leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

Phase 6 (partial): --mitigate bridged for copy_fail_family

Browse Source 
- copy_fail_family/iamroot_modules.c: two new bridge functions
  - copy_fail_family_mitigate: calls existing mitigate_apply() which
    blacklists algif_aead + esp4 + esp6 + rxrpc, sets
    kernel.apparmor_restrict_unprivileged_userns=1, drops caches.
  - copy_fail_family_cleanup: heuristic-routed cleanup. If the
    mitigation conf file (/etc/modprobe.d/dirtyfail-mitigations.conf)
    exists → mitigate_revert(). Otherwise → try_revert_passwd_page_cache()
    to evict /etc/passwd from page cache.
- All 5 copy_fail_family modules' .mitigate and .cleanup fields now
  point at these shared family-wide handlers (the mitigation is
  family-wide, not per-CVE).
- dirty_pipe and entrybleed: no --mitigate offered (no canonical
  patches / only-fix-is-upgrade). Documented in ROADMAP.

Verified end-to-end on kctf-mgr as non-root user:
  iamroot --mitigate copy_fail → 'mitigate requires root' (correct)
  iamroot --cleanup  copy_fail → 'no mitigation conf; evicting page cache'

CVES.md gains a per-module ops table; ROADMAP.md marks Phase 6 partial.
This commit is contained in:
KaraZajac
2026-05-16 20:04:32 -04:00
parent 4943b82129
commit 28ad566964
3 changed files with 84 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ROADMAP.md
+16 -5
View File
@@ -115,12 +115,23 @@ primitive** that other modules can chain. Bundled because:
embedded C string. Self-contained binary, no data-dir install needed.
- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md` — followup
## Phase 6 — Mitigation mode
## Phase 6 — Mitigation mode (PARTIAL — copy_fail_family bridged 2026-05-16)
- [ ] `iamroot --mitigate` walks the host's vulnerabilities, applies
temporary sysctl / module-blacklist / LSM workarounds
- [ ] Per-CVE rollback procedure if the mitigation breaks something
- [ ] Idempotent: running twice is safe
- [x] copy_fail_family: `iamroot --mitigate copy_fail` (or any family
member) blacklists algif_aead + esp4 + esp6 + rxrpc, sets
`kernel.apparmor_restrict_unprivileged_userns=1`, drops page
cache. Bridged from existing DIRTYFAIL `mitigate_apply()`.
- [x] copy_fail_family: `iamroot --cleanup <name>` routes by visible
state: if `/etc/modprobe.d/dirtyfail-mitigations.conf` exists →
`mitigate_revert()`; else evict /etc/passwd page cache. Heuristic
sufficient for common usage patterns.
- [x] dirty_pipe: `iamroot --cleanup dirty_pipe` evicts /etc/passwd
(already landed in Phase 2 complete).
- [ ] dirty_pipe `--mitigate`: only real fix is "upgrade your kernel";
no automated mitigation possible. Document and skip.
- [ ] entrybleed `--mitigate`: same — no canonical patch; document.
- [ ] Idempotent re-run safety: copy_fail_family's apply is already
idempotent (overwrites conf files). Re-verify per module.
## Phase 7+ — More modules