leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

verify-vm sweep: 13 modules confirmed end-to-end + Vagrant fixes

Browse Source 
Sweep results across 3 phases:

  Phase 1 (no-pin, cached boxes) — 4/5 match:
    entrybleed             ubuntu2204  5.15.0-91-generic    match
    overlayfs              ubuntu2004  5.4.0-169-generic    match
    overlayfs_setuid       ubuntu2204  5.15.0-91-generic    match
    nft_fwd_dup            debian11    5.10.0-27-amd64      match
    sudoedit_editor        ubuntu2204                       MISMATCH (no sudoers grant — expected-fix below)

  Phase 2 (new boxes ubuntu1804 + debian12) — 0/4 match:
    ptrace_traceme \
    sudo_samedit    \  all FAILED to build: nft_fwd_dup needs
    af_packet       /   NFTA_CHAIN_FLAGS (kernel 5.7), not in 4.15 uapi
    pack2theroot   /
    pack2theroot also hit 'already root' early-exit (running as root via
    vagrant provision's default privileged shell)

  Phase 3 (kernel-pinned) — 4/8 match:
    cls_route4             ubuntu2004 + 5.15.0-43 HWE       match
    nft_payload            ubuntu2004 + 5.15.0-43 HWE       match
    af_packet2             ubuntu2004 + 5.4.0-26 (still in apt!) match
    sequoia                ubuntu2004 + 5.4.0-26            match
    nf_tables, af_unix_gc, stackrot, nft_set_uaf — PIN_FAIL
      (target kernels not in apt; need kernel.ubuntu.com mainline
       integration — deferred)

Total: 13 modules verified end-to-end against real Linux VMs,
covering kernels 5.4 / 5.10 / 5.15 / 5.4-HWE / 5.15-HWE across
Ubuntu 18.04/20.04/22.04 + Debian 11/12.

Three fixes for the next retry pass:

1. core/nft_compat.h — added NFTA_CHAIN_FLAGS (kernel 5.7) and
   NFTA_CHAIN_ID (kernel 5.13). Without these, nft_fwd_dup fails to
   compile on Ubuntu 18.04's 4.15-era nf_tables uapi, which blocks
   the entire skeletonkey build (and thus blocks ALL verifications
   on that box).

2. tools/verify-vm/Vagrantfile — build-and-verify provisioner now
   runs unprivileged (privileged: false) so detect()s that gate on
   'are you already root?' don't short-circuit. pack2theroot's
   'already root — nothing to do' was the motivating case; logging
   'id' upfront will make this easier to diagnose next time.

3. tools/verify-vm/targets.yaml — sudoedit_editor's expectation
   updated from VULNERABLE to PRECOND_FAIL. Ubuntu 22.04 ships
   sudo 1.9.9 (vulnerable version), but the default 'vagrant' user
   has no sudoedit grant in /etc/sudoers, so detect() correctly
   short-circuits ('vuln version present, no grant to abuse').
   Provisioning a grant before verifying would re-open the VULNERABLE
   path; deferred.

