security-misc/emerg-shutdown | 66 +++++++++++-------- .../emerg-shutdown-initramfs.service | 21 ++++++ 5 files changed, 111 insertions(+), 32 deletions(-) create mode 100755 usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh create mode 100644 usr/share/security-misc/emerg-shutdown-initramfs.service diff --git a/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh b/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh new file mode 100755 index 0000000..98d6be9 --- /dev/null +++ b/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh @@ -0,0 +1,48 @@ +#!/bin/bash + +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## called by dracut +check() { + require_binaries /run/emerg-shutdown || return 1 + return 255 +} + +## called by dracut +depends() { + echo 'systemd bash' + return 0 +} + +## called by dracut +install() { + local config_file + + inst systemd-notify + + inst_simple /usr/libexec/security-misc/emerg-shutdown + inst_simple /usr/share/security-misc/emerg-shutdown-initramfs.service /usr/lib/systemd/system/emerg-shutdown-initramfs.service + inst_simple /run/emerg-shutdown /emerg-shutdown + + for config_file in /etc/security-misc/emerg-shutdown/*.conf; do + if [ -f "${config_file}" ]; then + inst_multiple /etc/security-misc/emerg-shutdown/*.conf + break + fi + done + for config_file in /usr/local/etc/security-misc/emerg-shutdown/*.conf; do + if [ -f "${config_file}" ]; then + inst_multiple /usr/local/etc/security-misc/emerg-shutdown/*.conf + break + fi + done + + mkdir -p "${initdir}/usr/lib/systemd/system/initrd.target.wants" + ln -s '../emerg-shutdown-initramfs.service' "${initdir}/usr/lib/systemd/system/initrd.target.wants/emerg-shutdown-initramfs.service" +} + +## called by dracut +installkernel () { + hostonly='' instmods evdev +} diff --git a/usr/lib/systemd/system/emerg-shutdown.service b/usr/lib/systemd/system/emerg-shutdown.service index f2dc2e8..fa738ab 100644 --- a/usr/lib/systemd/system/emerg-shutdown.service +++ b/usr/lib/systemd/system/emerg-shutdown.service @@ -6,8 +6,8 @@ Description=Emergency shutdown when boot media is removed Documentation=https://github.com/Kicksecure/security-misc DefaultDependencies=no Before=sysinit.target -Requires=udev.service -After=udev.service +Requires=systemd-udevd.service +After=systemd-udevd.service Requires=local-fs.target After=local-fs.target diff --git a/usr/lib/systemd/system/ensure-shutdown.service b/usr/lib/systemd/system/ensure-shutdown.service index 52eb487..8e4c5b6 100644 --- a/usr/lib/systemd/system/ensure-shutdown.service +++ b/usr/lib/systemd/system/ensure-shutdown.service @@ -9,8 +9,8 @@ Description=Forcibly shut down the system if normal shutdown gets stuck Documentation=https://github.com/Kicksecure/security-misc DefaultDependencies=no Before=sysinit.target -Requires=udev.service -After=udev.service +Requires=systemd-udevd.service +After=systemd-udevd.service Wants=emerg-shutdown.service After=emerg-shutdown.service diff --git a/usr/libexec/security-misc/emerg-shutdown b/usr/libexec/security-misc/emerg-shutdown index 1afebcb..f3496fc 100755 --- a/usr/libexec/security-misc/emerg-shutdown +++ b/usr/libexec/security-misc/emerg-shutdown @@ -1,7 +1,7 @@ #!