Merge branch 'master' into panic_limits

2025-11-25 15:18:31 -05:00 · 2025-08-21 10:27:44 +10:00 · 2025-08-21 10:27:44 +10:00 · e48897cc44
commit e48897cc44
parent add054933b c2d5bf38f5
27 changed files with 522 additions and 236 deletions
--- a/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh
+++ b/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh
@ -0,0 +1,48 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## called by dracut
+check() {
+  require_binaries /run/emerg-shutdown || return 1
+  return 255
+}
+
+## called by dracut
+depends() {
+  echo 'systemd bash'
+  return 0
+}
+
+## called by dracut
+install() {
+  local config_file
+
+  inst systemd-notify
+
+  inst_simple /usr/libexec/security-misc/emerg-shutdown
+  inst_simple /usr/share/security-misc/emerg-shutdown-initramfs.service /usr/lib/systemd/system/emerg-shutdown-initramfs.service
+  inst_simple /run/emerg-shutdown /emerg-shutdown
+
+  for config_file in /etc/security-misc/emerg-shutdown/*.conf; do
+    if [ -f "${config_file}" ]; then
+      inst_multiple /etc/security-misc/emerg-shutdown/*.conf
+      break
+    fi
+  done
+  for config_file in /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
+    if [ -f "${config_file}" ]; then
+      inst_multiple /usr/local/etc/security-misc/emerg-shutdown/*.conf
+      break
+    fi
+  done
+
+  mkdir -p "${initdir}/usr/lib/systemd/system/initrd.target.wants"
+  ln -s '../emerg-shutdown-initramfs.service' "${initdir}/usr/lib/systemd/system/initrd.target.wants/emerg-shutdown-initramfs.service"
+}
+
+## called by dracut
+installkernel () {
+  hostonly='' instmods evdev
+}
--- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
@ -6,14 +6,14 @@
 ## configuration. When security-misc is updated, this file may be overwritten.

 ## Used for SSH client key management
-## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
+## https://manpages.debian.org/ssh-agent
 ## Debian installs ssh-agent with setgid permissions (2755) and with
 ## _ssh as the group to help mitigate ptrace attacks that could extract
 ## private keys from the agent's memory.
 ssh-agent matchwhitelist

 ## Used only for SSH host-based authentication
-## https://linux.die.net/man/8/ssh-keysign
+## https://manpages.debian.org/ssh-keysign
 ## Needed to allow access to the machine's host key for use in the
 ## authentication process. This is a non-default method of authenticating to
 ## SSH, and is likely rarely used, thus this should be safe to disable.
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -202,19 +202,17 @@ kernel.perf_event_paranoid=3
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
 ## Will break out-dated screen readers that continue to rely on this legacy functionality.
+## Note this was already disabled by default as of Linux kernel 6.2.
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
 ## KSPP=yes
 ## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
 ##
-## TODO: Debian 13 Trixie
-## This is disabled by default when using Linux kernel >= 6.2.
-##
 dev.tty.legacy_tiocsti=0

 ## Disable asynchronous I/O for all processes.
-## Leading cause of numerous kernel exploits.
+## Use of io_uring has been the leading cause of numerous kernel exploits.
 ## Disabling will reduce the read/write performance of storage devices.
 ##
 ## https://en.wikipedia.org/wiki/Io_uring#Security
@ -223,9 +221,6 @@ dev.tty.legacy_tiocsti=0
 ## https://github.com/moby/moby/pull/46762
 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
-##
 kernel.io_uring_disabled=2

 ## 2. User Space:
--- a/usr/lib/systemd/system-preset/50-security-misc.preset
+++ b/usr/lib/systemd/system-preset/50-security-misc.preset
@ -18,7 +18,11 @@ disable proc-hidepid.service
 ## https://github.com/Kicksecure/security-misc/issues/159
 disable harden-module-loading.service

+## TODO: polish, test
 ## Disable due to timing difficulties. See:
 ## https://github.com/systemd/systemd/issues/38261#issuecomment-3134580852
 disable ensure-shutdown.service
 disable ensure-shutdown-trigger.service
+
+## TODO: Disabled due to bug: breaks ISO Live Mode Calamares installer
+disable emerg-shutdown.service
--- a/usr/lib/systemd/system/emerg-shutdown.service
+++ b/usr/lib/systemd/system/emerg-shutdown.service
@ -6,10 +6,10 @@ Description=Emergency shutdown when boot media is removed
 Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
-Requires=udev.service
-After=udev.service
-Requires=local-fs.service
-After=local-fs.service
+Requires=systemd-udevd.service
+After=systemd-udevd.service
+Requires=local-fs.target
+After=local-fs.target

