Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-12-16 04:53:49 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'master' into panic_limits

Browse source
This commit is contained in:
raja-grewal 2025-08-21 10:27:44 +10:00 committed by GitHub
commit e48897cc44
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
27 changed files with 522 additions and 236 deletions
Download patch file Download diff file Expand all files Collapse all files

25
README.md
View file

@ -52,8 +52,7 @@ configuration file and significant hardening is applied to a myriad of component
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
the source of numerous kernel exploits.
- Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits.
#### User space
@ -221,12 +220,10 @@ Kernel space:
- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2)
since it may be slightly more resilient to attacks that are able to write
arbitrary executables in memory.
- Use kCFI as the default CFI implementation as it is more resilient to attacks that are
able to write arbitrary executables into memory omitting the necessary hash validation.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface.
- Disable support for all 32-bit x86 processes and syscalls to reduce attack surface.
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
and other persistent data to either the UEFI variable storage or ACPI ERST backends.
@ -728,20 +725,14 @@ See:
- Deactivates thumbnails in Thunar.
- Rationale: lower attack surface when using the file manager
- https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904
- Thunderbird is hardened with the following options:
- Displays domain names in punycode to prevent IDN homograph attacks (a
form of phishing).
- Strips email client information from sent email headers.
- Strips user time information from sent email headers by replacing the
originating time zone with UTC and rounding the timestamp to the nearest
minute.
- Disables scripting when viewing PDF files.
- Disables implicit outgoing connections.
- Disables all and any kind of telemetry.
- Security and privacy enhancements for gnupg's config file
`/etc/skel/.gnupg/gpg.conf`. See also:
- https://raw.github.com/ioerror/torbirdy/master/gpg.conf
- https://github.com/ioerror/torbirdy/pull/11
- Hardens SSH client
`/etc/ssh/ssh_config.d/30_security-misc.conf`
- Hardens SSH server
`/etc/ssh/sshd_config.d/30_security-misc.conf`
### Project scope of application-specific hardening

2
README_generic.md
View file

@ -28,7 +28,7 @@ sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
3\. Add the derivative repository.
```
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
```
4\. Update your package lists.

95
changelog.upstream
View file

@ -1,3 +1,98 @@
commit 3629f2c3a59d44e265f0c66389435de1b2414998
Merge: 5dc251c c59a3b2
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 10 02:25:48 2025 -0400
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'
commit c59a3b233bd8893d466c020a2e2695ab545c6e60
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Sat Aug 9 21:55:03 2025 -0500
Fix unexpected shutdowns when booting Kicksecure from optical media
commit 5dc251c5da724092d264481740e4f6ed347aa0a7
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Aug 9 09:45:35 2025 +0000
bumped changelog version
commit 046c932898290d250a7900e3c59973a698e5c55f
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Aug 9 05:40:11 2025 -0400
`disable emerg-shutdown.service`:
Disabled due to bug: breaks ISO Live Mode Calamares installer
commit 0cc0a8310020afc10de6512095336e55559a84d9
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Aug 7 07:08:19 2025 +0000
bumped changelog version
commit 505a2b7d7995ad48a17add86513ced3499f64ee9
Merge: 4294165 3a77abe
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Aug 7 03:08:02 2025 -0400
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'
commit 3a77abe5c9807caec530e69c41d5cf803b625e70
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 20:05:57 2025 -0500
Port hardening options from kloak to emerg-shutdown, fix new compiler warnings
commit 0c1af00aae50dba2983c3736744e0da320bb9330
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 19:33:38 2025 -0500
Implement paranoid mode in emerg-shutdown
commit 29480df770047c8ada3e993cf28f87ffbfd71dec
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 19:24:34 2025 -0500
Improve emerg-shutdown usage documentation
commit 2a3bc39eba317d5f9b0e710dd3663c82d92add94
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 19:10:37 2025 -0500
Use Ctrl+Alt+End as the default panic key rather than Ctrl+Alt+Delete
commit 44e7d3059a5618991a1408f77707132bfea86fef
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 19:10:14 2025 -0500
Integrate emerg-shutdown into the initramfs
commit 42941653621311187650f12e8d7aa39c45cb6984
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Aug 6 08:27:15 2025 +0000
bumped changelog version
commit 784ff8af3616765a9c22febf66b522376ecedf12
Merge: c2690ef 5a17e67
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Aug 6 04:26:37 2025 -0400
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'
commit 5a17e67c0a7678300f6342d5c90ded5494ebc838
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Tue Aug 5 20:14:07 2025 -0500
Fix local-fs.target dependency in emerg-shutdown.service
commit c2690efcacbf7be7c57751ba1cee7f910d350cfc
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon Aug 4 09:27:11 2025 +0000
bumped changelog version
commit 166bc257b0b2eea87d684cc847bf6da1fba7c4b4
Merge: d1bca02 63f2909
Author: Patrick Schleizer <adrelanos@whonix.org>

24
debian/changelog vendored
View file

@ -1,3 +1,27 @@
security-misc (3:47.0-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sun, 10 Aug 2025 06:34:30 +0000
security-misc (3:46.9-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sat, 09 Aug 2025 09:45:34 +0000
security-misc (3:46.8-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 07 Aug 2025 07:08:19 +0000
security-misc (3:46.7-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 06 Aug 2025 08:27:15 +0000
security-misc (3:46.6-1) unstable; urgency=medium
* New upstream version (local package).

