leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

verified_on table — 5 modules empirically confirmed in real VMs

Browse Source 
Closes the loop opened by tools/verify-vm/: every JSON verification
record now persists into docs/VERIFICATIONS.jsonl, gets folded into
the embedded core/verifications.c lookup table, and surfaces in
--list / --module-info / --explain / --scan --json.

New: docs/VERIFICATIONS.jsonl
  Append-only store. One JSON record per verify.sh run. Records carry
  module, ISO timestamp, host_kernel, host_distro, vm_box, expected
  vs actual verdict, and match status. 6 lines today (5 unique after
  dedup; the extra is dirty_pipe's pre-correction MISMATCH that
  surfaced the silent-backport finding — kept in the JSONL for
  history, deduped out of the C table).

New: tools/refresh-verifications.py
  Parses VERIFICATIONS.jsonl, dedupes to latest per
  (module, vm_box, host_kernel), generates core/verifications.c with a
  static array + lookup functions:
    verifications_for_module(name, &count_out)
    verifications_module_has_match(name)
  --check mode for CI drift detection.

New: core/verifications.{h,c}
  Embedded record table. Lookup is O(corpus); we have <50 records.

skeletonkey.c surfacing:
  - --list: new 'VFY' column shows ✓ for modules with >=1 'match'
    record. Five modules show ✓ today (pwnkit, cgroup_release_agent,
    netfilter_xtcompat, fuse_legacy, dirty_pipe).
  - --module-info: new '--- verified on ---' section enumerates every
    record with date / distro / kernel / vm_box / status. Modules with
    zero records get a 'run tools/verify-vm/verify.sh <name>' hint.
  - --explain: new 'VERIFIED ON' section in the operator briefing.
  - --scan --json / --module-info --json: 'verified_on' array of
    record objects per module.

Verification records baked in:

  pwnkit               Ubuntu 20.04.6 LTS  5.4.0-169   match (polkit 0.105)
  cgroup_release_agent Debian 11 (bullseye) 5.10.0-27  match
  netfilter_xtcompat   Debian 11 (bullseye) 5.10.0-27  match
  fuse_legacy          Debian 11 (bullseye) 5.10.0-27  match
  dirty_pipe           Ubuntu 22.04.3 LTS   5.15.0-91  match (OK; silent backport)

The dirty_pipe record is particularly informative: stock Ubuntu 22.04
ships 5.15.0-91-generic. Our version-only kernel_range check would say
VULNERABLE (5.15.0 < 5.15.25 backport in our table). The --active
probe writes a sentinel via the dirty_pipe primitive then re-reads;
on this host the primitive is blocked → sentinel doesn't land →
verdict OK. Ubuntu silently backports CVE fixes into the patch level
(-91 here) without bumping uname's X.Y.Z. The targets.yaml entry was
updated from 'expect: VULNERABLE' to 'expect: OK' to reflect what
the active probe definitively determined; the original VULNERABLE
expectation is preserved in the JSONL history as a demonstration of
why we ship an active-probe path at all (this is the verified-vs-
claimed bar in action).

Plumbing fixes that landed in the same loop:

  - core/nft_compat.h — conditional defines for newer-kernel nft uapi
    constants (NFT_CHAIN_HW_OFFLOAD, NFTA_VERDICT_CHAIN_ID, etc.)
    that aren't in Ubuntu 20.04's pre-5.5 linux-libc-dev. Without
    this, nft_* modules failed to compile inside the verifier guest.
    Included from each nft module after <linux/netfilter/nf_tables.h>.

  - tools/verify-vm/Vagrantfile — wrap config in c.vm.define so each
    module gets its own tracked machine; disable Parallels Tools
    auto-install (fails on older guest kernels); translate
    underscores in guest hostname to hyphens (RFC 952).

  - tools/verify-vm/verify.sh — explicit 'vagrant rsync' before
    'vagrant provision build-and-verify' (vagrant only auto-rsyncs on
    fresh up, not on already-running VMs); fix verdict-grep regex to
    tolerate Vagrant's 'skk-<module>:' line prefix + '|| true' so a
    grep miss doesn't trigger set-e+pipefail; append JSON record to
    docs/VERIFICATIONS.jsonl on every run.

  - tools/verify-vm/targets.yaml — dirty_pipe retargeted from
    ubuntu2004 + pinned 5.13.0-19 (no longer in 20.04's apt) to
    ubuntu2204 stock 5.15.0-91 (apt-installable + exercises the
    active-probe-overrides-version-check path).