/bin/bash -# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -# See the file COPYING for copying conditions. +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. set -o errexit set -o nounset @@ -11,6 +11,14 @@ set -o pipefail ## Make sure globs sort in a predictable, reproducible fashion export LC_ALL=C +in_dracut='false' +if [ -f '/dracut-state.sh' ]; then + in_dracut='true' +fi +binary_prefix='/run' +EMERG_SHUTDOWN_KEYS='' +root_devices[0]='' + ## Read emergency shutdown key configuration for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do if [ -f "${config_file}" ]; then @@ -18,38 +26,40 @@ for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/secur source "${config_file}" fi done -if [ -z "${EMERG_SHUTDOWN_KEYS}" ]; then - ## Default to Ctrl+Alt+Delete if nothing else is set - EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE" -fi -## Find the devices that make up the root device -readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true; -if [ "${#root_devices[@]}" = '0' ] \ - || [ "${root_devices[0]}" == '' ]; then - ## /dev/sda1 might be the right one... - root_devices[0]='/dev/sda1' -fi +if [ "${in_dracut}" = 'true' ]; then + binary_prefix='' + modprobe evdev || { + printf '%s\n' 'Failed to load evdev driver!' + exit 1 + } + ## modules may not work immediately after loaded, give them time to + ## initialize + sleep 0.1 +else + ## Find the devices that make up the root device + readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true; -## Build the actual emerg-shutdown executable -if [ ! -f '/run/emerg-shutdown' ]; then - gcc \ - -o \ - /run/emerg-shutdown \ - -static \ - /usr/src/security-misc/emerg-shutdown.c \ - || { - printf "%s\n" 'Could not compile force-shutdown executable!' - exit 1; - } + ## Build the actual emerg-shutdown executable + if [ ! -f '/run/emerg-shutdown' ]; then + gcc \ + -o \ + /run/emerg-shutdown \ + -static \ + /usr/src/security-misc/emerg-shutdown.c \ + || { + printf "%s\n" 'Could not compile force-shutdown executable!' + exit 1 + } + fi + + ## memlockd daemonizes itself, so no need to background it. + memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true fi systemd-notify --ready -## memlockd daemonizes itself, so no need to background it. -memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true - ## Launch emerg-shutdown OLDIFS="$IFS" IFS=',' -/run/emerg-shutdown "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}" +"${binary_prefix}/emerg-shutdown" "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}" diff --git a/usr/share/security-misc/emerg-shutdown-initramfs.service b/usr/share/security-misc/emerg-shutdown-initramfs.service new file mode 100644 index 0000000..8de5412 --- /dev/null +++ b/usr/share/security-misc/emerg-shutdown-initramfs.service @@ -0,0 +1,21 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## This file should not be installed on the host system, it is intended for +## inclusion in a dracut initramfs only. + +[Unit] +Description=Emergency shutdown when boot media is removed +Documentation=https://github.com/Kicksecure/security-misc +DefaultDependencies=no +Before=sysinit.target +Requires=systemd-udevd.service +After=systemd-udevd.service + +[Service] +Type=notify +ExecStart=/usr/libexec/security-misc/emerg-shutdown +NotifyAccess=main + +[Install] +WantedBy=sysinit.target From 2a3bc39eba317d5f9b0e710dd3663c82d92add94 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 6 Aug 2025 19:10:37 -0500 Subject: [PATCH 3/6] Use Ctrl+Alt+End as the default panic key rather than Ctrl+Alt+Delete --- etc/security-misc/emerg-shutdown/30_security_misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/security-misc/emerg-shutdown/30_security_misc.conf