2
debian/control vendored
View file

@ -13,7 +13,7 @@ Build-Depends: config-package-dev,
Homepage: https://www.kicksecure.com/wiki/Security-misc
Vcs-Browser: https://github.com/Kicksecure/security-misc
Vcs-Git: https://github.com/Kicksecure/security-misc.git
Standards-Version: 4.6.2
Standards-Version: 4.7.2
Rules-Requires-Root: no
Package: security-misc

21
etc/default/grub.d/40_kernel_hardening.cfg
View file

@ -188,15 +188,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## The default implementation is FineIBT as of Linux kernel 6.2.
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
## FineIBT may result in some performance benefits as it only performs checking at destinations.
## FineIBT may result in some performance benefits as it only performs hash checks at the destinations.
## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass.
## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
## Do not modify from the default setting if unsure of implications.
##
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
## https://lwn.net/Articles/891976/
## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
## https://docs.kernel.org/next/x86/shstk.html
@ -207,12 +206,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## KSPP=yes
## KSPP sets the kernel parameter.
##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
## Disable support for x86 processes and syscalls.
## Disable support for all 32-bit x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
##
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
@ -220,10 +216,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## KSPP=yes
## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
## Disable EFI persistent storage feature.
## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.

5
etc/default/grub.d/41_recovery_restrict.cfg
View file

@ -7,14 +7,17 @@
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
## Disable access to single-user (recovery) mode.
## Disable access to the GRUB single-user (recovery) mode menu entries.
##
## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
##
GRUB_DISABLE_RECOVERY="true"
## Disable access to Dracut's recovery console.
## Prevents the emergency shell from starting automatically during boot failures.
##
## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell
## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
##
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"

2
etc/modprobe.d/30_security-misc_blacklist.conf
View file

@ -27,7 +27,7 @@ blacklist sr_mod
## Partial selection of their infrastructure blacklist.
## Duplicate and already disabled modules have been omitted.
##
## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf
## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf
##
#blacklist cfg80211
#blacklist intel_agp

2
etc/security-misc/emerg-shutdown/30_security_misc.conf
View file

@ -17,7 +17,7 @@
##
## The default key sequence triggers a shutdown when Ctrl+Alt+Delete is
## pressed, allowing the use of either the left or right Ctrl and Alt keys.
EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_END"
## Set the maximum number of seconds shutdown can take. If shutdown gets stuck
## for longer than this, the system will forcibly power down.

4
etc/security/limits.d/30_security-misc.conf
View file

@ -2,4 +2,6 @@
## See the file COPYING for copying conditions.
## Disable coredumps.
* hard core 0
## `-` in the second field sets both hard and soft limits at the same time.
## See `man 5 limits.conf`.
* - core 0

22
etc/ssh/ssh_config.d/30_security-misc.conf Normal file
View file

@ -0,0 +1,22 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Don't edit this file, to overwrite any options, edit a file with a higher
## number that is read later by SSH, such as
## '/etc/ssh/ssh_config.d/50_user.conf'. If your configuration changes do not
## need to be system-wide, you may also consider placing overrides in
## ~/.ssh/config.
## See also:
## https://www.kicksecure.com/wiki/SSH#Client_Configuration_File
Host *
VisualHostKey yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
## To force the use of quantum-resistant key exchange algorithms, override
## the above with
# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519