 [Service]
 Type=notify
--- a/usr/lib/systemd/system/ensure-shutdown.service
+++ b/usr/lib/systemd/system/ensure-shutdown.service
@ -9,8 +9,8 @@ Description=Forcibly shut down the system if normal shutdown gets stuck
 Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
-Requires=udev.service
-After=udev.service
+Requires=systemd-udevd.service
+After=systemd-udevd.service
 Wants=emerg-shutdown.service
 After=emerg-shutdown.service

--- a/usr/libexec/security-misc/apt-get-update
+++ b/usr/libexec/security-misc/apt-get-update
@ -1,46 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## TODO: Move this to helper-scripts.
-
-set -o errexit
-set -o nounset
-set -o errtrace
-set -o pipefail
-
-command -v start-stop-daemon >/dev/null
-command -v timeout >/dev/null
-command -v apt-get >/dev/null
-
-export LC_ALL=C
-pidfile="/run/helper-scripts/security-misc-apt-get-update-pid"
-
-sigterm_trap() {
-   /usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null
-   exit 143
-}
-
-## terminate potential previous invocations.
-/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null
-
-trap "sigterm_trap" SIGTERM SIGINT
-
-[[ -v timeout_after ]] || timeout_after="600"
-[[ -v kill_after ]] || kill_after="10"
-
-start-stop-daemon \
-  --make-pidfile \
-  --pidfile "$pidfile" \
-  --exec /usr/bin/timeout \
-  --start \
-  -- \
-    --kill-after="$kill_after" \
-    "$timeout_after" \
-      apt-get update --error-on=any "$@" &
-
-lastpid="$!"
-wait "$lastpid"
-
-exit "$?"
--- a/usr/libexec/security-misc/apt-get-update-sanity-test
+++ b/usr/libexec/security-misc/apt-get-update-sanity-test
@ -1,21 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-set -x
-set -e
-set -o pipefail
-
-if ! printf '%s\n' "" | wc -l >/dev/null ; then
-  printf '%s\n' "\
-$0: ERROR: command 'wc' test failed! Do not ignore this!
-
-'wc' can core dump. Example:
-zsh: illegal hardware instruction (core dumped) wc -l
-https://github.com/rspamd/rspamd/issues/5137" >&2
-  exit 1
-fi
-
-wc -L "/var/lib/apt/lists/"*InRelease
-wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
--- a/usr/libexec/security-misc/askpass
+++ b/usr/libexec/security-misc/askpass
@ -7,4 +7,4 @@ set -e

 title="$0: password required for $(whoami) to perform action as superuser"

-zenity --password --title="$title"
+yad --password --title="$title"
--- a/usr/libexec/security-misc/emerg-shutdown
+++ b/usr/libexec/security-misc/emerg-shutdown
@ -1,7 +1,7 @@
 #!/bin/bash

-# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
-# See the file COPYING for copying conditions.
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.

 set -o errexit
 set -o nounset
@ -11,6 +11,27 @@ set -o pipefail
 ## Make sure globs sort in a predictable, reproducible fashion
 export LC_ALL=C

+in_dracut='false'
+if [ -f '/dracut-state.sh' ]; then
+  in_dracut='true'
+fi
+binary_prefix='/run'
+EMERG_SHUTDOWN_KEYS=''
+root_devices[0]=''
+
+## Taken from kloak/Makefile, see it for more information
+gcc_hardening_options=(
+  "-Wall" "-Wformat" "-Wformat=2" "-Wconversion"
+  "-Wimplicit-fallthrough" "-Werror=format-security" "-Werror=implicit"
+  "-Werror=int-conversion" "-Werror=incompatible-pointer-types"
+  "-Wtrampolines" "-Wbidi-chars=any" "-U_FORTIFY_SOURCE" "-D_FORTIFY_SOURCE=3"
+  "-fstack-clash-protection" "-fstack-protector-strong"
+  "-fno-delete-null-pointer-checks" "-fno-strict-overflow"
+  "-fno-strict-aliasing" "-fsanitize=undefined" "-fcf-protection=full"
+  "-Wl,-z,nodlopen" "-Wl,-z,noexecstack" "-Wl,-z,relro" "-Wl,-z,now"
+  "-Wl,--as-needed" "-Wl,--no-copy-dt-needed-entries" "-pie"
+)
+
 ## Read emergency shutdown key configuration
 for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
  if [ -f "${config_file}" ]; then
@ -18,38 +39,41 @@ for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/secur
    source "${config_file}"
  fi
 done
-if [ -z "${EMERG_SHUTDOWN_KEYS}" ]; then
-  ## Default to Ctrl+Alt+Delete if nothing else is set
-  EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
-fi