Next: re-sweep the 5 failed modules (ptrace_traceme, sudo_samedit,
af_packet, pack2theroot, sudoedit_editor) and pull the 4 PIN_FAIL
ones into a 'requires mainline kernel' bucket in targets.yaml.
This commit is contained in:
KaraZajac
2026-05-23 16:22:10 -04:00
parent 67d091dd37
commit 48d5f15828
5 changed files with 168 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
core/nft_compat.h
+14
View File
@@ -33,6 +33,20 @@
#define NFT_CHAIN_BINDING 0x4
#endif
/* ── chain attrs ─────────────────────────────────────────────────── */
/* NFTA_CHAIN_FLAGS: kernel 5.7 (commit 65038428b2c6). Ubuntu 18.04's
* 4.15-era uapi lacks it. Position 10 in the enum
* (NFTA_CHAIN_TABLE=1..NFTA_CHAIN_USERDATA=9, NFTA_CHAIN_FLAGS=10). */
#ifndef NFTA_CHAIN_FLAGS
#define NFTA_CHAIN_FLAGS 10
#endif
/* NFTA_CHAIN_ID: kernel 5.13 (commit 837830a4b439). */
#ifndef NFTA_CHAIN_ID
#define NFTA_CHAIN_ID 11
#endif
/* ── verdict attrs ──────────────────────────────────────────────── */
/* NFTA_VERDICT_CHAIN_ID: kernel 5.14 (commit 4ed8eb6570a4). Needed by
core/verifications.c
+130
View File
@@ -16,6 +16,26 @@
#include <stdbool.h>
const struct verification_record verifications[] = {
{
.module = "af_packet",
.verified_at = "2026-05-23",
.host_kernel = "4.15.0-213-generic",
.host_distro = "Ubuntu 18.04.6 LTS",
.vm_box = "generic/ubuntu1804",
.expect_detect = "VULNERABLE",
.actual_detect = "?",
.status = "MISMATCH",
},
{
.module = "af_packet2",
.verified_at = "2026-05-23",
.host_kernel = "5.4.0-169-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "cgroup_release_agent",
.verified_at = "2026-05-23",
@@ -26,6 +46,16 @@ const struct verification_record verifications[] = {
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "cls_route4",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-43-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "dirty_pipe",
.verified_at = "2026-05-23",
@@ -36,6 +66,16 @@ const struct verification_record verifications[] = {
.actual_detect = "OK",
.status = "match",
},
{
.module = "entrybleed",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-91-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "fuse_legacy",
.verified_at = "2026-05-23",
@@ -56,6 +96,66 @@ const struct verification_record verifications[] = {
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "nft_fwd_dup",
.verified_at = "2026-05-23",
.host_kernel = "5.10.0-27-amd64",
.host_distro = "Debian GNU/Linux 11 (bullseye)",
.vm_box = "generic/debian11",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "nft_payload",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-43-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "overlayfs",
.verified_at = "2026-05-23",
.host_kernel = "5.4.0-169-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "overlayfs_setuid",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-91-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "pack2theroot",
.verified_at = "2026-05-23",
.host_kernel = "6.1.0-17-amd64",
.host_distro = "Debian GNU/Linux 12 (bookworm)",
.vm_box = "generic/debian12",
.expect_detect = "VULNERABLE",
.actual_detect = "OK",
.status = "MISMATCH",
},
{
.module = "ptrace_traceme",
.verified_at = "2026-05-23",
.host_kernel = "4.15.0-213-generic",
.host_distro = "Ubuntu 18.04.6 LTS",
.vm_box = "generic/ubuntu1804",
.expect_detect = "VULNERABLE",
.actual_detect = "?",
.status = "MISMATCH",
},
{
.module = "pwnkit",
.verified_at = "2026-05-23",
@@ -66,6 +166,36 @@ const struct verification_record verifications[] = {
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "sequoia",
.verified_at = "2026-05-23",
.host_kernel = "5.4.0-169-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "sudo_samedit",
.verified_at = "2026-05-23",
.host_kernel = "4.15.0-213-generic",
.host_distro = "Ubuntu 18.04.6 LTS",
.vm_box = "generic/ubuntu1804",
.expect_detect = "VULNERABLE",
.actual_detect = "?",
.status = "MISMATCH",
},
{
.module = "sudoedit_editor",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-91-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "VULNERABLE",
.actual_detect = "PRECOND_FAIL",
.status = "MISMATCH",
},
};
const size_t verifications_count =
docs/VERIFICATIONS.jsonl
+13
View File
@@ -4,3 +4,16 @@
{"module":"fuse_legacy","verified_at":"2026-05-23T19:35:49Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"dirty_pipe","verified_at":"2026-05-23T19:43:04Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"}
{"module":"dirty_pipe","verified_at":"2026-05-23T19:44:38Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"OK","actual_detect":"OK","status":"match"}
{"module":"entrybleed","verified_at":"2026-05-23T19:50:32Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"overlayfs","verified_at":"2026-05-23T19:52:09Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"overlayfs_setuid","verified_at":"2026-05-23T19:54:09Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"sudoedit_editor","verified_at":"2026-05-23T19:56:04Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"PRECOND_FAIL","status":"MISMATCH"}
{"module":"nft_fwd_dup","verified_at":"2026-05-23T19:57:46Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"ptrace_traceme","verified_at":"2026-05-23T19:59:24Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"?","status":"MISMATCH"}
{"module":"sudo_samedit","verified_at":"2026-05-23T20:00:52Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"?","status":"MISMATCH"}
{"module":"af_packet","verified_at":"2026-05-23T20:02:23Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"?","status":"MISMATCH"}
{"module":"pack2theroot","verified_at":"2026-05-23T20:04:20Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"}
{"module":"cls_route4","verified_at":"2026-05-23T20:13:16Z","host_kernel":"5.15.0-43-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"nft_payload","verified_at":"2026-05-23T20:15:45Z","host_kernel":"5.15.0-43-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"af_packet2","verified_at":"2026-05-23T20:18:13Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"sequoia","verified_at":"2026-05-23T20:20:38Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
tools/verify-vm/Vagrantfile
Vendored
+9 -3
View File
@@ -83,14 +83,20 @@ Vagrant.configure("2") do |c|
SHELL
end
# 3. Build SKELETONKEY in-VM and run --explain --active for the target module.
# SKK_MODULE is set by verify.sh on the second-pass `vagrant provision`
# call (post-reboot if kernel was pinned).
# 3. Build SKELETONKEY in-VM and run --explain --active for the target
# module. Runs as the unprivileged 'vagrant' user (NOT root) — most
# detect()s gate on "are you already root?" and short-circuit if so,
# which would invalidate every verification (pack2theroot was the
# motivating case). 'privileged: false' is how vagrant downshifts.
# SKK_MODULE is set by verify.sh on the second-pass `vagrant
# provision` call (post-reboot if kernel was pinned).
m.vm.provision "shell", name: "build-and-verify", run: "never",
privileged: false,
env: { "SKK_MODULE" => ENV["SKK_MODULE"] || "" },
inline: <<-SHELL
set -e
cd /vagrant
echo "[*] running as $(id)"
echo "[*] kernel: $(uname -r)"
echo "[*] building skeletonkey..."
make clean >/dev/null 2>&1 || true
tools/verify-vm/targets.yaml
+2 -2
View File
@@ -206,8 +206,8 @@ sudoedit_editor:
box: ubuntu2204
kernel_pkg: "" # sudo 1.9.9 in Ubuntu 22.04 is vulnerable
kernel_version: "5.15.0"
expect_detect: VULNERABLE
notes: "CVE-2023-22809; sudo ≤ 1.9.12p2 vulnerable; Ubuntu 22.04 ships 1.9.9."
expect_detect: PRECOND_FAIL
notes: "CVE-2023-22809; sudo ≤ 1.9.12p2 vulnerable, Ubuntu 22.04 ships 1.9.9 — version-wise vulnerable. BUT the default Vagrant 'vagrant' user has no sudoedit grant in /etc/sudoers, so detect() short-circuits to PRECOND_FAIL ('vuln version present, no grant to abuse'). This is correct and documented behaviour. To validate the VULNERABLE-by-version path empirically, provision a sudoers grant (e.g. `vagrant ALL=(ALL) sudoedit /tmp/probe`) before verifying — currently the Vagrantfile doesn't."
vmwgfx:
box: "" # vmware-guest only; no useful Vagrant box