core/host: shared host fingerprint refactor

Adds core/host.{h,c} — a single struct skeletonkey_host populated once at startup and handed to every module callback via ctx->host. Replaces the per-detect uname / /etc/os-release / sysctl / userns-fork-probe calls scattered across the corpus with O(1) cached lookups, and gives the dispatcher one consistent view of the host. What's in the fingerprint: - Identity: kernel_version (parsed from uname.release), arch (machine), nodename, distro_id / distro_version_id / distro_pretty (parsed once from /etc/os-release). - Process state: euid, real_uid (defeats userns illusion via /proc/self/uid_map), egid, username, is_root, is_ssh_session. - Platform family: is_linux, is_debian_family, is_rpm_family, is_arch_family, is_suse_family (file-existence checks once). - Capability gates (Linux): unprivileged_userns_allowed (live fork+unshare probe), apparmor_restrict_userns, unprivileged_bpf_disabled, kpti_enabled, kernel_lockdown_active, selinux_enforcing, yama_ptrace_restricted. - System services: has_systemd, has_dbus_system. Wiring: - core/module.h forward-declares struct skeletonkey_host and adds the pointer to skeletonkey_ctx. Modules opt-in by including ../../core/host.h. - core/host.c is fully POD (no heap pointers) — uses a single file- static instance, returns a stable pointer on every call. Lazily populated on first skeletonkey_host_get(). - skeletonkey.c calls skeletonkey_host_get() at main() entry, stores in ctx.host before any register_*() runs. - cmd_auto's bespoke distro-fingerprint code (was an inline read_os_release helper) is replaced with skeletonkey_host_print_banner(), which emits a two-line banner of identity + capability gates. Migrations: - dirtydecrypt: kernel_version_current() -> ctx->host->kernel. - fragnesia: removed local fg_userns_allowed() fork-probe in favour of ctx->host->unprivileged_userns_allowed (no per-scan fork). Also pulls kernel from ctx->host. The PRECOND_FAIL message now notes whether AppArmor restriction is on. - pack2theroot: access('/etc/debian_version') -> ctx->host->is_debian_family; also short-circuits when ctx->host->has_dbus_system is false (saves the GLib g_bus_get_sync attempt on systems without system D-Bus). - overlayfs: replaced the inline is_ubuntu() /etc/os-release parser with ctx->host->distro_id comparison. Local helper preserved for symmetry / standalone builds. Documentation: docs/ARCHITECTURE.md gains a 'Host fingerprint' section describing the struct, the opt-in include pattern, and example detect() usage. ROADMAP --auto accuracy log notes the landing and flags remaining modules as an incremental follow-up. Build verification: - macOS (local): make clean && make -> Mach-O x86_64, 31 modules, banner prints with distro=?/? (no /etc/os-release). - Linux (docker gcc:latest + libglib2.0-dev): make clean && make -> ELF 64-bit, 31 modules. Banner prints with kernel + distro=debian/13 + 7 capability gates. dirtydecrypt correctly says 'predates the rxgk code added in 7.0'; fragnesia PRECOND_FAILs with '(host fingerprint)' annotation; pack2theroot PRECOND_FAILs on no-DBus; overlayfs reports 'not Ubuntu (distro=debian)'.
2026-05-22 23:18:00 -04:00
parent 3e6e0d869b
commit 4f30d00a1c
11 changed files with 498 additions and 74 deletions
@@ -46,6 +46,7 @@
 /* _GNU_SOURCE / _FILE_OFFSET_BITS are passed via -D in the top-level
 * Makefile; do not redefine here (warning: redefined). */
 #include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <stdint.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -684,19 +685,23 @@ static skeletonkey_result_t dd_detect(const struct skeletonkey_ctx *ctx)
 {
 	dd_verbose = !ctx->json;

-	struct kernel_version v;
-	if (!kernel_version_current(&v)) {
+	/* Consult the shared host fingerprint instead of calling
+	 * kernel_version_current() ourselves — populated once at startup
+	 * and identical across every module's detect(). */
+	const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+	if (!v || v->major == 0) {
 		if (!ctx->json)
-			fprintf(stderr, "[!] dirtydecrypt: could not parse kernel version\n");
+			fprintf(stderr, "[!] dirtydecrypt: host fingerprint missing kernel "
+				"version — bailing\n");
 		return SKELETONKEY_TEST_ERROR;
 	}

