leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

skeletonkey: add --dry-run flag

Browse Source 
Preview-only mode for --auto / --exploit / --mitigate / --cleanup.
Walks the full scan (with active probes, fork isolation, verdict
table — everything the real --auto does) and prints what would be
launched, without ever calling the exploit/mitigate/cleanup callback.

Wiring:
- struct skeletonkey_ctx gains a 'dry_run' field (core/module.h).
- Long option --dry-run, getopt case 10.
- cmd_auto: after picking the safest, if dry_run, print
    [*] auto: --dry-run: would launch `--exploit <NAME> --i-know`; not firing.
  plus the remaining ranked candidates, then return 0.
- cmd_one (used for --exploit/--mitigate/--cleanup) shorts on dry_run
  with [*] <module>: --dry-run: would run --<op>; not firing.

UX: --auto --dry-run does NOT require --i-know (nothing fires). The
refusal message for bare --auto now points to --dry-run for the
preview path:
  [-] --auto requires --i-know (or --dry-run for a preview that never fires).

ROADMAP --auto accuracy section updated with the dry-run + the
version-pinned detect work from the previous commit.

Smoke-tested locally on macOS: scanning runs, verdicts print, the
'would launch' line fires, exit 0.
This commit is contained in:
KaraZajac
2026-05-22 23:08:24 -04:00
parent a26f471ecf
commit 3e6e0d869b
3 changed files with 41 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ROADMAP.md
+11
View File
@@ -216,6 +216,17 @@ of the 28-module verified corpus):**
module's probe is contained and the scan continues. Surfaced module's probe is contained and the scan continues. Surfaced
while testing entrybleed's `prefetchnta` sweep under emulated while testing entrybleed's `prefetchnta` sweep under emulated
CPUs: exactly the failure mode the isolation now handles. CPUs: exactly the failure mode the isolation now handles.
- [x] `--dry-run` flag: previews the picked exploit (or single-module
operation) without firing. Works with `--auto`, `--exploit`,
`--mitigate`, `--cleanup`. `--auto --dry-run` does NOT require
`--i-know` (nothing fires) so operators can inspect the host's
attack surface without arming. Bare `--auto` still gates on
`--i-know` and now points to `--dry-run` in the refusal message.
- [x] Version-pinned `detect()` for the 3 ported modules — Debian
tracker provided the fix commits: `dirtydecrypt` against mainline
`a2567217` (Linux 7.0); `fragnesia` against 7.0.9; `pack2theroot`
against PackageKit 1.3.5. The `kernel_range` model now drives
their verdicts; `--active` confirms empirically on top.
**Carry-overs:** **Carry-overs:**
core/module.h
+1
View File
@@ -50,6 +50,7 @@ struct skeletonkey_ctx {
bool no_shell; /* --no-shell (exploit prep but don't pop) */ bool no_shell; /* --no-shell (exploit prep but don't pop) */
bool authorized; /* user typed --i-know on exploit */ bool authorized; /* user typed --i-know on exploit */
bool full_chain; /* --full-chain (attempt root-pop after primitive) */ bool full_chain; /* --full-chain (attempt root-pop after primitive) */
bool dry_run; /* --dry-run (preview only; never call exploit/mitigate/cleanup) */
}; };
struct skeletonkey_module { struct skeletonkey_module {
skeletonkey.c
+29 -3
View File
@@ -74,6 +74,9 @@ static void usage(const char *prog)
" --i-know authorization gate for --exploit modes\n" " --i-know authorization gate for --exploit modes\n"
" --active in --scan, do invasive sentinel probes (no /etc/passwd writes)\n" " --active in --scan, do invasive sentinel probes (no /etc/passwd writes)\n"
" --no-shell in --exploit modes, prepare but don't drop to shell\n" " --no-shell in --exploit modes, prepare but don't drop to shell\n"
" --dry-run preview only — do the scan + pick, never call exploit/\n"
" mitigate/cleanup. Useful with --auto to see what would\n"