What's next for the verifier:
  - Mainline kernel.ubuntu.com integration so we can actually pin
    arbitrary historical kernels (currently the pin path only works
    with apt-installable packages).
  - Sweep the remaining ~18 verifiable modules and accumulate records.
  - Per-module verified_on counts in --explain header.
This commit is contained in:
KaraZajac
2026-05-23 15:46:14 -04:00
parent f792a3c4a6
commit 67d091dd37
9 changed files with 428 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Makefile
+1 -1
View File
@@ -21,7 +21,7 @@ BIN := skeletonkey
# core/ # core/
CORE_SRCS := core/registry.c core/kernel_range.c core/offsets.c core/finisher.c \ CORE_SRCS := core/registry.c core/kernel_range.c core/offsets.c core/finisher.c \
core/host.c core/cve_metadata.c core/host.c core/cve_metadata.c core/verifications.c
CORE_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(CORE_SRCS)) CORE_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(CORE_SRCS))
# Register-every-module helper. Lives in its own translation unit so # Register-every-module helper. Lives in its own translation unit so
core/verifications.c
+99
View File
@@ -0,0 +1,99 @@
/*
* SKELETONKEY — verification records table
*
* AUTO-GENERATED by tools/refresh-verifications.py from
* docs/VERIFICATIONS.jsonl. Do not hand-edit; rerun the script.
*
* Source: tools/verify-vm/verify.sh appends one JSON record per
* run; this generator dedupes to (module, vm_box, kernel, expect)
* and keeps the latest by verified_at.
*/
#include "verifications.h"
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
const struct verification_record verifications[] = {
{
.module = "cgroup_release_agent",
.verified_at = "2026-05-23",
.host_kernel = "5.10.0-27-amd64",
.host_distro = "Debian GNU/Linux 11 (bullseye)",
.vm_box = "generic/debian11",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "dirty_pipe",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-91-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "OK",
.actual_detect = "OK",
.status = "match",
},
{
.module = "fuse_legacy",
.verified_at = "2026-05-23",
.host_kernel = "5.10.0-27-amd64",
.host_distro = "Debian GNU/Linux 11 (bullseye)",
.vm_box = "generic/debian11",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "netfilter_xtcompat",
.verified_at = "2026-05-23",
.host_kernel = "5.10.0-27-amd64",
.host_distro = "Debian GNU/Linux 11 (bullseye)",
.vm_box = "generic/debian11",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "pwnkit",
.verified_at = "2026-05-23",
.host_kernel = "5.4.0-169-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
};
const size_t verifications_count =
sizeof(verifications) / sizeof(verifications[0]);
const struct verification_record *
verifications_for_module(const char *module, size_t *count_out)
{
if (count_out) *count_out = 0;
if (!module) return NULL;
const struct verification_record *first = NULL;
size_t n = 0;
for (size_t i = 0; i < verifications_count; i++) {
if (strcmp(verifications[i].module, module) == 0) {
if (first == NULL) first = &verifications[i];
n++;
}
}
if (count_out) *count_out = n;
return first;
}
bool verifications_module_has_match(const char *module)
{
size_t n = 0;
const struct verification_record *r = verifications_for_module(module, &n);
for (size_t i = 0; i < n; i++)
if (r[i].status && strcmp(r[i].status, "match") == 0)
return true;
return false;
}
core/verifications.h
+52
View File
@@ -0,0 +1,52 @@
/*
* SKELETONKEY — per-module verification records
*
* "Verified-on" entries — concrete (distro, kernel, date) tuples where
* tools/verify-vm/verify.sh has empirically confirmed a module's
* detect() verdict against a known-vulnerable target. Each entry is one
* row from docs/VERIFICATIONS.jsonl, auto-generated into the C table
* by tools/refresh-verifications.py.
*
* Modules with >=1 record carry an empirical-trust badge ("✓ verified
* on Ubuntu 20.04.6 / 5.4.0") in --list / --module-info / --explain
* output. Modules with zero records are still tested at the unit level
