core/host: skeletonkey_host_kernel_at_least + 9 new detect() tests

core/host helper: - Adds bool skeletonkey_host_kernel_at_least(h, M, m, p) — the canonical 'kernel >= X.Y.Z' check. Replaces the manual 'v->major < X || (v->major == X && v->minor < Y)' pattern that many modules use for their 'predates the bug' pre-check. Returns false when h is NULL or h->kernel.major == 0 (degenerate cases), true otherwise iff the host kernel sorts at or above the supplied version. - dirtydecrypt migrated as the demo: the 'kernel < 7.0 → predates' pre-check now reads 'if (!host_kernel_at_least(ctx->host, 7, 0, 0))'. Other modules still using the manual pattern continue to work unchanged; migrating them is incremental polish. tests/test_detect.c expansion (8 → 17 cases): New fingerprints: - h_kernel_4_4 — ancient (Linux 4.4 LTS); used for 'predates the bug' on dirty_pipe. - h_kernel_6_12 — recent (Linux 6.12 LTS); above every backport threshold in the corpus — modules report OK via the 'patched by mainline inheritance' branch of kernel_range_is_patched. - h_kernel_5_14_no_userns — vulnerable-era kernel (5.14.0, past every relevant predates check while below every backport entry) with unprivileged_userns_allowed deliberately false; lets the userns gate fire after the version check confirms vulnerable. New tests (9): - dirty_pipe + kernel 4.4 → OK (predates 5.8 introduction) - dirty_pipe + kernel 6.12 → OK (above every backport) - dirty_cow + kernel 6.12 → OK (above 4.9 fix) - ptrace_traceme + kernel 6.12 → OK (above 5.1.17 fix) - cgroup_release_agent + kernel 6.12 → OK (above 5.17 fix) - nf_tables + vuln kernel + userns=false → PRECOND_FAIL - fuse_legacy + vuln kernel + userns=false → PRECOND_FAIL - cls_route4 + vuln kernel + userns=false → PRECOND_FAIL - overlayfs_setuid + vuln kernel + userns=false → PRECOND_FAIL Process note: initial 8th and 9th userns tests failed because the chosen test kernel (5.10.0) tripped each module's predates check (nf_tables bug introduced 5.14; overlayfs_setuid 5.11). Switched to 5.14.0, which is past every predates threshold AND below every backport entry in this batch — the version verdict is now genuinely 'vulnerable' and the userns gate fires next. The bug-finding tests caught a real-but-narrow modeling gap in the original picks. Verification: - Linux (docker gcc:latest, non-root user): 17/17 pass. - macOS (local): builds clean, suite reports 'skipped — Linux-only' as designed.
2026-05-22 23:52:10 -04:00
parent 36814f272d
commit 1571b88725
4 changed files with 133 additions and 1 deletions
@@ -242,6 +242,16 @@ const struct skeletonkey_host *skeletonkey_host_get(void)
 	return &g_host;
 }

+bool skeletonkey_host_kernel_at_least(const struct skeletonkey_host *h,
+				      int major, int minor, int patch)
+{
+	if (!h || h->kernel.major == 0)
+		return false;
+	if (h->kernel.major != major) return h->kernel.major > major;
+	if (h->kernel.minor != minor) return h->kernel.minor > minor;
+	return h->kernel.patch >= patch;
+}
+
 void skeletonkey_host_print_banner(const struct skeletonkey_host *h, bool json)
 {
 	if (json || h == NULL) return;
@@ -88,4 +88,19 @@ const struct skeletonkey_host *skeletonkey_host_get(void);
 * --auto / --scan verbose output. Silent on JSON mode. */
 void skeletonkey_host_print_banner(const struct skeletonkey_host *h, bool json);

+/* True iff h->kernel >= the (major, minor, patch) provided. Returns
+ * false if h is NULL or its kernel version was never populated (major
+ * == 0). Replaces the manual `v->major < X` / `(v->major == X &&
+ * v->minor < Y)` patterns scattered across detect()s — cleaner reads
+ * and one place to get the comparison right.
+ *
+ * Examples:
+ *   if (!host_kernel_at_least(h, 7, 0, 0))    // kernel predates 7.0
+ *       return SKELETONKEY_OK;
+ *   if ( host_kernel_at_least(h, 6, 8, 0))    // kernel post-fix
+ *       return SKELETONKEY_OK;
+ */
+bool skeletonkey_host_kernel_at_least(const struct skeletonkey_host *h,
+                                      int major, int minor, int patch);
+
 #endif /* SKELETONKEY_HOST_H */