b/etc/security-misc/emerg-shutdown/30_security_misc.conf index 4ec6cbd..e8b4b48 100644 --- a/etc/security-misc/emerg-shutdown/30_security_misc.conf +++ b/etc/security-misc/emerg-shutdown/30_security_misc.conf @@ -17,7 +17,7 @@ ## ## The default key sequence triggers a shutdown when Ctrl+Alt+Delete is ## pressed, allowing the use of either the left or right Ctrl and Alt keys. -EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE" +EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_END" ## Set the maximum number of seconds shutdown can take. If shutdown gets stuck ## for longer than this, the system will forcibly power down. From 29480df770047c8ada3e993cf28f87ffbfd71dec Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 6 Aug 2025 19:24:34 -0500 Subject: [PATCH 4/6] Improve emerg-shutdown usage documentation --- usr/src/security-misc/emerg-shutdown.c | 28 ++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/usr/src/security-misc/emerg-shutdown.c b/usr/src/security-misc/emerg-shutdown.c index 83cb6de..287c953 100644 --- a/usr/src/security-misc/emerg-shutdown.c +++ b/usr/src/security-misc/emerg-shutdown.c @@ -42,7 +42,7 @@ * be entirely possible. To give our feature the highest chance of success: * * - We use memlockd to lock systemd and all libraries it depends on into - * memory. It can holds its own pretty well in the event of a segfault, but + * memory. It can hold its own pretty well in the event of a segfault, but * if its crash handler ends up re-segfaulting, that could get ugly. * - We compile the utility at boot time, statically link it against all of * its dependencies (really only one, glibc), and load it into /run. This @@ -288,13 +288,29 @@ void print(int fd, char *str) { void print_usage() { print(fd_stderr, "Usage:\n"); - print(fd_stderr, " emerg-shutdown --devices=DEVICE1[,DEVICE2...] --keys=KEY_1[,KEY_2|KEY_3...]\n"); - print(fd_stderr, "Or:\n"); - print(fd_stderr, " emerg-shutdown --instant-shutdown\n"); - print(fd_stderr, "Or:\n"); - print(fd_stderr, " emerg-shutdown --monitor-fifo --timeout=TIMEOUT\n"); + print(fd_stderr, " emerg-shutdown [OPTIONS...]\n"); + print(fd_stderr, "Options:\n"); + print(fd_stderr, " --devices=DEVICE1[,DEVICE2...]\n"); + print(fd_stderr, " A comma-separated list of devices. If any of these devices are\n"); + print(fd_stderr, " removed from the system, an emergency shutdown will occur.\n"); + print(fd_stderr, " --keys=KEY_1[,KEY_2|KEY_3...]\n"); + print(fd_stderr, " A comma-separated list of keys. If all of the specified keys are\n"); + print(fd_stderr, " pressed at the same time, an emergency shutdown will occur.\n"); + print(fd_stderr, " Keys separated with a pipe will be treated as aliases of each\n"); + print(fd_stderr, " other.\n"); + print(fd_stderr, " --instant-shutdown\n"); + print(fd_stderr, " Immediately triggers an emergency shutdown. Cannot be combined\n"); + print(fd_stderr, " with other options.\n"); + print(fd_stderr, " --monitor-fifo\n"); + print(fd_stderr, " Used internally to implement the ensure-shutdown service. Do\n"); + print(fd_stderr, " not use.\n"); + print(fd_stderr, " --timeout=TIMEOUT\n"); + print(fd_stderr, " Used internally to implement the ensure-shutdown service. Do\n"); + print(fd_stderr, " not use.\n"); print(fd_stderr, "Example:\n"); print(fd_stderr, " emerg-shutdown --devices=/dev/sda3 --keys=KEY_POWER\n"); + print(fd_stderr, "See /etc/security-misc/emerg-shutdown/30_security-misc.cofn to\n"); + print(fd_stderr, "configure the emerg-shutdown service.