82
etc/ssh/sshd_config.d/30_security-misc.conf Normal file
View file

@ -0,0 +1,82 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Don't edit this file, to overwrite any options, edit a file with a higher
## number that is read later by SSHD, such as
## '/etc/ssh/sshd_config.d/50_user.conf'.
## See also:
## https://www.kicksecure.com/wiki/SSH#Server_Configuration_File
## This is okay because of strict firewall. For an onion-only server, listen
## on 127.0.0.1.
ListenAddress 0.0.0.0
## Number of allowed login attempts per connection.
MaxAuthTries 3
## Require strong ciphers and algorithms.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
## To force the use of quantum-resistant key exchange algorithms, override the
## above with
# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
## Override with 'no' to fully deny root login, or leave this as
## 'prohibit-password' for denying root password login but still allowing
## other authentication methods such as public key.
PermitRootLogin prohibit-password
## Public key authentication is transparent, non-interactive and more secure.
PasswordAuthentication no
## Change to 'yes' to enable challenge-response passwords (beware issues with
## some PAM modules and threads)
KbdInteractiveAuthentication no
## PAM can be used for account and session processing when using
## ChallengeResponseAuthentication or PasswordAuthentication.
##
## Depending on your PAM configuration, PAM authentication via
## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin
## without-password".
##
## If you want PAM account and session checks to run without PAM
## authentication, then enable this but set PasswordAuthentication and
## ChallengeResponseAuthentication to 'no'.
##
## The default upstream is 'no', Debian sets this to 'yes'. If using a locked
## account, read:
## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
## We set it to 'yes' to work with libpam-tmpdir.
## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir
## Also folders such as '/run/user/1000' will exist thanks to PAM.
## The absence of that folder can lead to issues (such as with msgcollector).
UsePAM yes
## Block dangerous forwarding.
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
## Hide unnecessary login banners.
PrintMotd no
#Banner /etc/issue.net
#Hiding Debian version from SSH banner (obscurity)
DebianBanner no
## Some options are dangerous but may be required in certain circumstances. As
## an example, if forwarding is required, selectively allow it with a 'Match'
## block. Consider a new separate user named 'tunnel' which wants to forward
## its local port to be available on the server on port 443. Note that a
## tunnel user doesn't even require a TTY nor a shell, so don't forget to
## change the 'tunnel' shell to something that prevents login such as
## '/usr/sbin/nologin'.
#Match User tunnel
# AllowTcpForwarding yes
# PermitListen localhost:443
# PermitTTY no

59
etc/thunderbird/pref/40_security-misc.js
View file

@ -1,59 +0,0 @@
//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
//#### See the file COPYING for copying conditions.
//#### meta start
//#### project Whonix and Kicksecure
//#### category security and apps
//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
//#### meta end
// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
pref("network.IDN_show_punycode", true);
// Disable all and any kind of telemetry by default
pref("toolkit.telemetry.enabled", false);
pref("toolkit.telemetry.unified", false);
pref("toolkit.telemetry.shutdownPingSender.enabled", false);
pref("toolkit.telemetry.updatePing.enabled", false);
pref("toolkit.telemetry.archive.enabled", false);
pref("toolkit.telemetry.bhrPing.enabled", false);
pref("toolkit.telemetry.firstShutdownPing.enabled", false);
pref("toolkit.telemetry.newProfilePing.enabled", false);
pref("toolkit.telemetry.server", ""); // Defense in depth
pref("toolkit.telemetry.server_owner", ""); // Defense in depth
pref("datareporting.healthreport.uploadEnabled", false);
pref("datareporting.policy.dataSubmissionEnabled", false);
pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox
pref("toolkit.coverage.opt-out", true); // from Firefox
// Disable implicit outbound traffic
pref("network.connectivity-service.enabled", false);
pref("network.prefetch-next", false);
pref("network.dns.disablePrefetch", true);
pref("network.predictor.enabled", false);
// No need to explain the problems with javascript
// If you want javascript, use your browser
// Thunderbird needs no javascript
// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. So commented out for now.
// Disable scripting when viewing pdf files
user_pref("pdfjs.enableScripting", false);
// If you want cookies, use your browser
pref("network.cookie.cookieBehavior", 2);
// Do not send user agent information
// For email clients, this is more like a relic of the past
// Completely not necessary and just exposes a lot of information about the client
// Since v115.0 Thunderbird already minimizes the user agent
// But we want it gone for good for no information leak at all
// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7
pref("mailnews.headers.sendUserAgent", false);
// Normally we send emails after marking them with a time stamp
// That includes our local time zone
// This option makes our local time zone appear as UTC
// And rounds the time stamp to the closes minute
// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719
pref("mail.sanitize_date_header", true);

55
etc/usbguard/rules.d/30_security-misc.conf Normal file
View file

@ -0,0 +1,55 @@
## We allow devices that were plugged in before the daemon starts. Everything
## is blocked as the default. Following rules apply on top of this.
## Explicitly reject any interface that is not documented and/or defined by
## USB.org.
## Note: Most probably superfluous.
reject with-interface none-of { 00:*:* 01:*:* 02:*:* 03:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:* }
## Allow all mouses and keyboards, in a sense, so the user can conveniently
## change them without restrating the daemon.
## Allow only one keyboard to be connected
allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 })
## Allow only one mouse to be connected
allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equals { 03:01:02 })
## NOTE: Some HID devices will have an interface of 03:00:00 - these are HID
## devices that do not support a "boot interface". **These are blocked
## entirely.** It is very likely that this will cause issues with some mice
## and keyboards. Also note, all HID devices other than mice and keyboards
## will be blocked, **including touchscreens.**
## Explicitly reject any device with a mouse/keyboard interface in
## combination with some other interface.
## Mice and keyboards should likely never have non-HID interfaces provided
## alongside them.
reject with-interface all-of { 03:*:* 00:*:* }
reject with-interface all-of { 03:*:* 01:*:* }
reject with-interface all-of { 03:*:* 02:*:* }
reject with-interface all-of { 03:*:* 05:*:* }
reject with-interface all-of { 03:*:* 06:*:* }
reject with-interface all-of { 03:*:* 07:*:* }
reject with-interface all-of { 03:*:* 08:*:* }
reject with-interface all-of { 03:*:* 09:*:* }
reject with-interface all-of { 03:*:* 0a:*:* }
reject with-interface all-of { 03:*:* 0b:*:* }
reject with-interface all-of { 03:*:* 0d:*:* }
reject with-interface all-of { 03:*:* 0e:*:* }
reject with-interface all-of { 03:*:* 0f:*:* }
reject with-interface all-of { 03:*:* 10:*:* }
reject with-interface all-of { 03:*:* 11:*:* }
reject with-interface all-of { 03:*:* 12:*:* }
reject with-interface all-of { 03:*:* 13:*:* }
reject with-interface all-of { 03:*:* 14:*:* }
reject with-interface all-of { 03:*:* 3c:*:* }
reject with-interface all-of { 03:*:* dc:*:* }
reject with-interface all-of { 03:*:* e0:*:* }
reject with-interface all-of { 03:*:* ef:*:* }
reject with-interface all-of { 03:*:* fe:*:* }
reject with-interface all-of { 03:*:* ff:*:* }
## Allow USB mass storage, if and only if the USB device only has the mass
## storage interface and nothing extra.
## Suspicious interface combinations with mass storage are blocked.
allow with-interface equals { 08:*:* }