" fire before authorizing it.\n"
" --full-chain in --exploit modes, attempt full root-pop after primitive\n" " --full-chain in --exploit modes, attempt full root-pop after primitive\n"
" (the 🟡 modules return primitive-only by default; with\n" " (the 🟡 modules return primitive-only by default; with\n"
" --full-chain they continue to leak → arb-write →\n" " --full-chain they continue to leak → arb-write →\n"
@@ -750,10 +753,11 @@ static void read_os_release(char *id_out, size_t id_cap,
static int cmd_auto(struct skeletonkey_ctx *ctx) static int cmd_auto(struct skeletonkey_ctx *ctx)
{ {
if (!ctx->authorized) { if (!ctx->authorized && !ctx->dry_run) {
fprintf(stderr, fprintf(stderr,
"[-] --auto requires --i-know. About to attempt root via the safest available\n" "[-] --auto requires --i-know (or --dry-run for a preview that never fires).\n"
" LPE on this host. Authorized testing only. See docs/ETHICS.md.\n"); " About to attempt root via the safest available LPE on this host.\n"
" Authorized testing only. See docs/ETHICS.md.\n");
return 1; return 1;
} }
if (geteuid() == 0) { if (geteuid() == 0) {
@@ -864,6 +868,21 @@ static int cmd_auto(struct skeletonkey_ctx *ctx)
} }
const struct skeletonkey_module *pick = cands[0].m; const struct skeletonkey_module *pick = cands[0].m;
if (ctx->dry_run) {
fprintf(stderr,
"\n[*] auto: %d vulnerable module(s) found. Safest is '%s' (rank %d).\n"
"[*] auto: --dry-run: would launch `--exploit %s --i-know`; not firing.\n",
nc, pick->name, cands[0].rank, pick->name);
if (nc > 1) {
fprintf(stderr, "[i] auto: other candidates (ranked):\n");
for (int i = 1; i < nc; i++)
fprintf(stderr, " %-22s safety rank %d\n",
cands[i].m->name, cands[i].rank);
}
return 0;
}
fprintf(stderr, fprintf(stderr,
"\n[*] auto: %d vulnerable module(s) found. Safest is '%s' (rank %d).\n" "\n[*] auto: %d vulnerable module(s) found. Safest is '%s' (rank %d).\n"
"[*] auto: launching --exploit %s...\n\n", "[*] auto: launching --exploit %s...\n\n",
@@ -883,6 +902,11 @@ static int cmd_auto(struct skeletonkey_ctx *ctx)
static int cmd_one(const struct skeletonkey_module *m, const char *op, static int cmd_one(const struct skeletonkey_module *m, const char *op,
const struct skeletonkey_ctx *ctx) const struct skeletonkey_ctx *ctx)
{ {
if (ctx->dry_run) {
fprintf(stderr, "[*] %s: --dry-run: would run --%s; not firing.\n",
m->name, op);
return 0;
}
skeletonkey_result_t (*fn)(const struct skeletonkey_ctx *) = NULL; skeletonkey_result_t (*fn)(const struct skeletonkey_ctx *) = NULL;
if (strcmp(op, "exploit") == 0) fn = m->exploit; if (strcmp(op, "exploit") == 0) fn = m->exploit;
else if (strcmp(op, "mitigate") == 0) fn = m->mitigate; else if (strcmp(op, "mitigate") == 0) fn = m->mitigate;
@@ -953,6 +977,7 @@ int main(int argc, char **argv)
{"json", no_argument, 0, 4 }, {"json", no_argument, 0, 4 },
{"no-color", no_argument, 0, 5 }, {"no-color", no_argument, 0, 5 },
{"full-chain", no_argument, 0, 7 }, {"full-chain", no_argument, 0, 7 },
{"dry-run", no_argument, 0, 10 },
{"version", no_argument, 0, 'V'}, {"version", no_argument, 0, 'V'},
{"help", no_argument, 0, 'h'}, {"help", no_argument, 0, 'h'},
{0, 0, 0, 0} {0, 0, 0, 0}
@@ -977,6 +1002,7 @@ int main(int argc, char **argv)
case 7 : ctx.full_chain = true; break; case 7 : ctx.full_chain = true; break;
case 8 : mode = MODE_DUMP_OFFSETS; break; case 8 : mode = MODE_DUMP_OFFSETS; break;
case 9 : mode = MODE_AUTO; ctx.authorized = i_know ? true : ctx.authorized; break; case 9 : mode = MODE_AUTO; ctx.authorized = i_know ? true : ctx.authorized; break;
case 10 : ctx.dry_run = true; break;
case 6 : case 6 :
if (strcmp(optarg, "auditd") == 0) dr_fmt = FMT_AUDITD; if (strcmp(optarg, "auditd") == 0) dr_fmt = FMT_AUDITD;
else if (strcmp(optarg, "sigma") == 0) dr_fmt = FMT_SIGMA; else if (strcmp(optarg, "sigma") == 0) dr_fmt = FMT_SIGMA;