From 97be306fd21b5326e686d2eb14a929204b6df058 Mon Sep 17 00:00:00 2001 From: KaraZajac Date: Sat, 23 May 2026 00:22:18 -0400 Subject: [PATCH] release: bump version to v0.6.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This release captures the session's reliability + accuracy work on top of v0.5.0: - Shared host fingerprint (core/host.{h,c}): kernel/distro/userns gates / sudo + polkit versions, populated once at startup; every module consults ctx->host instead of doing its own probes. - Test harness (tests/test_detect.c, make test): 44 unit tests over mocked host fingerprints, wired into CI as a non-root step. - --auto upgrades: auto-enables --active, per-detect 15s timeout, fork-isolated detect + exploit so a crashing module can't tear down the dispatcher, per-module verdict table + scan summary. - --dry-run flag (preview without firing; --i-know not required). - Pinned mainline fix commits for the 3 ported modules (dirtydecrypt / fragnesia / pack2theroot) — detect() is now version-pinned with kernel_range tables, not precondition-only. - New modules: dirtydecrypt (CVE-2026-31635), fragnesia (CVE-2026-46300), pack2theroot (CVE-2026-41651). - macOS dev build works for the first time (all Linux-only code wrapped in #ifdef __linux__). - docs/JSON_SCHEMA.md: stable consumer contract for --scan --json. Version bump: - SKELETONKEY_VERSION = '0.6.0' in skeletonkey.c - README status line updated with the v0.6.0 changelog - docs/JSON_SCHEMA.md example refreshed --- README.md | 33 +++++++++++++++++++++++---------- docs/JSON_SCHEMA.md | 2 +- skeletonkey.c | 2 +- 3 files changed, 25 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 9ab3e13..86b4a85 100644 --- a/README.md +++ b/README.md 
@@ -181,16 +181,29 @@ also compile (modules with Linux-only headers stub out gracefully). ## Status -**v0.5.0 cut 2026-05-17.** 28 verified modules, plus 3 -ported-but-unverified (`dirtydecrypt`, `fragnesia`, `pack2theroot`) -added since the cut. All 31 build clean on Debian 13 (kernel 6.12) -and refuse cleanly on patched hosts. `--auto` now auto-enables -`--active` and runs each `detect()` in a fork-isolated child so one -crashing probe cannot tear down the scan. Empirical end-to-end -validation on a vulnerable-target VM matrix is the next roadmap item; -until then, the corpus is best understood as "compiles + detects + -structurally correct + honest on failure" — and the three ported -modules have not been run against a vulnerable target at all. +**v0.6.0 cut 2026-05-23.** 28 verified modules, plus 3 +ported-but-unverified (`dirtydecrypt`, `fragnesia`, `pack2theroot`). +All 31 build clean on Debian 13 (kernel 6.12) and refuse cleanly on +patched hosts. + +Reliability + accuracy work in v0.6.0: +- Shared **host fingerprint** (`core/host.{h,c}`) populated once at + startup — kernel/distro/userns gates/sudo+polkit versions — exposed + to every module via `ctx->host`. 26 of 27 distinct modules consume it. +- **Test harness** (`tests/test_detect.c`, `make test`) — 44 unit + tests over mocked host fingerprints; runs as a non-root user in CI. +- `--auto` upgrades: auto-enables `--active`, per-detect 15s timeout, + fork-isolated detect + exploit so a crashing module can't tear down + the dispatcher, structured per-module verdict table, scan summary. +- `--dry-run` flag (preview without firing; no `--i-know` needed). +- Pinned mainline fix commits for the 3 ported modules — `detect()` + is version-pinned, not just precondition-only. 
+ +Empirical end-to-end validation on a vulnerable-target VM matrix is +the next roadmap item; until then, the corpus is best understood as +"compiles + detects + structurally correct + honest on failure" — +and the three ported modules have not been run against a vulnerable +target at all. See [`ROADMAP.md`](ROADMAP.md) for the next planned modules and infrastructure work. diff --git a/docs/JSON_SCHEMA.md b/docs/JSON_SCHEMA.md index 2e13ca3..d49d511 100644 --- a/docs/JSON_SCHEMA.md +++ b/docs/JSON_SCHEMA.md @@ -15,7 +15,7 @@ major-version bump. ```json { - "version": "0.5.0", + "version": "0.6.0", "modules": [ /* ... per-module entries ... */ ] } ``` diff --git a/skeletonkey.c b/skeletonkey.c index efbe2fd..abbb44c 100644 --- a/skeletonkey.c +++ b/skeletonkey.c @@ -33,7 +33,7 @@ #include #include -#define SKELETONKEY_VERSION "0.5.0" +#define SKELETONKEY_VERSION "0.6.0" static const char BANNER[] = "\n"
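Review bot: In the README.md Status hunk, the host fingerprint bullet says "26 of 27 distinct modules consume it", which disagrees with the commit message ("every module consults ctx->host") and is not reconciled with the "28 verified modules, plus 3 ported-but-unverified" and "All 31 build clean" counts a few lines above it. Name the module that does not read `ctx->host` and say how 27 distinct modules relate to the 31 total, or drop the count and align the commit message wording with it.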
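Review bot: In the docs/JSON_SCHEMA.md hunk, the example's "version" field moves from "0.5.0" to "0.6.0" in a document the commit message calls a stable consumer contract, and nothing in the visible lines says whether this field is the tool release or the schema version. Add one sentence beside the example stating which it is, so a consumer of `--scan --json` can tell whether a change in this value means the output format changed.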
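Review bot: In the skeletonkey.c hunk, `SKELETONKEY_VERSION` is a string literal that this patch also copies by hand into the README status line and the docs/JSON_SCHEMA.md example, so the three can drift apart on the next release. Consider a step in `make test` or CI that compares the version strings in the two documents against the define and fails on a mismatch.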