verify-vm: per-module provisioner hook + old-mainline URL fallback

Adds tools/verify-vm/provisioners/<module>.sh hook so per-module setup (build vulnerable sudo from source, drop polkit allow rule, add sudoers grant) lives in checked-in scripts rather than manual VM steps. Vagrantfile runs the script as root before build-and-verify if it exists. Also fixes mainline kernel fetch to fall back from /v${KVER}/amd64/ to /v${KVER}/ for old kernels (≤ ~4.15) where debs aren't under the amd64 subdir, and accepts both 'linux-image-' (old) and 'linux-image-unsigned-' (new) deb names. Wires up 4 previously-deferred targets to expect VULNERABLE: - sudo_chwoot: builds sudo 1.9.16p1 from upstream into /usr/local - udisks_libblockdev: installs udisks2 + polkit rule for vagrant user - mutagen_astronomy: pins mainline 4.14.70 (one below the .71 fix) - sudo_runas_neg1: adds (ALL,!root) sudoers grant
2026-05-23 22:36:02 -04:00
parent 7f4a6e1c7c
commit 270ddc1681
5 changed files with 126 additions and 16 deletions
@@ -101,17 +101,28 @@ Vagrant.configure("2") do |c|
            exit 0
        fi
        echo "[+] fetching kernel.ubuntu.com mainline v${KVER}"
-        URL="https://kernel.ubuntu.com/mainline/v${KVER}/amd64/"
+        # Newer mainline kernels live under /v${KVER}/amd64/; older ones
+        # (≤ ~4.15) put debs at /v${KVER}/ directly. Try /amd64/ first;
+        # fall back to bare. linux-image-unsigned was renamed from
+        # linux-image- around 4.18 — old kernels use the plain name.
+        BASE="https://kernel.ubuntu.com/mainline/v${KVER}"
+        for URL in "${BASE}/amd64/" "${BASE}/"; do
+            INDEX=$(curl -sL "$URL")
+            if echo "$INDEX" | grep -q '\\.deb"'; then
+                break
+            fi
+        done
        TMP=$(mktemp -d)
        cd "$TMP"
        # Pick the 4 canonical generic-kernel .debs by pattern match against
-        # the directory index. Skip lowlatency variants.
-        DEBS=$(curl -sL "$URL" | \\
+        # the directory index. Skip lowlatency variants. Accept both
+        # 'linux-image-unsigned-' (newer) and 'linux-image-' (older).
+        DEBS=$(echo "$INDEX" | \\
            grep -oE 'href="[^"]+\\.deb"' | sed 's/href="//; s/"$//' | \\
-            grep -E '(linux-image-unsigned|linux-modules|linux-headers)-[0-9.]+-[0-9]+-generic_|linux-headers-[0-9.]+-[0-9]+_[^_]+_all\\.deb' | \\
+            grep -E '(linux-image(-unsigned)?|linux-modules|linux-headers)-[0-9.]+-[0-9]+-generic_|linux-headers-[0-9.]+-[0-9]+_[^_]+_all\\.deb' | \\
            grep -v lowlatency)
        if [ -z "$DEBS" ]; then
-            echo "[-] no .debs found at $URL — does the version exist on kernel.ubuntu.com?" >&2
+            echo "[-] no .debs found at ${BASE}/ (tried /amd64/ and bare)" >&2
            exit 2
        fi
        for f in $DEBS; do
@@ -125,6 +136,20 @@ Vagrant.configure("2") do |c|
      SHELL
    end

+    # 2c. Optional per-module provisioner. If
+    # tools/verify-vm/provisioners/<module>.sh exists, run it as root
+    # before build-and-verify. Used for things only meaningful per-module:
+    # build sudo 1.9.16 from source (sudo_chwoot), drop a polkit allow
+    # rule (udisks_libblockdev), add a sudoers grant (sudo_runas_neg1).
+    skk_mod = ENV["SKK_MODULE"] || ""
+    if !skk_mod.empty?
+      prov_path = File.join(__dir__, "provisioners", "#{skk_mod}.sh")
+      if File.exist?(prov_path)
+        m.vm.provision "shell", name: "module-provision-#{skk_mod}",
+          path: prov_path
+      end
+    end
+
    # 3. Build SKELETONKEY in-VM and run --explain --active for the target
    #    module. Runs as the unprivileged 'vagrant' user (NOT root) — most
    #    detect()s gate on "are you already root?" and short-circuit if so,