\n"); } void *safe_calloc(size_t nmemb, size_t size) { From 0c1af00aae50dba2983c3736744e0da320bb9330 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 6 Aug 2025 19:33:38 -0500 Subject: [PATCH 5/6] Implement paranoid mode in emerg-shutdown --- usr/src/security-misc/emerg-shutdown.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/usr/src/security-misc/emerg-shutdown.c b/usr/src/security-misc/emerg-shutdown.c index 287c953..89c4400 100644 --- a/usr/src/security-misc/emerg-shutdown.c +++ b/usr/src/security-misc/emerg-shutdown.c @@ -298,6 +298,10 @@ void print_usage() { print(fd_stderr, " pressed at the same time, an emergency shutdown will occur.\n"); print(fd_stderr, " Keys separated with a pipe will be treated as aliases of each\n"); print(fd_stderr, " other.\n"); + print(fd_stderr, " --paranoid\n"); + print(fd_stderr, " Watches for the removal of any removable device whatsoever. An\n"); + print(fd_stderr, " emergency shutdown will be triggered if any device is removed.\n"); + print(fd_stderr, " Cannot be combined with --devices.\n"); print(fd_stderr, " --instant-shutdown\n"); print(fd_stderr, " Immediately triggers an emergency shutdown. Cannot be combined\n"); print(fd_stderr, " with other options.\n"); @@ -474,6 +478,7 @@ void hw_monitor(int argc, char **argv) { char input_path_buf[input_path_size]; struct pollfd *pollfd_list = NULL; struct input_event ie_buf[64]; + bool paranoid_mode = false; /* Index variables */ int arg_idx = 0; @@ -493,6 +498,8 @@ void hw_monitor(int argc, char **argv) { exit(1); } load_list(argv[arg_idx], &target_dev_list_len, &target_dev_name_raw_list, ",", true); + } else if (strcmp(argv[arg_idx], "--paranoid") == 0) { + paranoid_mode = true; } else if (strncmp(argv[arg_idx], "--keys=", strlen("--keys=")) == 0) { if (panic_key_str_list != NULL) { print(fd_stderr, "--keys cannot be passed more than once!\n"); @@ -508,6 +515,11 @@ void hw_monitor(int argc, char **argv) { exit(1); } } + if (target_dev_name_raw_list != NULL && paranoid_mode) { + print(fd_stderr, "--devices and --paranoid are mutually exclusive!\n"); + print_usage(); + exit(1); + } console_fd = open("/dev/console", O_RDWR); if (console_fd == -1) { @@ -844,6 +856,11 @@ void hw_monitor(int argc, char **argv) { goto next_str; } + if (paranoid_mode) { + /* Something was removed, we don't care what, shut down now */ + kill_system(); + } + for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) { if (strcmp(rem_dev_name, target_dev_list[tdl_idx]) == 0) { kill_system(); From 3a77abe5c9807caec530e69c41d5cf803b625e70 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 6 Aug 2025 20:05:57 -0500 Subject: [PATCH 6/6] Port hardening options from kloak to emerg-shutdown, fix new compiler warnings --- usr/libexec/security-misc/emerg-shutdown | 14 +++++++ usr/src/security-misc/emerg-shutdown.c | 52 +++++++++++++----------- 2 files changed, 43 insertions(+), 23 deletions(-) diff --git a/usr/libexec/security-misc/emerg-shutdown b/usr/libexec/security-misc/emerg-shutdown index f3496fc..3016088 100755 --- a/usr/libexec/security-misc/emerg-shutdown +++ b/usr/libexec/security-misc/emerg-shutdown @@ -19,6 +19,19 @@ binary_prefix='/run' EMERG_SHUTDOWN_KEYS='' root_devices[0]='' +## Taken from kloak/Makefile, see it for more information +gcc_hardening_options=( + "-Wall" "-Wformat" "-Wformat=2" "-Wconversion" + "-Wimplicit-fallthrough" "-Werror=format-security" "-Werror=implicit" + "-Werror=int-conversion" "-Werror=incompatible-pointer-types" + "-Wtrampolines" "-Wbidi-chars=any" "-U_FORTIFY_SOURCE" "-D_FORTIFY_SOURCE=3" + "-fstack-clash-protection" "-fstack-protector-strong" + "-fno-delete-null-pointer-checks" "-fno-strict-overflow" + "-fno-strict-aliasing" "-fsanitize=undefined" "-fcf-protection=full" + "-Wl,-z,nodlopen" "-Wl,-z,noexecstack" "-Wl,-z,relro" "-Wl,-z,now" + "-Wl,--as-needed" "-Wl,--no-copy-dt-needed-entries" "-pie" +) + ## Read emergency shutdown key configuration for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do if [ -f "${config_file}" ]; then @@ -46,6 +59,7 @@ else -o \ /run/emerg-shutdown \ -static \ + "${gcc_hardening_options[@]}" \ /usr/src/security-misc/emerg-shutdown.c \ || { printf "%s\n" 'Could not compile force-shutdown executable!' diff --git a/usr/src/security-misc/emerg-shutdown.c b/usr/src/security-misc/emerg-shutdown.c index 89c4400..cd310e8 100644 --- a/usr/src/security-misc/emerg-shutdown.c +++ b/usr/src/security-misc/emerg-shutdown.c @@ -94,6 +94,7 @@ #include #include #include +#include #define fd_stdin 0 #define fd_stdout 1 @@ -113,7 +114,7 @@ int console_fd = 0; /* Adapted from kloak/src/keycodes.c */ struct name_value { const char *name; - const int value; + const uint32_t value; }; static struct name_value key_table[] = { {"KEY_ESC", KEY_ESC}, @@ -259,14 +260,14 @@ static struct name_value key_table[] = { {"KEY_UNKNOWN", KEY_UNKNOWN}, {NULL, 0} }; -int lookup_keycode(const char *name) { +uint32_t lookup_keycode(const char *name) { struct name_value *p; for (p = key_table; p->name != NULL; ++p) { if (strcmp(p->name, name) == 0) { return p->value; } } - return -1; + return 0; } /* Adapted from systemd/src/login/logind-button.c */ @@ -278,7 +279,11 @@ void print(int fd, char *str) { size_t len = strlen(str) + 1; while (true) { ssize_t write_len = write(fd, str, len); - len -= write_len; + if (write_len < 0) { + /* File descriptor was closed, continue regardless */ + return; + } + len -= (size_t)write_len; if (len == 0) { return; } @@ -338,7 +343,7 @@ void *safe_reallocarray(void *ptr, size_t nmemb, size_t size) { /* Inspired by https://www.strudel.org.uk/itoa/ */ char *int_to_str(uint32_t val) { static char buf[11]; - int8_t i; + uint8_t i; char *rslt = NULL; const char *digits = "0123456789"; @@ -360,7 +365,7 @@ char *int_to_str(uint32_t val) { void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list_ref, const char *sep, bool parse_opt) { char **result_list = NULL; size_t result_list_len = 0; - int arg_copy_len = strlen(arg) + 1; + size_t arg_copy_len = strlen(arg) + 1; char *arg_copy = safe_calloc(1, arg_copy_len); char *arg_val; char *arg_part; @@ -392,7 +397,7 @@ void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list free(arg_copy); } -int kill_system() { +long int kill_system() { /* * It isn't safe to simply call the reboot syscall here - there is a * graphics driver bug in the i915 driver on Bookworm that will throw a @@ -471,7 +476,7 @@ void hw_monitor(int argc, char **argv) { size_t panic_key_list_len = 0; char **panic_key_str_list = NULL; char **target_dev_list = NULL; - int **panic_key_list = NULL; + uint32_t **panic_key_list = NULL; bool *panic_key_active_list = NULL; size_t event_fd_list_len = 0; int *event_fd_list = NULL; @@ -485,7 +490,7 @@ void hw_monitor(int argc, char **argv) { size_t tdl_idx = 0; size_t tdp_char_idx = 0; size_t pkl_idx = 0; - int input_idx = 0; + uint32_t input_idx = 0; size_t efl_idx = 0; int ie_idx = 0; size_t kg_idx = 0; @@ -528,7 +533,7 @@ void hw_monitor(int argc, char **argv) { } target_dev_list = safe_calloc(target_dev_list_len, sizeof(char *)); - panic_key_list = safe_calloc(panic_key_list_len, sizeof(int *)); + panic_key_list = safe_calloc(panic_key_list_len, sizeof(uint32_t *)); panic_key_active_list = safe_calloc(panic_key_list_len, sizeof(bool)); for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) { @@ -595,12 +600,12 @@ void hw_monitor(int argc, char **argv) { size_t keygroup_str_list_len = 0; char **keygroup_str_list = NULL; load_list(panic_key_str_list[pkl_idx], &keygroup_str_list_len, &keygroup_str_list, "|", false); - int *pkl_element = safe_calloc(keygroup_str_list_len + 1, sizeof(int)); + uint32_t *pkl_element = safe_calloc(keygroup_str_list_len + 1, sizeof(uint32_t)); pkl_element[keygroup_str_list_len] = 0; for (kg_idx = 0; kg_idx < keygroup_str_list_len; kg_idx++) { - int keycode = lookup_keycode(keygroup_str_list[kg_idx]); - if (keycode < 0) { + uint32_t keycode = lookup_keycode(keygroup_str_list[kg_idx]); + if (keycode == 0) { print(fd_stderr, "Invalid key code '"); print(fd_stderr, keygroup_str_list[kg_idx]); print(fd_stderr, "'!\n"); @@ -619,7 +624,7 @@ void hw_monitor(int argc, char **argv) { struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_pad = 0, - .nl_pid = getpid(), + .nl_pid = (uint32_t)getpid(), .nl_groups = NETLINK_KOBJECT_UEVENT, }; int ns = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT); @@ -712,11 +717,10 @@ void hw_monitor(int argc, char **argv) { continue; } - size_t ieread_bytes = read(event_fd_list[efl_idx], ie_buf, sizeof(struct input_event) * 64); + ssize_t ieread_bytes = read(event_fd_list[efl_idx], ie_buf, sizeof(struct input_event) * 64); - if (ieread_bytes == -1 - || ieread_bytes == 0 - || (ieread_bytes % sizeof(struct input_event)) != 0) { + if (ieread_bytes <= 0 + || ((size_t)ieread_bytes % sizeof(struct input_event)) != 0) { /* This will probably terminate the service if the user unplugs a * keyboard or similar, however systemd can start it again. The * alternative is to handle device hotplug, which sounds like a @@ -725,7 +729,8 @@ void hw_monitor(int argc, char **argv) { exit(1); } - for (ie_idx = 0; ie_idx < ieread_bytes / sizeof(struct input_event); ie_idx++) { + for (ie_idx = 0; ie_idx < (size_t)ieread_bytes / sizeof(struct input_event); + ie_idx++) { if (ie_buf[ie_idx].type != EV_KEY) { continue; } @@ -773,7 +778,7 @@ void hw_monitor(int argc, char **argv) { * NUL-terminated string "libudev" so they're easy to filter out. */ - int len; + ssize_t len; char buf[16384]; struct iovec iov = { buf, sizeof(buf) }; struct sockaddr_nl sa2; @@ -874,7 +879,7 @@ void hw_monitor(int argc, char **argv) { } next_str: - len -= strlen(tmpbuf) + 1; + len = len - (ssize_t)(strlen(tmpbuf) + 1); tmpbuf += strlen(tmpbuf) + 1; } } @@ -916,8 +921,9 @@ void fifo_monitor(int argc, char **argv) { arg_part = strtok(arg_copy, "="); /* returns everything after the = sign */ arg_part = strtok(NULL, ""); + errno = 0; monitor_fifo_timeout = strtol(arg_part, &arg_num_end, 10); - if (errno == ERANGE) { + if (errno == ERANGE || monitor_fifo_timeout > UINT_MAX) { print(fd_stderr, "Timeout out of range!\n"); print_usage(); exit(1); @@ -982,7 +988,7 @@ void fifo_monitor(int argc, char **argv) { if (trigger_fifo_charbuf == 'k') { kill_system(); } else if (trigger_fifo_charbuf == 'd') { - sleep(monitor_fifo_timeout); + sleep((unsigned int)monitor_fifo_timeout); kill_system(); } }