-## Find the devices that make up the root device
-readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;
-if [ "${#root_devices[@]}" = '0' ] \
-  || [ "${root_devices[0]}" == '' ]; then
-  ## /dev/sda1 might be the right one...
-  root_devices[0]='/dev/sda1'
-fi
+if [ "${in_dracut}" = 'true' ]; then
+  binary_prefix=''
+  modprobe evdev || {
+    printf '%s\n' 'Failed to load evdev driver!'
+    exit 1
+  }
+  ## modules may not work immediately after loaded, give them time to
+  ## initialize
+  sleep 0.1
+else
+  ## Find the devices that make up the root device
+  readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;

-## Build the actual emerg-shutdown executable
-if [ ! -f '/run/emerg-shutdown' ]; then
-  gcc \
-    -o \
-    /run/emerg-shutdown \
-    -static \
-    /usr/src/security-misc/emerg-shutdown.c \
-    || {
-      printf "%s\n" 'Could not compile force-shutdown executable!'
-      exit 1;
-    }
+  ## Build the actual emerg-shutdown executable
+  if [ ! -f '/run/emerg-shutdown' ]; then
+    gcc \
+      -o \
+      /run/emerg-shutdown \
+      -static \
+      "${gcc_hardening_options[@]}" \
+      /usr/src/security-misc/emerg-shutdown.c \
+      || {
+        printf "%s\n" 'Could not compile force-shutdown executable!'
+        exit 1
+      }
+  fi
+
+  ## memlockd daemonizes itself, so no need to background it.
+  memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
 fi

 systemd-notify --ready

-## memlockd daemonizes itself, so no need to background it.
-memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
-
 ## Launch emerg-shutdown
 OLDIFS="$IFS"
 IFS=','
-/run/emerg-shutdown "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
+"${binary_prefix}/emerg-shutdown" "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
@ -17,10 +17,14 @@ fi
 ## to run after an inconsistent state is triggered by a potentially
 ## flawed processes. The reasons for the errors could be kernel
 ## exploit attempts but may also simply be general software bugs.
+##
+## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
 sysctl kernel.oops_limit=1
+## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
 sysctl kernel.warn_limit=1

 ## Makes the system immediately reboot on the occurrence of a single
 ## kernel panic. This reduces the risk and impact of denial of
 ## service attacks and both cold and warmm boot attacks.
+## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
 sysctl kernel.panic=-1
--- a/usr/share/security-misc/emerg-shutdown-initramfs.service
+++ b/usr/share/security-misc/emerg-shutdown-initramfs.service
@ -0,0 +1,21 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file should not be installed on the host system, it is intended for
+## inclusion in a dracut initramfs only.
+
+[Unit]
+Description=Emergency shutdown when boot media is removed
+Documentation=https://github.com/Kicksecure/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=systemd-udevd.service
+After=systemd-udevd.service
+
+[Service]
+Type=notify
+ExecStart=/usr/libexec/security-misc/emerg-shutdown
+NotifyAccess=main
+
+[Install]
+WantedBy=sysinit.target
--- a/usr/src/security-misc/emerg-shutdown.c
+++ b/usr/src/security-misc/emerg-shutdown.c
@ -42,7 +42,7 @@
 * be entirely possible. To give our feature the highest chance of success:
 *
 * - We use memlockd to lock systemd and all libraries it depends on into
- *   memory. It can holds its own pretty well in the event of a segfault, but
+ *   memory. It can hold its own pretty well in the event of a segfault, but
 *   if its crash handler ends up re-segfaulting, that could get ugly.
 * - We compile the utility at boot time, statically link it against all of
 *   its dependencies (really only one, glibc), and load it into /run. This
@ -94,6 +94,7 @@
 #include <sys/stat.h>
 #include <signal.h>
 #include <errno.h>
+#include <limits.h>