48
usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh Executable file
View file

@ -0,0 +1,48 @@
#!/bin/bash
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## called by dracut
check() {
require_binaries /run/emerg-shutdown || return 1
return 255
}
## called by dracut
depends() {
echo 'systemd bash'
return 0
}
## called by dracut
install() {
local config_file
inst systemd-notify
inst_simple /usr/libexec/security-misc/emerg-shutdown
inst_simple /usr/share/security-misc/emerg-shutdown-initramfs.service /usr/lib/systemd/system/emerg-shutdown-initramfs.service
inst_simple /run/emerg-shutdown /emerg-shutdown
for config_file in /etc/security-misc/emerg-shutdown/*.conf; do
if [ -f "${config_file}" ]; then
inst_multiple /etc/security-misc/emerg-shutdown/*.conf
break
fi
done
for config_file in /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
if [ -f "${config_file}" ]; then
inst_multiple /usr/local/etc/security-misc/emerg-shutdown/*.conf
break
fi
done
mkdir -p "${initdir}/usr/lib/systemd/system/initrd.target.wants"
ln -s '../emerg-shutdown-initramfs.service' "${initdir}/usr/lib/systemd/system/initrd.target.wants/emerg-shutdown-initramfs.service"
}
## called by dracut
installkernel () {
hostonly='' instmods evdev
}

4
usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
View file

@ -6,14 +6,14 @@
## configuration. When security-misc is updated, this file may be overwritten.
## Used for SSH client key management
## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
## https://manpages.debian.org/ssh-agent
## Debian installs ssh-agent with setgid permissions (2755) and with
## _ssh as the group to help mitigate ptrace attacks that could extract
## private keys from the agent's memory.
ssh-agent matchwhitelist
## Used only for SSH host-based authentication
## https://linux.die.net/man/8/ssh-keysign
## https://manpages.debian.org/ssh-keysign
## Needed to allow access to the machine's host key for use in the
## authentication process. This is a non-default method of authenticating to
## SSH, and is likely rarely used, thus this should be safe to disable.

9
usr/lib/sysctl.d/990-security-misc.conf
View file

@ -202,19 +202,17 @@ kernel.perf_event_paranoid=3
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
## Can lead to privilege escalation by pushing characters into a controlling TTY.
## Will break out-dated screen readers that continue to rely on this legacy functionality.
## Note this was already disabled by default as of Linux kernel 6.2.
##
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
##
## KSPP=yes
## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
##
## TODO: Debian 13 Trixie
## This is disabled by default when using Linux kernel >= 6.2.
##
dev.tty.legacy_tiocsti=0
## Disable asynchronous I/O for all processes.
## Leading cause of numerous kernel exploits.
## Use of io_uring has been the leading cause of numerous kernel exploits.
## Disabling will reduce the read/write performance of storage devices.
##
## https://en.wikipedia.org/wiki/Io_uring#Security
@ -223,9 +221,6 @@ dev.tty.legacy_tiocsti=0
## https://github.com/moby/moby/pull/46762
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
##
kernel.io_uring_disabled=2
## 2. User Space:

4
usr/lib/systemd/system-preset/50-security-misc.preset
View file

@ -18,7 +18,11 @@ disable proc-hidepid.service
## https://github.com/Kicksecure/security-misc/issues/159
disable harden-module-loading.service
## TODO: polish, test
## Disable due to timing difficulties. See:
## https://github.com/systemd/systemd/issues/38261#issuecomment-3134580852
disable ensure-shutdown.service
disable ensure-shutdown-trigger.service
## TODO: Disabled due to bug: breaks ISO Live Mode Calamares installer
disable emerg-shutdown.service