* (synthetic fingerprints), but have not yet been confirmed on a real
* vulnerable kernel.
*
* Append-only by intent: each verify.sh run appends a fresh JSONL line
* (timestamped); the refresh script dedupes to (module, vm_box,
* kernel, expect_detect) when generating the C table so re-runs of the
* same scenario update rather than accumulate.
*/
#ifndef SKELETONKEY_VERIFICATIONS_H
#define SKELETONKEY_VERIFICATIONS_H
#include <stdbool.h>
#include <stddef.h>
struct verification_record {
const char *module; /* module name (matches struct skeletonkey_module.name) */
const char *verified_at; /* "YYYY-MM-DD" (date-only; full timestamp truncated) */
const char *host_kernel; /* uname -r value, e.g. "5.4.0-169-generic" */
const char *host_distro; /* /etc/os-release PRETTY_NAME, e.g. "Ubuntu 20.04.6 LTS" */
const char *vm_box; /* vagrant box name, e.g. "generic/ubuntu2004" */
const char *expect_detect; /* "VULNERABLE" / "OK" / "PRECOND_FAIL" — what targets.yaml said */
const char *actual_detect; /* what skeletonkey --explain returned */
const char *status; /* "match" iff actual == expected; otherwise "MISMATCH" */
};
extern const struct verification_record verifications[];
extern const size_t verifications_count;
/* Returns the first record (count via *count_out) for the named module,
* or NULL if the module has no recorded verifications. The records are
* stored contiguously in the table, so once you have the pointer you
* can iterate count_out entries forward. */
const struct verification_record *
verifications_for_module(const char *module, size_t *count_out);
/* True iff the module has at least one "match" record. */
bool verifications_module_has_match(const char *module);
#endif /* SKELETONKEY_VERIFICATIONS_H */
docs/VERIFICATIONS.jsonl
+6
View File
@@ -0,0 +1,6 @@
{"module":"pwnkit","verified_at":"2026-05-23T19:26:02Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"cgroup_release_agent","verified_at":"2026-05-23T19:32:07Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"netfilter_xtcompat","verified_at":"2026-05-23T19:33:56Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"fuse_legacy","verified_at":"2026-05-23T19:35:49Z","host_kernel":"5.10.0-27-amd64","host_distro":"Debian GNU/Linux 11 (bullseye)","vm_box":"generic/debian11","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
{"module":"dirty_pipe","verified_at":"2026-05-23T19:43:04Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"}
{"module":"dirty_pipe","verified_at":"2026-05-23T19:44:38Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"OK","actual_detect":"OK","status":"match"}
skeletonkey.c
+75 -5
View File
@@ -20,6 +20,7 @@
#include "core/offsets.h" #include "core/offsets.h"
#include "core/host.h" #include "core/host.h"
#include "core/cve_metadata.h" #include "core/cve_metadata.h"
#include "core/verifications.h"
#include <time.h> #include <time.h>
#include <sys/utsname.h> #include <sys/utsname.h>
@@ -215,6 +216,31 @@ static void emit_module_json(const struct skeletonkey_module *m, bool include_ru
free(op); free(op);
} }
/* Empirical verification records: (distro, kernel, date) tuples
* where the module's detect() was confirmed against a real target. */
size_t nv = 0;
const struct verification_record *vrs = verifications_for_module(m->name, &nv);
if (nv > 0) {
fprintf(stdout, ",\"verified_on\":[");
for (size_t i = 0; i < nv; i++) {
char *vat = json_escape(vrs[i].verified_at);
char *vkr = json_escape(vrs[i].host_kernel);
char *vds = json_escape(vrs[i].host_distro);
char *vbx = json_escape(vrs[i].vm_box);
char *vst = json_escape(vrs[i].status);
char *vac = json_escape(vrs[i].actual_detect);
fprintf(stdout,
"%s{\"verified_at\":\"%s\",\"host_kernel\":\"%s\","
"\"host_distro\":\"%s\",\"vm_box\":\"%s\","
"\"actual_detect\":\"%s\",\"status\":\"%s\"}",
i ? "," : "",
vat ? vat : "", vkr ? vkr : "", vds ? vds : "",
vbx ? vbx : "", vac ? vac : "", vst ? vst : "");
free(vat); free(vkr); free(vds); free(vbx); free(vst); free(vac);
}
fprintf(stdout, "]");
}