 	/* Predates the bug: rxgk RESPONSE-handling code was added in 7.0. */
-	if (v.major < 7) {
+	if (v->major < 7) {
 		if (!ctx->json)
 			fprintf(stderr, "[i] dirtydecrypt: kernel %s predates the rxgk "
 				"RESPONSE-handling code added in 7.0 — not applicable\n",
-				v.release);
+				v->release);
 		return SKELETONKEY_OK;
 	}

@@ -718,7 +723,7 @@ static skeletonkey_result_t dd_detect(const struct skeletonkey_ctx *ctx)
 		return SKELETONKEY_PRECOND_FAIL;
 	}

-	bool patched_by_version = kernel_range_is_patched(&dirtydecrypt_range, &v);
+	bool patched_by_version = kernel_range_is_patched(&dirtydecrypt_range, v);

 	if (ctx->active_probe) {
 		if (!ctx->json)
@@ -729,7 +734,7 @@ static skeletonkey_result_t dd_detect(const struct skeletonkey_ctx *ctx)
 			if (!ctx->json)
 				fprintf(stderr, "[!] dirtydecrypt: ACTIVE PROBE "
 					"CONFIRMED — rxgk in-place decrypt corrupts "
-					"the page cache (kernel %s)\n", v.release);
+					"the page cache (kernel %s)\n", v->release);
 			return SKELETONKEY_VULNERABLE;
 		}
 		if (p == 0) {
@@ -748,14 +753,14 @@ static skeletonkey_result_t dd_detect(const struct skeletonkey_ctx *ctx)
 		if (!ctx->json)
 			fprintf(stderr, "[+] dirtydecrypt: kernel %s is patched "
 				"(commit a2567217 in Linux 7.0; version-only check — "
-				"use --active to confirm)\n", v.release);
+				"use --active to confirm)\n", v->release);
 		return SKELETONKEY_OK;
 	}
 	if (!ctx->json)
 		fprintf(stderr, "[!] dirtydecrypt: kernel %s appears VULNERABLE "
 			"(in 7.0-rc window before commit a2567217; version-only)\n"
 			"    Confirm empirically: skeletonkey --scan --active\n",
-			v.release);
+			v->release);
 	return SKELETONKEY_VULNERABLE;
 }

@@ -53,6 +53,7 @@
 /* _GNU_SOURCE / _FILE_OFFSET_BITS are passed via -D in the top-level
 * Makefile; do not redefine here (warning: redefined). */
 #include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <arpa/inet.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -837,19 +838,10 @@ static void fg_evict(const char *path)
 	if (dc >= 0) { if (write(dc, "3\n", 2) < 0) {} close(dc); }
 }

-/* --- precondition check: unprivileged user namespaces --- */
-
-static bool fg_userns_allowed(void)
-{
-	pid_t pid = fork();
-	if (pid < 0)
-		return false;
-	if (pid == 0)
-		_exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
-	int st;
-	waitpid(pid, &st, 0);
-	return WIFEXITED(st) && WEXITSTATUS(st) == 0;
-}
+/* The unprivileged-userns precondition is now read from the shared
+ * host fingerprint (ctx->host->unprivileged_userns_allowed), which
+ * probes once at startup via core/host.c. The previous per-detect
+ * fork-probe helper was removed. */

 /* ---- detect ------------------------------------------------------- */

@@ -927,18 +919,24 @@ static skeletonkey_result_t fg_detect(const struct skeletonkey_ctx *ctx)
 {
 	fg_verbose = !ctx->json;

-	struct kernel_version v;
-	if (!kernel_version_current(&v)) {
+	/* Pull kernel version and userns availability from the shared
+	 * host fingerprint — populated once at startup, no per-detect
+	 * fork or re-parse. */
+	const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+	if (!v || v->major == 0) {
 		if (!ctx->json)
-			fprintf(stderr, "[!] fragnesia: could not parse kernel version\n");
+			fprintf(stderr, "[!] fragnesia: host fingerprint missing kernel "
+				"version — bailing\n");
 		return SKELETONKEY_TEST_ERROR;
 	}

-	if (!fg_userns_allowed()) {
+	if (!ctx->host->unprivileged_userns_allowed) {
 		if (!ctx->json)
 			fprintf(stderr, "[i] fragnesia: unprivileged user "
-				"namespaces are disabled — XFRM gate closed "
-				"here (CAP_NET_ADMIN unreachable)\n");
+				"namespaces are disabled (host fingerprint) — "
+				"XFRM gate closed here (CAP_NET_ADMIN unreachable)%s\n",
+				ctx->host->apparmor_restrict_userns ?
+					"; AppArmor restriction is on" : "");
 		return SKELETONKEY_PRECOND_FAIL;
 	}