8
usr/lib/systemd/system/emerg-shutdown.service
View file

@ -6,10 +6,10 @@ Description=Emergency shutdown when boot media is removed
Documentation=https://github.com/Kicksecure/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=udev.service
After=udev.service
Requires=local-fs.service
After=local-fs.service
Requires=systemd-udevd.service
After=systemd-udevd.service
Requires=local-fs.target
After=local-fs.target
[Service]
Type=notify

4
usr/lib/systemd/system/ensure-shutdown.service
View file

@ -9,8 +9,8 @@ Description=Forcibly shut down the system if normal shutdown gets stuck
Documentation=https://github.com/Kicksecure/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=udev.service
After=udev.service
Requires=systemd-udevd.service
After=systemd-udevd.service
Wants=emerg-shutdown.service
After=emerg-shutdown.service

46
usr/libexec/security-misc/apt-get-update
View file

@ -1,46 +0,0 @@
#!/bin/bash
## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## TODO: Move this to helper-scripts.
set -o errexit
set -o nounset
set -o errtrace
set -o pipefail
command -v start-stop-daemon >/dev/null
command -v timeout >/dev/null
command -v apt-get >/dev/null
export LC_ALL=C
pidfile="/run/helper-scripts/security-misc-apt-get-update-pid"
sigterm_trap() {
/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null
exit 143
}
## terminate potential previous invocations.
/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null
trap "sigterm_trap" SIGTERM SIGINT
[[ -v timeout_after ]] || timeout_after="600"
[[ -v kill_after ]] || kill_after="10"
start-stop-daemon \
--make-pidfile \
--pidfile "$pidfile" \
--exec /usr/bin/timeout \
--start \
-- \
--kill-after="$kill_after" \
"$timeout_after" \
apt-get update --error-on=any "$@" &
lastpid="$!"
wait "$lastpid"
exit "$?"

21
usr/libexec/security-misc/apt-get-update-sanity-test
View file

@ -1,21 +0,0 @@
#!/bin/bash
## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -x
set -e
set -o pipefail
if ! printf '%s\n' "" | wc -l >/dev/null ; then
printf '%s\n' "\
$0: ERROR: command 'wc' test failed! Do not ignore this!
'wc' can core dump. Example:
zsh: illegal hardware instruction (core dumped) wc -l
https://github.com/rspamd/rspamd/issues/5137" >&2
exit 1
fi
wc -L "/var/lib/apt/lists/"*InRelease
wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'

2
usr/libexec/security-misc/askpass
View file

@ -7,4 +7,4 @@ set -e
title="$0: password required for $(whoami) to perform action as superuser"
zenity --password --title="$title"
yad --password --title="$title"

80
usr/libexec/security-misc/emerg-shutdown
View file

@ -1,7 +1,7 @@
#!/bin/bash
# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
# See the file COPYING for copying conditions.
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -o errexit
set -o nounset
@ -11,6 +11,27 @@ set -o pipefail
## Make sure globs sort in a predictable, reproducible fashion
export LC_ALL=C
in_dracut='false'
if [ -f '/dracut-state.sh' ]; then
in_dracut='true'
fi
binary_prefix='/run'
EMERG_SHUTDOWN_KEYS=''
root_devices[0]=''
## Taken from kloak/Makefile, see it for more information
gcc_hardening_options=(
"-Wall" "-Wformat" "-Wformat=2" "-Wconversion"
"-Wimplicit-fallthrough" "-Werror=format-security" "-Werror=implicit"
"-Werror=int-conversion" "-Werror=incompatible-pointer-types"
"-Wtrampolines" "-Wbidi-chars=any" "-U_FORTIFY_SOURCE" "-D_FORTIFY_SOURCE=3"
"-fstack-clash-protection" "-fstack-protector-strong"
"-fno-delete-null-pointer-checks" "-fno-strict-overflow"
"-fno-strict-aliasing" "-fsanitize=undefined" "-fcf-protection=full"
"-Wl,-z,nodlopen" "-Wl,-z,noexecstack" "-Wl,-z,relro" "-Wl,-z,now"
"-Wl,--as-needed" "-Wl,--no-copy-dt-needed-entries" "-pie"
)
## Read emergency shutdown key configuration
for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
if [ -f "${config_file}" ]; then
@ -18,38 +39,41 @@ for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/secur
source "${config_file}"
fi
done
if [ -z "${EMERG_SHUTDOWN_KEYS}" ]; then
## Default to Ctrl+Alt+Delete if nothing else is set
EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
fi
## Find the devices that make up the root device
readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;
if [ "${#root_devices[@]}" = '0' ] \
|| [ "${root_devices[0]}" == '' ]; then
## /dev/sda1 might be the right one...
root_devices[0]='/dev/sda1'
fi
if [ "${in_dracut}" = 'true' ]; then
binary_prefix=''
modprobe evdev || {
printf '%s\n' 'Failed to load evdev driver!'
exit 1
}
## modules may not work immediately after loaded, give them time to
## initialize
sleep 0.1
else
## Find the devices that make up the root device
readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;
## Build the actual emerg-shutdown executable
if [ ! -f '/run/emerg-shutdown' ]; then
gcc \
-o \
/run/emerg-shutdown \
-static \
/usr/src/security-misc/emerg-shutdown.c \
|| {
printf "%s\n" 'Could not compile force-shutdown executable!'
exit 1;
}
## Build the actual emerg-shutdown executable
if [ ! -f '/run/emerg-shutdown' ]; then
gcc \
-o \
/run/emerg-shutdown \
-static \
"${gcc_hardening_options[@]}" \
/usr/src/security-misc/emerg-shutdown.c \
|| {
printf "%s\n" 'Could not compile force-shutdown executable!'
exit 1
}
fi
## memlockd daemonizes itself, so no need to background it.
memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
fi
systemd-notify --ready
## memlockd daemonizes itself, so no need to background it.
memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
## Launch emerg-shutdown
OLDIFS="$IFS"
IFS=','
/run/emerg-shutdown "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
"${binary_prefix}/emerg-shutdown" "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"