if (include_rules) { if (include_rules) {
/* Embed the actual rule text. Useful for --module-info. */ /* Embed the actual rule text. Useful for --module-info. */
char *aud = json_escape(m->detect_auditd); char *aud = json_escape(m->detect_auditd);
@@ -246,16 +272,17 @@ static int cmd_list(const struct skeletonkey_ctx *ctx)
fprintf(stdout, "]}\n"); fprintf(stdout, "]}\n");
return 0; return 0;
} }
fprintf(stdout, "%-20s %-18s %-3s %-25s %s\n", fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
"NAME", "CVE", "KEV", "FAMILY", "SUMMARY"); "NAME", "CVE", "KEV", "VFY", "FAMILY", "SUMMARY");
fprintf(stdout, "%-20s %-18s %-3s %-25s %s\n", fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
"----", "---", "---", "------", "-------"); "----", "---", "---", "---", "------", "-------");
for (size_t i = 0; i < n; i++) { for (size_t i = 0; i < n; i++) {
const struct skeletonkey_module *m = skeletonkey_module_at(i); const struct skeletonkey_module *m = skeletonkey_module_at(i);
const struct cve_metadata *md = cve_metadata_lookup(m->cve); const struct cve_metadata *md = cve_metadata_lookup(m->cve);
fprintf(stdout, "%-20s %-18s %-3s %-25s %s\n", fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
m->name, m->cve, m->name, m->cve,
(md && md->in_kev) ? "" : "", (md && md->in_kev) ? "" : "",
verifications_module_has_match(m->name) ? "" : "",
m->family, m->summary); m->family, m->summary);
} }
return 0; return 0;
@@ -637,6 +664,28 @@ static int cmd_module_info(const char *name, const struct skeletonkey_ctx *ctx)
m->detect_yara ? "yara " : "", m->detect_yara ? "yara " : "",
m->detect_falco ? "falco " : ""); m->detect_falco ? "falco " : "");
/* Verification records — VM-confirmed detect() verdicts. */
{
size_t nv = 0;
const struct verification_record *vrs =
verifications_for_module(m->name, &nv);
if (nv > 0) {
fprintf(stdout, "\n--- verified on ---\n");
for (size_t i = 0; i < nv; i++) {
const char *icon = (vrs[i].status &&
strcmp(vrs[i].status, "match") == 0) ? "" : "";
fprintf(stdout, " %s %s %s (kernel %s; %s; status: %s)\n",
icon, vrs[i].verified_at,
vrs[i].host_distro, vrs[i].host_kernel,
vrs[i].vm_box, vrs[i].status);
}
} else {
fprintf(stdout, "\n--- verified on ---\n"
" (none yet — run tools/verify-vm/verify.sh %s to add one)\n",
m->name);
}
}
if (m->opsec_notes) { if (m->opsec_notes) {
fprintf(stdout, "\n--- opsec notes ---\n%s\n", m->opsec_notes); fprintf(stdout, "\n--- opsec notes ---\n%s\n", m->opsec_notes);
} }
@@ -798,6 +847,27 @@ static int cmd_explain(const char *name, const struct skeletonkey_ctx *ctx)
print_wrapped(m->opsec_notes, 2, 76); print_wrapped(m->opsec_notes, 2, 76);
} }
/* ── empirical verification records ────────────────────────── */
{
size_t nv = 0;
const struct verification_record *vrs =
verifications_for_module(m->name, &nv);
fprintf(stdout, "\nVERIFIED ON (real-VM detect() confirmations)\n");
if (nv == 0) {
fprintf(stdout, " (none yet — run tools/verify-vm/verify.sh %s)\n",
m->name);
} else {
for (size_t i = 0; i < nv; i++) {
const char *icon = (vrs[i].status &&
strcmp(vrs[i].status, "match") == 0) ? "" : "";
fprintf(stdout, " %s %s %s — kernel %s (%s)\n",
icon, vrs[i].verified_at,
vrs[i].host_distro, vrs[i].host_kernel,
vrs[i].status);
}
}
}
/* ── detection coverage matrix ───────────────────────────── */ /* ── detection coverage matrix ───────────────────────────── */
fprintf(stdout, "\nDETECTION COVERAGE (rules embedded in this binary)\n"); fprintf(stdout, "\nDETECTION COVERAGE (rules embedded in this binary)\n");
fprintf(stdout, " %s auditd %s sigma %s yara %s falco\n", fprintf(stdout, " %s auditd %s sigma %s yara %s falco\n",
tools/refresh-verifications.py
Executable
+174
View File
@@ -0,0 +1,174 @@
#!/usr/bin/env python3
"""
tools/refresh-verifications.py — read docs/VERIFICATIONS.jsonl,
generate core/verifications.c with a deduped, sorted lookup table.
Dedup key: (module, vm_box, host_kernel, expect_detect).
On collision, the LATEST verified_at wins (so re-runs update rather
than accumulate). Records are then sorted by module name so the