 #define fd_stdin 0
 #define fd_stdout 1
@ -113,7 +114,7 @@ int console_fd = 0;
 /* Adapted from kloak/src/keycodes.c */
 struct name_value {
    const char *name;
-    const int value;
+    const uint32_t value;
 };
 static struct name_value key_table[] = {
        {"KEY_ESC", KEY_ESC},
@ -259,14 +260,14 @@ static struct name_value key_table[] = {
        {"KEY_UNKNOWN", KEY_UNKNOWN},
        {NULL, 0}
 };
-int lookup_keycode(const char *name) {
+uint32_t lookup_keycode(const char *name) {
  struct name_value *p;
  for (p = key_table; p->name != NULL; ++p) {
    if (strcmp(p->name, name) == 0) {
      return p->value;
    }
  }
-  return -1;
+  return 0;
 }

 /* Adapted from systemd/src/login/logind-button.c */
@ -278,7 +279,11 @@ void print(int fd, char *str) {
  size_t len = strlen(str) + 1;
  while (true) {
    ssize_t write_len = write(fd, str, len);
-    len -= write_len;
+    if (write_len < 0) {
+      /* File descriptor was closed, continue regardless */
+      return;
+    }
+    len -= (size_t)write_len;
    if (len == 0) {
      return;
    }
@ -288,13 +293,33 @@ void print(int fd, char *str) {

 void print_usage() {
  print(fd_stderr, "Usage:\n");
-  print(fd_stderr, "  emerg-shutdown --devices=DEVICE1[,DEVICE2...] --keys=KEY_1[,KEY_2|KEY_3...]\n");
-  print(fd_stderr, "Or:\n");
-  print(fd_stderr, "  emerg-shutdown --instant-shutdown\n");
-  print(fd_stderr, "Or:\n");
-  print(fd_stderr, "  emerg-shutdown --monitor-fifo --timeout=TIMEOUT\n");
+  print(fd_stderr, "  emerg-shutdown [OPTIONS...]\n");
+  print(fd_stderr, "Options:\n");
+  print(fd_stderr, "  --devices=DEVICE1[,DEVICE2...]\n");
+  print(fd_stderr, "    A comma-separated list of devices. If any of these devices are\n");
+  print(fd_stderr, "    removed from the system, an emergency shutdown will occur.\n");
+  print(fd_stderr, "  --keys=KEY_1[,KEY_2|KEY_3...]\n");
+  print(fd_stderr, "    A comma-separated list of keys. If all of the specified keys are\n");
+  print(fd_stderr, "    pressed at the same time, an emergency shutdown will occur.\n");
+  print(fd_stderr, "    Keys separated with a pipe will be treated as aliases of each\n");
+  print(fd_stderr, "    other.\n");
+  print(fd_stderr, "  --paranoid\n");
+  print(fd_stderr, "    Watches for the removal of any removable device whatsoever. An\n");
+  print(fd_stderr, "    emergency shutdown will be triggered if any device is removed.\n");
+  print(fd_stderr, "    Cannot be combined with --devices.\n");
+  print(fd_stderr, "  --instant-shutdown\n");
+  print(fd_stderr, "    Immediately triggers an emergency shutdown. Cannot be combined\n");
+  print(fd_stderr, "    with other options.\n");
+  print(fd_stderr, "  --monitor-fifo\n");
+  print(fd_stderr, "    Used internally to implement the ensure-shutdown service. Do\n");
+  print(fd_stderr, "    not use.\n");
+  print(fd_stderr, "  --timeout=TIMEOUT\n");
+  print(fd_stderr, "    Used internally to implement the ensure-shutdown service. Do\n");
+  print(fd_stderr, "    not use.\n");
  print(fd_stderr, "Example:\n");
  print(fd_stderr, "  emerg-shutdown --devices=/dev/sda3 --keys=KEY_POWER\n");
+  print(fd_stderr, "See /etc/security-misc/emerg-shutdown/30_security-misc.cofn to\n");
+  print(fd_stderr, "configure the emerg-shutdown service.\n");
 }

 void *safe_calloc(size_t nmemb, size_t size) {
@ -318,7 +343,7 @@ void *safe_reallocarray(void *ptr, size_t nmemb, size_t size) {
 /* Inspired by https://www.strudel.org.uk/itoa/ */
 char *int_to_str(uint32_t val) {
  static char buf[11];
-  int8_t i;
+  uint8_t i;
  char *rslt = NULL;
  const char *digits = "0123456789";

