From 5fbd42bbec55d66197b70789b10f7cb6705207fb Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Sun, 9 Nov 2025 18:38:54 -0600
Subject: [PATCH] Add kill-vboxdrmclient-on-shutdown.service
---
 debian/security-misc-shared.install | 2 ++
 ...t-on-shutdown.service#security-misc-shared | 15 ++++++++++
 ...drmclient-on-shutdown#security-misc-shared | 29 +++++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared
 create mode 100644 usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared
diff --git a/debian/security-misc-shared.install b/debian/security-misc-shared.install
index e9e0dd7..6e49a9d 100755
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@@ -57,6 +57,7 @@ usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexe
 usr/libexec/security-misc/virusforget#security-misc-shared => /usr/libexec/security-misc/virusforget
 usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared => /usr/libexec/security-misc/pam_faillock_not_if_x
 usr/libexec/security-misc/block-unsafe-logins#security-misc-shared => /usr/libexec/security-misc/block-unsafe-logins
+usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared => /usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown
 usr/src/security-misc/emerg-shutdown.c#security-misc-shared => /usr/src/security-misc/emerg-shutdown.c
 usr/bin/disabled-gps-by-security-misc#security-misc-shared => /usr/bin/disabled-gps-by-security-misc
 usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared => /usr/bin/disabled-netfilesys-by-security-misc
@@ -90,6 +91,7 @@ usr/lib/systemd/system/remount-secure.service#security-misc-shared => /usr/lib/s
 usr/lib/systemd/system/ensure-shutdown.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown.service
 usr/lib/systemd/system/sysinit-post.target#security-misc-shared => /usr/lib/systemd/system/sysinit-post.target
 usr/lib/systemd/system/ensure-shutdown-trigger.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown-trigger.service
+usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared => /usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service
 usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf
 usr/lib/systemd/pstore.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/pstore.conf.d/30_security-misc.conf
 usr/lib/udev/rules.d/95-emerg-shutdown.rules#security-misc-shared => /usr/lib/udev/rules.d/95-emerg-shutdown.rules
diff --git a/usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared b/usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared
new file mode 100644
index 0000000..136ff7a
--- /dev/null
+++ b/usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared
@@ -0,0 +1,15 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=kill VBoxDRMClient during shutdown to allow /tmp to be unmounted properly
+ConditionVirtualization=oracle
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=true
+ExecStop=/usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown
+
+[Install]
+WantedBy=multi-user.target
diff --git a/usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared b/usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared
new file mode 100644
index 0000000..b77e75a
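Review bot: The `[Service]` section of kill-vboxdrmclient-on-shutdown.service runs its `ExecStop=` helper with full, unsandboxed root privileges, although the helper only has to look up one socket under /tmp and signal one process. Consider adding hardening directives such as `NoNewPrivileges=true`, `ProtectSystem=strict` and `ProtectHome=true`, after confirming what /usr/libexec/helper-scripts/query-sock-pid needs to read. `PrivateTmp=` has to stay off, because the helper must see the real /tmp. A short comment above `ExecStart=true` saying that the no-op start plus `RemainAfterExit=true` exists only so that `ExecStop=` fires at shutdown would also help the next reader.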
--- /dev/null
+++ b/usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See file COPYING for copying conditions.
+
+set -o errexit
+set -o nounset
+set -o errtrace
+set -o pipefail
+
+vboxdrmclient_sock='/tmp/.iprt-localipc-DRMIpcServer'
+
+if ! [ -S "$vboxdrmclient_sock" ]; then
+ printf '%s\n' "'$vboxdrmclient_sock' does not exist or is not a socket, ok."
+ exit 0
+fi
+
+sock_pid="$(/usr/libexec/helper-scripts/query-sock-pid "$vboxdrmclient_sock")" || true
+if [ -z "$sock_pid" ]; then
+ printf '%s\n' "Cannot get PID listening on '$vboxdrmclient_sock', ok."
+ exit 0
+fi
+if kill -SIGKILL "$sock_pid"; then
+ printf '%s\n' "Killed VBoxDRMClient ('$sock_pid'), ok."
+ exit 0
+fi
+
+printf '%s\n' "ERROR: Could not kill VBoxDRMClient ('$sock_pid')!"
+exit 1
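Review bot: `kill -SIGKILL "$sock_pid"` runs as root on whatever the helper printed for a socket path in world-writable /tmp, with no check that the value is a single PID or that the process really is VBoxDRMClient. Nothing stops another local user from creating a socket at `/tmp/.iprt-localipc-DRMIpcServer` first when the real one is absent, and a helper output such as `-1` or `0` would signal far more than one process. I would validate `sock_pid` as a plain integer above 1 and compare the basename of `/proc/$sock_pid/exe` with `VBoxDRMClient` before the kill, as sketched below; the basename comparison assumes the guest additions install the binary under that name, which should be confirmed. The final `ERROR:` message would also be better sent to stderr with `>&2`.

```bash
sock_pid="$(/usr/libexec/helper-scripts/query-sock-pid "$vboxdrmclient_sock")" || true
# … unchanged: empty sock_pid prints a message and exits 0 …

## The socket path lives in world-writable /tmp and the helper output is
## unverified, so only a single plain PID above 1 may be signalled.
if ! [[ "$sock_pid" =~ ^[1-9][0-9]*$ ]] || [ "$sock_pid" = 1 ]; then
  printf '%s\n' "ERROR: Unexpected PID value '$sock_pid' for '$vboxdrmclient_sock'!" >&2
  exit 1
fi

## Confirm the process identity before sending SIGKILL as root.
sock_exe="$(readlink -- "/proc/$sock_pid/exe")" || true
if [ "${sock_exe##*/}" != 'VBoxDRMClient' ]; then
  printf '%s\n' "PID '$sock_pid' ('$sock_exe') is not VBoxDRMClient, not killing, ok."
  exit 0
fi
# … unchanged: kill -SIGKILL "$sock_pid" and the result messages …
```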