4
usr/libexec/security-misc/panic-on-oops
View file

@ -17,10 +17,14 @@ fi
## to run after an inconsistent state is triggered by a potentially
## flawed processes. The reasons for the errors could be kernel
## exploit attempts but may also simply be general software bugs.
##
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
sysctl kernel.oops_limit=1
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
sysctl kernel.warn_limit=1
## Makes the system immediately reboot on the occurrence of a single
## kernel panic. This reduces the risk and impact of denial of
## service attacks and both cold and warmm boot attacks.
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
sysctl kernel.panic=-1

21
usr/share/security-misc/emerg-shutdown-initramfs.service Normal file
View file

@ -0,0 +1,21 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This file should not be installed on the host system, it is intended for
## inclusion in a dracut initramfs only.
[Unit]
Description=Emergency shutdown when boot media is removed
Documentation=https://github.com/Kicksecure/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=systemd-udevd.service
After=systemd-udevd.service
[Service]
Type=notify
ExecStart=/usr/libexec/security-misc/emerg-shutdown
NotifyAccess=main
[Install]
WantedBy=sysinit.target

107
usr/src/security-misc/emerg-shutdown.c
View file

@ -42,7 +42,7 @@
* be entirely possible. To give our feature the highest chance of success:
*
* - We use memlockd to lock systemd and all libraries it depends on into
* memory. It can holds its own pretty well in the event of a segfault, but
* memory. It can hold its own pretty well in the event of a segfault, but
* if its crash handler ends up re-segfaulting, that could get ugly.
* - We compile the utility at boot time, statically link it against all of
* its dependencies (really only one, glibc), and load it into /run. This
@ -94,6 +94,7 @@
#include <sys/stat.h>
#include <signal.h>
#include <errno.h>
#include <limits.h>
#define fd_stdin 0
#define fd_stdout 1
@ -113,7 +114,7 @@ int console_fd = 0;
/* Adapted from kloak/src/keycodes.c */
struct name_value {
const char *name;
const int value;
const uint32_t value;
};
static struct name_value key_table[] = {
{"KEY_ESC", KEY_ESC},
@ -259,14 +260,14 @@ static struct name_value key_table[] = {
{"KEY_UNKNOWN", KEY_UNKNOWN},
{NULL, 0}
};
int lookup_keycode(const char *name) {
uint32_t lookup_keycode(const char *name) {
struct name_value *p;
for (p = key_table; p->name != NULL; ++p) {
if (strcmp(p->name, name) == 0) {
return p->value;
}
}
return -1;
return 0;
}
/* Adapted from systemd/src/login/logind-button.c */
@ -278,7 +279,11 @@ void print(int fd, char *str) {
size_t len = strlen(str) + 1;
while (true) {
ssize_t write_len = write(fd, str, len);
len -= write_len;
if (write_len < 0) {
/* File descriptor was closed, continue regardless */
return;
}
len -= (size_t)write_len;
if (len == 0) {
return;
}
@ -288,13 +293,33 @@ void print(int fd, char *str) {
void print_usage() {
print(fd_stderr, "Usage:\n");
print(fd_stderr, " emerg-shutdown --devices=DEVICE1[,DEVICE2...] --keys=KEY_1[,KEY_2|KEY_3...]\n");
print(fd_stderr, "Or:\n");
print(fd_stderr, " emerg-shutdown --instant-shutdown\n");
print(fd_stderr, "Or:\n");
print(fd_stderr, " emerg-shutdown --monitor-fifo --timeout=TIMEOUT\n");
print(fd_stderr, " emerg-shutdown [OPTIONS...]\n");
print(fd_stderr, "Options:\n");
print(fd_stderr, " --devices=DEVICE1[,DEVICE2...]\n");
print(fd_stderr, " A comma-separated list of devices. If any of these devices are\n");
print(fd_stderr, " removed from the system, an emergency shutdown will occur.\n");
print(fd_stderr, " --keys=KEY_1[,KEY_2|KEY_3...]\n");
print(fd_stderr, " A comma-separated list of keys. If all of the specified keys are\n");
print(fd_stderr, " pressed at the same time, an emergency shutdown will occur.\n");