@ -340,7 +365,7 @@ char *int_to_str(uint32_t val) {
 void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list_ref, const char *sep, bool parse_opt) {
  char **result_list = NULL;
  size_t result_list_len = 0;
-  int arg_copy_len = strlen(arg) + 1;
+  size_t arg_copy_len = strlen(arg) + 1;
  char *arg_copy = safe_calloc(1, arg_copy_len);
  char *arg_val;
  char *arg_part;
@ -372,7 +397,7 @@ void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list
  free(arg_copy);
 }

-int kill_system() {
+long int kill_system() {
  /*
   * It isn't safe to simply call the reboot syscall here - there is a
   * graphics driver bug in the i915 driver on Bookworm that will throw a
@ -451,20 +476,21 @@ void hw_monitor(int argc, char **argv) {
  size_t panic_key_list_len = 0;
  char **panic_key_str_list = NULL;
  char **target_dev_list = NULL;
-  int **panic_key_list = NULL;
+  uint32_t **panic_key_list = NULL;
  bool *panic_key_active_list = NULL;
  size_t event_fd_list_len = 0;
  int *event_fd_list = NULL;
  char input_path_buf[input_path_size];
  struct pollfd *pollfd_list = NULL;
  struct input_event ie_buf[64];
+  bool paranoid_mode = false;

  /* Index variables */
  int arg_idx = 0;
  size_t tdl_idx = 0;
  size_t tdp_char_idx = 0;
  size_t pkl_idx = 0;
-  int input_idx = 0;
+  uint32_t input_idx = 0;
  size_t efl_idx = 0;
  int ie_idx = 0;
  size_t kg_idx = 0;
@ -477,6 +503,8 @@ void hw_monitor(int argc, char **argv) {
        exit(1);
      }
      load_list(argv[arg_idx], &target_dev_list_len, &target_dev_name_raw_list, ",", true);
+    } else if (strcmp(argv[arg_idx], "--paranoid") == 0) {
+      paranoid_mode = true;
    } else if (strncmp(argv[arg_idx], "--keys=", strlen("--keys=")) == 0) {
      if (panic_key_str_list != NULL) {
        print(fd_stderr, "--keys cannot be passed more than once!\n");
@ -492,6 +520,11 @@ void hw_monitor(int argc, char **argv) {
      exit(1);
    }
  }
+  if (target_dev_name_raw_list != NULL && paranoid_mode) {
+    print(fd_stderr, "--devices and --paranoid are mutually exclusive!\n");
+    print_usage();
+    exit(1);
+  }

  console_fd = open("/dev/console", O_RDWR);
  if (console_fd == -1) {
@ -500,7 +533,7 @@ void hw_monitor(int argc, char **argv) {
  }

  target_dev_list = safe_calloc(target_dev_list_len, sizeof(char *));
-  panic_key_list = safe_calloc(panic_key_list_len, sizeof(int *));
+  panic_key_list = safe_calloc(panic_key_list_len, sizeof(uint32_t *));
  panic_key_active_list = safe_calloc(panic_key_list_len, sizeof(bool));

  for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) {
@ -567,12 +600,12 @@ void hw_monitor(int argc, char **argv) {
    size_t keygroup_str_list_len = 0;
    char **keygroup_str_list = NULL;
    load_list(panic_key_str_list[pkl_idx], &keygroup_str_list_len, &keygroup_str_list, "|", false);
-    int *pkl_element = safe_calloc(keygroup_str_list_len + 1, sizeof(int));
+    uint32_t *pkl_element = safe_calloc(keygroup_str_list_len + 1, sizeof(uint32_t));

    pkl_element[keygroup_str_list_len] = 0;
    for (kg_idx = 0; kg_idx < keygroup_str_list_len; kg_idx++) {
-      int keycode = lookup_keycode(keygroup_str_list[kg_idx]);
-      if (keycode < 0) {
+      uint32_t keycode = lookup_keycode(keygroup_str_list[kg_idx]);
+      if (keycode == 0) {
        print(fd_stderr, "Invalid key code '");
        print(fd_stderr, keygroup_str_list[kg_idx]);
        print(fd_stderr, "'!\n");
@ -591,7 +624,7 @@ void hw_monitor(int argc, char **argv) {
  struct sockaddr_nl sa = {
    .nl_family = AF_NETLINK,
    .nl_pad = 0,
-    .nl_pid = getpid(),
+    .nl_pid = (uint32_t)getpid(),
    .nl_groups = NETLINK_KOBJECT_UEVENT,
  };
  int ns = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
@ -684,11 +717,10 @@ void hw_monitor(int argc, char **argv) {
        continue;
      }