@@ -950,7 +948,7 @@ static skeletonkey_result_t fg_detect(const struct skeletonkey_ctx *ctx)
 		return SKELETONKEY_PRECOND_FAIL;
 	}

-	bool patched_by_version = kernel_range_is_patched(&fragnesia_range, &v);
+	bool patched_by_version = kernel_range_is_patched(&fragnesia_range, v);

 	if (ctx->active_probe) {
 		if (!ctx->json)
@@ -961,7 +959,7 @@ static skeletonkey_result_t fg_detect(const struct skeletonkey_ctx *ctx)
 			if (!ctx->json)
 				fprintf(stderr, "[!] fragnesia: ACTIVE PROBE "
 					"CONFIRMED — ESP-in-TCP coalesce corrupts "
-					"the page cache (kernel %s)\n", v.release);
+					"the page cache (kernel %s)\n", v->release);
 			return SKELETONKEY_VULNERABLE;
 		}
 		if (p == 0) {
@@ -982,14 +980,14 @@ static skeletonkey_result_t fg_detect(const struct skeletonkey_ctx *ctx)
 		if (!ctx->json)
 			fprintf(stderr, "[+] fragnesia: kernel %s is patched "
 				"(7.0.9+; version-only check — use --active to "
-				"confirm)\n", v.release);
+				"confirm)\n", v->release);
 		return SKELETONKEY_OK;
 	}
 	if (!ctx->json)
 		fprintf(stderr, "[!] fragnesia: kernel %s appears VULNERABLE "
 			"(no backport entry for this branch; version-only)\n"
 			"    Confirm empirically: skeletonkey --scan --active\n",
-			v.release);
+			v->release);
 	return SKELETONKEY_VULNERABLE;
 }

@@ -47,6 +47,7 @@
 #ifdef __linux__

 #include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <fcntl.h>
 #include <sched.h>
 #include <sys/mount.h>
@@ -132,10 +133,18 @@ static skeletonkey_result_t overlayfs_detect(const struct skeletonkey_ctx *ctx)

    /* Ubuntu-specific bug. Non-Ubuntu kernels are largely immune
     * because upstream didn't enable the userns-mount path until
-     * 5.11. Bail early for non-Ubuntu. */
-    if (!is_ubuntu()) {
+     * 5.11. Bail early for non-Ubuntu. Consult the shared host
+     * fingerprint (distro_id == "ubuntu" — populated once at startup;
+     * the local is_ubuntu() helper is preserved for symmetry / future
+     * standalone use but the dispatcher path goes through ctx->host). */
+    bool ubuntu = ctx->host
+        ? (strcmp(ctx->host->distro_id, "ubuntu") == 0)
+        : is_ubuntu();
+    if (!ubuntu) {
        if (!ctx->json) {
-            fprintf(stderr, "[+] overlayfs: not Ubuntu — bug is Ubuntu-specific\n");
+            fprintf(stderr, "[+] overlayfs: not Ubuntu (distro=%s) — bug is "
+                "Ubuntu-specific\n",
+                ctx->host ? ctx->host->distro_id : "?");
        }
        return SKELETONKEY_OK;
    }
@@ -61,6 +61,7 @@

 /* _GNU_SOURCE / _FILE_OFFSET_BITS are passed via -D in the top-level
 * Makefile; do not redefine here. */
+#include "../../core/host.h"
 #include <stdint.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -310,10 +311,18 @@ static skeletonkey_result_t p2tr_detect(const struct skeletonkey_ctx *ctx)
 		return SKELETONKEY_OK;
 	}

-	if (access("/etc/debian_version", F_OK) != 0) {
+	/* Host fingerprint short-circuits — populated once at startup. */
+	if (ctx->host && !ctx->host->is_debian_family) {
 		if (!ctx->json)
-			fprintf(stderr, "[i] pack2theroot: not a Debian/Ubuntu host "
-				"(PoC's .deb builder is Debian-family-only)\n");
+			fprintf(stderr, "[i] pack2theroot: not a Debian-family host "
+				"(distro=%s) — PoC's .deb builder is Debian-only\n",
+				ctx->host->distro_id);
+		return SKELETONKEY_PRECOND_FAIL;
+	}
+	if (ctx->host && !ctx->host->has_dbus_system) {
+		if (!ctx->json)
+			fprintf(stderr, "[i] pack2theroot: no system D-Bus socket at "
+				"/run/dbus/system_bus_socket — PackageKit unreachable\n");
 		return SKELETONKEY_PRECOND_FAIL;
 	}