print(fd_stderr, " Keys separated with a pipe will be treated as aliases of each\n");
print(fd_stderr, " other.\n");
print(fd_stderr, " --paranoid\n");
print(fd_stderr, " Watches for the removal of any removable device whatsoever. An\n");
print(fd_stderr, " emergency shutdown will be triggered if any device is removed.\n");
print(fd_stderr, " Cannot be combined with --devices.\n");
print(fd_stderr, " --instant-shutdown\n");
print(fd_stderr, " Immediately triggers an emergency shutdown. Cannot be combined\n");
print(fd_stderr, " with other options.\n");
print(fd_stderr, " --monitor-fifo\n");
print(fd_stderr, " Used internally to implement the ensure-shutdown service. Do\n");
print(fd_stderr, " not use.\n");
print(fd_stderr, " --timeout=TIMEOUT\n");
print(fd_stderr, " Used internally to implement the ensure-shutdown service. Do\n");
print(fd_stderr, " not use.\n");
print(fd_stderr, "Example:\n");
print(fd_stderr, " emerg-shutdown --devices=/dev/sda3 --keys=KEY_POWER\n");
print(fd_stderr, "See /etc/security-misc/emerg-shutdown/30_security-misc.cofn to\n");
print(fd_stderr, "configure the emerg-shutdown service.\n");
}
void *safe_calloc(size_t nmemb, size_t size) {
@ -318,7 +343,7 @@ void *safe_reallocarray(void *ptr, size_t nmemb, size_t size) {
/* Inspired by https://www.strudel.org.uk/itoa/ */
char *int_to_str(uint32_t val) {
static char buf[11];
int8_t i;
uint8_t i;
char *rslt = NULL;
const char *digits = "0123456789";
@ -340,7 +365,7 @@ char *int_to_str(uint32_t val) {
void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list_ref, const char *sep, bool parse_opt) {
char **result_list = NULL;
size_t result_list_len = 0;
int arg_copy_len = strlen(arg) + 1;
size_t arg_copy_len = strlen(arg) + 1;
char *arg_copy = safe_calloc(1, arg_copy_len);
char *arg_val;
char *arg_part;
@ -372,7 +397,7 @@ void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list
free(arg_copy);
}
int kill_system() {
long int kill_system() {
/*
* It isn't safe to simply call the reboot syscall here - there is a
* graphics driver bug in the i915 driver on Bookworm that will throw a
@ -451,20 +476,21 @@ void hw_monitor(int argc, char **argv) {
size_t panic_key_list_len = 0;
char **panic_key_str_list = NULL;
char **target_dev_list = NULL;
int **panic_key_list = NULL;
uint32_t **panic_key_list = NULL;
bool *panic_key_active_list = NULL;
size_t event_fd_list_len = 0;
int *event_fd_list = NULL;
char input_path_buf[input_path_size];
struct pollfd *pollfd_list = NULL;
struct input_event ie_buf[64];
bool paranoid_mode = false;
/* Index variables */
int arg_idx = 0;
size_t tdl_idx = 0;
size_t tdp_char_idx = 0;
size_t pkl_idx = 0;
int input_idx = 0;
uint32_t input_idx = 0;
size_t efl_idx = 0;
int ie_idx = 0;
size_t kg_idx = 0;
@ -477,6 +503,8 @@ void hw_monitor(int argc, char **argv) {
exit(1);
}
load_list(argv[arg_idx], &target_dev_list_len, &target_dev_name_raw_list, ",", true);
} else if (strcmp(argv[arg_idx], "--paranoid") == 0) {
paranoid_mode = true;
} else if (strncmp(argv[arg_idx], "--keys=", strlen("--keys=")) == 0) {
if (panic_key_str_list != NULL) {
print(fd_stderr, "--keys cannot be passed more than once!\n");
@ -492,6 +520,11 @@ void hw_monitor(int argc, char **argv) {
exit(1);
}
}
if (target_dev_name_raw_list != NULL && paranoid_mode) {
print(fd_stderr, "--devices and --paranoid are mutually exclusive!\n");
print_usage();
exit(1);
}
console_fd = open("/dev/console", O_RDWR);
if (console_fd == -1) {
@ -500,7 +533,7 @@ void hw_monitor(int argc, char **argv) {
}
target_dev_list = safe_calloc(target_dev_list_len, sizeof(char *));
panic_key_list = safe_calloc(panic_key_list_len, sizeof(int *));
panic_key_list = safe_calloc(panic_key_list_len, sizeof(uint32_t *));
panic_key_active_list = safe_calloc(panic_key_list_len, sizeof(bool));
for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) {
@ -567,12 +600,12 @@ void hw_monitor(int argc, char **argv) {