-      size_t ieread_bytes = read(event_fd_list[efl_idx], ie_buf, sizeof(struct input_event) * 64);
+      ssize_t ieread_bytes = read(event_fd_list[efl_idx], ie_buf, sizeof(struct input_event) * 64);

-      if (ieread_bytes == -1
-        || ieread_bytes == 0
-        || (ieread_bytes % sizeof(struct input_event)) != 0) {
+      if (ieread_bytes <= 0
+        || ((size_t)ieread_bytes % sizeof(struct input_event)) != 0) {
        /* This will probably terminate the service if the user unplugs a
         * keyboard or similar, however systemd can start it again. The
         * alternative is to handle device hotplug, which sounds like a
@ -697,7 +729,8 @@ void hw_monitor(int argc, char **argv) {
        exit(1);
      }

-      for (ie_idx = 0; ie_idx < ieread_bytes / sizeof(struct input_event); ie_idx++) {
+      for (ie_idx = 0; ie_idx < (size_t)ieread_bytes / sizeof(struct input_event);
+        ie_idx++) {
        if (ie_buf[ie_idx].type != EV_KEY) {
          continue;
        }
@ -745,7 +778,7 @@ void hw_monitor(int argc, char **argv) {
       *   NUL-terminated string "libudev" so they're easy to filter out.
       */

-      int len;
+      ssize_t len;
      char buf[16384];
      struct iovec iov = { buf, sizeof(buf) };
      struct sockaddr_nl sa2;
@ -760,6 +793,7 @@ void hw_monitor(int argc, char **argv) {
      char *tmpbuf = NULL;
      bool device_removed = false;
      bool device_changed = false;
+      bool disk_media_changed = false;

      len = recvmsg(ns, &msg, 0);
      if (len == -1) {
@ -788,6 +822,10 @@ void hw_monitor(int argc, char **argv) {
          device_changed = true;
          goto next_str;
        }
+        if (strcmp(tmpbuf, "DISK_MEDIA_CHANGE=1") == 0) {
+          disk_media_changed = true;
+          goto next_str;
+        }

        if (strncmp(tmpbuf, "DEVNAME=", strlen("DEVNAME=")) == 0) {
          if (device_removed || device_changed) {
@ -828,6 +866,16 @@ void hw_monitor(int argc, char **argv) {
              goto next_str;
            }

+            if (device_changed && !disk_media_changed) {
+              free(rem_devname_line);
+              goto next_str;
+            }
+
+            if (paranoid_mode) {
+              /* Something was removed, we don't care what, shut down now */
+              kill_system();
+            }
+
            for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) {
              if (strcmp(rem_dev_name, target_dev_list[tdl_idx]) == 0) {
                kill_system();
@ -841,7 +889,7 @@ void hw_monitor(int argc, char **argv) {
        }

 next_str:
-        len -= strlen(tmpbuf) + 1;
+        len = len - (ssize_t)(strlen(tmpbuf) + 1);
        tmpbuf += strlen(tmpbuf) + 1;
      }
    }
@ -883,8 +931,9 @@ void fifo_monitor(int argc, char **argv) {
  arg_part = strtok(arg_copy, "=");
  /* returns everything after the = sign */
  arg_part = strtok(NULL, "");
+  errno = 0;
  monitor_fifo_timeout = strtol(arg_part, &arg_num_end, 10);
-  if (errno == ERANGE) {
+  if (errno == ERANGE || monitor_fifo_timeout > UINT_MAX) {
    print(fd_stderr, "Timeout out of range!\n");
    print_usage();
    exit(1);
@ -949,7 +998,7 @@ void fifo_monitor(int argc, char **argv) {
    if (trigger_fifo_charbuf == 'k') {
      kill_system();
    } else if (trigger_fifo_charbuf == 'd') {
-      sleep(monitor_fifo_timeout);
+      sleep((unsigned int)monitor_fifo_timeout);
      kill_system();
    }
  }