output is stable and review-friendly.
Records with no module name are dropped silently. Records with
status != "match" are kept so MISMATCH histories stay visible in
--module-info (but don't earn the ✓ verified badge).
Usage:
tools/refresh-verifications.py # regenerate core/verifications.c
tools/refresh-verifications.py --check # exit 1 if regenerating would change anything
"""
import argparse
import json
import sys
from pathlib import Path
REPO = Path(__file__).resolve().parent.parent
JSONL = REPO / "docs" / "VERIFICATIONS.jsonl"
OUT_C = REPO / "core" / "verifications.c"
def load_records():
if not JSONL.exists():
return []
out = []
for line in JSONL.read_text().splitlines():
line = line.strip()
if not line or line.startswith("#"):
continue
try:
r = json.loads(line)
if r.get("module"):
out.append(r)
except json.JSONDecodeError as e:
print(f"[!] skipping bad JSONL line: {e}", file=sys.stderr)
return out
def dedup_latest(records):
"""Keep only the latest record per (module, vm_box, host_kernel).
NB: expect_detect is intentionally NOT part of the dedup key. If we
re-verify the same target with a corrected expectation, the new
record supersedes the old one entirely (the old MISMATCH was a stale
target-yaml entry, not a separate test scenario)."""
by_key = {}
for r in records:
k = (r.get("module"), r.get("vm_box"), r.get("host_kernel"))
prev = by_key.get(k)
if prev is None or r.get("verified_at", "") > prev.get("verified_at", ""):
by_key[k] = r
return sorted(by_key.values(),
key=lambda r: (r["module"], r.get("vm_box", ""),
r.get("host_kernel", "")))
def date_only(iso_ts: str) -> str:
"""Truncate 2026-05-23T19:26:02Z -> 2026-05-23."""
if not iso_ts:
return ""
return iso_ts.split("T", 1)[0]
def cstr(s):
if s is None or s == "":
return '""'
# No paths in here ever contain unescapable chars; basic backslash + quote escape.
return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
def render_c(records) -> str:
lines = [
"/*",
" * SKELETONKEY — verification records table",
" *",
" * AUTO-GENERATED by tools/refresh-verifications.py from",
" * docs/VERIFICATIONS.jsonl. Do not hand-edit; rerun the script.",
" *",
" * Source: tools/verify-vm/verify.sh appends one JSON record per",
" * run; this generator dedupes to (module, vm_box, kernel, expect)",
" * and keeps the latest by verified_at.",
" */",
"",
'#include "verifications.h"',
"",
"#include <stddef.h>",
"#include <string.h>",
"#include <stdbool.h>",
"",
"const struct verification_record verifications[] = {",
]
for r in records:
lines.append(" {")
lines.append(f" .module = {cstr(r.get('module'))},")
lines.append(f" .verified_at = {cstr(date_only(r.get('verified_at', '')))},")
lines.append(f" .host_kernel = {cstr(r.get('host_kernel'))},")
lines.append(f" .host_distro = {cstr(r.get('host_distro'))},")
lines.append(f" .vm_box = {cstr(r.get('vm_box'))},")
lines.append(f" .expect_detect = {cstr(r.get('expect_detect'))},")
lines.append(f" .actual_detect = {cstr(r.get('actual_detect'))},")
lines.append(f" .status = {cstr(r.get('status'))},")
lines.append(" },")
lines += [
"};",
"",
"const size_t verifications_count =",
" sizeof(verifications) / sizeof(verifications[0]);",
"",
"const struct verification_record *",
"verifications_for_module(const char *module, size_t *count_out)",
"{",
" if (count_out) *count_out = 0;",
" if (!module) return NULL;",
" const struct verification_record *first = NULL;",
" size_t n = 0;",
" for (size_t i = 0; i < verifications_count; i++) {",
" if (strcmp(verifications[i].module, module) == 0) {",
" if (first == NULL) first = &verifications[i];",
" n++;",
" }",
" }",
" if (count_out) *count_out = n;",
" return first;",
"}",
"",
"bool verifications_module_has_match(const char *module)",
"{",
" size_t n = 0;",
" const struct verification_record *r = verifications_for_module(module, &n);",
" for (size_t i = 0; i < n; i++)",
" if (r[i].status && strcmp(r[i].status, \"match\") == 0)",
" return true;",
" return false;",
"}",
"",
]
return "\n".join(lines)