size_t keygroup_str_list_len = 0;
char **keygroup_str_list = NULL;
load_list(panic_key_str_list[pkl_idx], &keygroup_str_list_len, &keygroup_str_list, "|", false);
int *pkl_element = safe_calloc(keygroup_str_list_len + 1, sizeof(int));
uint32_t *pkl_element = safe_calloc(keygroup_str_list_len + 1, sizeof(uint32_t));
pkl_element[keygroup_str_list_len] = 0;
for (kg_idx = 0; kg_idx < keygroup_str_list_len; kg_idx++) {
int keycode = lookup_keycode(keygroup_str_list[kg_idx]);
if (keycode < 0) {
uint32_t keycode = lookup_keycode(keygroup_str_list[kg_idx]);
if (keycode == 0) {
print(fd_stderr, "Invalid key code '");
print(fd_stderr, keygroup_str_list[kg_idx]);
print(fd_stderr, "'!\n");
@ -591,7 +624,7 @@ void hw_monitor(int argc, char **argv) {
struct sockaddr_nl sa = {
.nl_family = AF_NETLINK,
.nl_pad = 0,
.nl_pid = getpid(),
.nl_pid = (uint32_t)getpid(),
.nl_groups = NETLINK_KOBJECT_UEVENT,
};
int ns = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
@ -684,11 +717,10 @@ void hw_monitor(int argc, char **argv) {
continue;
}
size_t ieread_bytes = read(event_fd_list[efl_idx], ie_buf, sizeof(struct input_event) * 64);
ssize_t ieread_bytes = read(event_fd_list[efl_idx], ie_buf, sizeof(struct input_event) * 64);
if (ieread_bytes == -1
|| ieread_bytes == 0
|| (ieread_bytes % sizeof(struct input_event)) != 0) {
if (ieread_bytes <= 0
|| ((size_t)ieread_bytes % sizeof(struct input_event)) != 0) {
/* This will probably terminate the service if the user unplugs a
* keyboard or similar, however systemd can start it again. The
* alternative is to handle device hotplug, which sounds like a
@ -697,7 +729,8 @@ void hw_monitor(int argc, char **argv) {
exit(1);
}
for (ie_idx = 0; ie_idx < ieread_bytes / sizeof(struct input_event); ie_idx++) {
for (ie_idx = 0; ie_idx < (size_t)ieread_bytes / sizeof(struct input_event);
ie_idx++) {
if (ie_buf[ie_idx].type != EV_KEY) {
continue;
}
@ -745,7 +778,7 @@ void hw_monitor(int argc, char **argv) {
* NUL-terminated string "libudev" so they're easy to filter out.
*/
int len;
ssize_t len;
char buf[16384];
struct iovec iov = { buf, sizeof(buf) };
struct sockaddr_nl sa2;
@ -760,6 +793,7 @@ void hw_monitor(int argc, char **argv) {
char *tmpbuf = NULL;
bool device_removed = false;
bool device_changed = false;
bool disk_media_changed = false;
len = recvmsg(ns, &msg, 0);
if (len == -1) {
@ -788,6 +822,10 @@ void hw_monitor(int argc, char **argv) {
device_changed = true;
goto next_str;
}
if (strcmp(tmpbuf, "DISK_MEDIA_CHANGE=1") == 0) {
disk_media_changed = true;
goto next_str;
}
if (strncmp(tmpbuf, "DEVNAME=", strlen("DEVNAME=")) == 0) {
if (device_removed || device_changed) {
@ -828,6 +866,16 @@ void hw_monitor(int argc, char **argv) {
goto next_str;
}
if (device_changed && !disk_media_changed) {
free(rem_devname_line);
goto next_str;
}
if (paranoid_mode) {
/* Something was removed, we don't care what, shut down now */
kill_system();
}
for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) {
if (strcmp(rem_dev_name, target_dev_list[tdl_idx]) == 0) {
kill_system();
@ -841,7 +889,7 @@ void hw_monitor(int argc, char **argv) {
}
next_str:
len -= strlen(tmpbuf) + 1;
len = len - (ssize_t)(strlen(tmpbuf) + 1);
tmpbuf += strlen(tmpbuf) + 1;
}
}
@ -883,8 +931,9 @@ void fifo_monitor(int argc, char **argv) {
arg_part = strtok(arg_copy, "=");
/* returns everything after the = sign */
arg_part = strtok(NULL, "");
errno = 0;
monitor_fifo_timeout = strtol(arg_part, &arg_num_end, 10);
if (errno == ERANGE) {
if (errno == ERANGE || monitor_fifo_timeout > UINT_MAX) {
print(fd_stderr, "Timeout out of range!\n");
print_usage();
exit(1);
@ -949,7 +998,7 @@ void fifo_monitor(int argc, char **argv) {
if (trigger_fifo_charbuf == 'k') {
kill_system();
} else if (trigger_fifo_charbuf == 'd') {
sleep(monitor_fifo_timeout);
sleep((unsigned int)monitor_fifo_timeout);
kill_system();
}
}