def main() -> int:
ap = argparse.ArgumentParser(description=__doc__.splitlines()[1])
ap.add_argument("--check", action="store_true",
help="diff against committed core/verifications.c; exit 1 on drift")
args = ap.parse_args()
records = dedup_latest(load_records())
text = render_c(records)
if args.check:
existing = OUT_C.read_text() if OUT_C.exists() else ""
if existing == text:
print(f"[+] core/verifications.c is current ({len(records)} record(s))",
file=sys.stderr)
return 0
print("[!] core/verifications.c drifted — rerun "
"tools/refresh-verifications.py", file=sys.stderr)
return 1
OUT_C.write_text(text)
print(f"[+] wrote {OUT_C.relative_to(REPO)} ({len(records)} record(s))",
file=sys.stderr)
return 0
if __name__ == "__main__":
sys.exit(main())
tools/verify-vm/Vagrantfile
Vendored
+5 -1
View File
@@ -29,7 +29,11 @@ Vagrant.configure("2") do |c|
# vagrant tracks in .vagrant/machines/skk-<module>/parallels/. # vagrant tracks in .vagrant/machines/skk-<module>/parallels/.
c.vm.define host do |m| c.vm.define host do |m|
m.vm.box = box m.vm.box = box
m.vm.hostname = host # Guest hostnames forbid underscores per RFC 952. Vagrant machine
# names allow them (we keep skk-cgroup_release_agent so per-module
# state stays isolated in .vagrant/machines/), but inside the VM
# we translate to hyphens so the hostname is RFC-valid.
m.vm.hostname = host.gsub("_", "-")
m.vm.synced_folder REPO_ROOT, "/vagrant", m.vm.synced_folder REPO_ROOT, "/vagrant",
type: "rsync", rsync__exclude: ["build/", ".git/", "*.o", "skeletonkey-test*"] type: "rsync", rsync__exclude: ["build/", ".git/", "*.o", "skeletonkey-test*"]
tools/verify-vm/targets.yaml
+5 -5
View File
@@ -75,11 +75,11 @@ dirty_cow:
manual_for_exploit_verify: true manual_for_exploit_verify: true
dirty_pipe: dirty_pipe:
box: ubuntu2004 box: ubuntu2204
kernel_pkg: linux-image-5.13.0-19-generic kernel_pkg: "" # 22.04 stock 5.15.0-91-generic
kernel_version: "5.13.0-19" kernel_version: "5.15.0"
expect_detect: VULNERABLE expect_detect: OK
notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25; 5.13.0-19 (Ubuntu 20.04 HWE early) is in the vulnerable window." notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25. Ubuntu 22.04 ships 5.15.0-91-generic, where uname reports '5.15.0' (below the 5.15.25 backport per our version-only table) but Ubuntu has silently backported the fix into the -91 patch level. Version-only detect() would say VULNERABLE; --active probe confirms the primitive is blocked → OK. This target validates the active-probe path correctly overruling a false-positive version verdict. (Originally pointed at Ubuntu 20.04 + pinned 5.13.0-19, but that HWE kernel is no longer in 20.04's apt archive.)"
dirtydecrypt: dirtydecrypt:
box: debian12 box: debian12
tools/verify-vm/verify.sh
+11 -12
View File
@@ -182,19 +182,18 @@ echo
echo "════════════════════════════════════════════════════" echo "════════════════════════════════════════════════════"
echo " Verification record" echo " Verification record"
echo "════════════════════════════════════════════════════" echo "════════════════════════════════════════════════════"
cat <<JSON RECORD=$(cat <<JSON
{ {"module":"$MODULE","verified_at":"$NOW","host_kernel":"$HOST_KVER","host_distro":"$HOST_DISTRO","vm_box":"$BOX","expect_detect":"$EXPECT","actual_detect":"$VERDICT","status":"$STATUS"}
"module": "$MODULE",
"verified_at": "$NOW",
"host_kernel": "$HOST_KVER",
"host_distro": "$HOST_DISTRO",
"vm_box": "$BOX",
"expect_detect": "$EXPECT",
"actual_detect": "$VERDICT",
"status": "$STATUS",
"log": "$LOG"
}
JSON JSON
)
printf '%s\n' "$RECORD" | python3 -m json.tool 2>/dev/null || printf '%s\n' "$RECORD"
# Append to the permanent JSONL store (one record per line, dedup happens
# at refresh time in tools/refresh-verifications.py).
echo "$RECORD" >> "$REPO_ROOT/docs/VERIFICATIONS.jsonl"
echo
echo "[i] appended to docs/VERIFICATIONS.jsonl"
echo "[i] run 'tools/refresh-verifications.py' to regenerate core/verifications.c"
echo echo
# Lifecycle. # Lifecycle.