From a9c8f7d8c669ba54c9639ed450f1564a933fcaad Mon Sep 17 00:00:00 2001 From: KaraZajac Date: Sat, 23 May 2026 00:17:17 -0400 Subject: [PATCH] tests: 5 happy-path VULNERABLE assertions (44 total) Adds h_kernel_5_14_userns_ok fingerprint (vulnerable kernel + userns allowed) and uses it to assert the VULNERABLE branch is reached on the 5 netfilter-class modules whose detect() short-circuits there once both gates are satisfied: - nf_tables (CVE-2024-1086) -> VULNERABLE - cls_route4 (CVE-2022-2588) -> VULNERABLE - nft_set_uaf (CVE-2023-32233) -> VULNERABLE - nft_fwd_dup (CVE-2022-25636) -> VULNERABLE - nft_payload (CVE-2023-0179) -> VULNERABLE Combined with the earlier sudo_samedit and pwnkit vulnerable-version tests, this gives us positive-verdict coverage on 7 modules (was 2). The detect() logic that decides VULNERABLE when conditions match is now exercised, not just the precondition short-circuits. 39 -> 44 cases, all pass on Linux.
--- tests/test_detect.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+)
diff --git a/tests/test_detect.c b/tests/test_detect.c
index 1b2239c..86a2378 100644
--- a/tests/test_detect.c
+++ b/tests/test_detect.c
@@ -221,6 +221,24 @@ static const struct skeletonkey_host h_kernel_6_12 = {
 .unprivileged_userns_allowed = true,
 };
+/* Vulnerable-era kernel (5.14.0) with userns ENABLED. The mirror
+ * of h_kernel_5_14_no_userns — for testing the VULNERABLE-by-version
+ * happy path on modules whose detect() reaches VULNERABLE once both
+ * version and userns gates are satisfied. Carrier file presence
+ * (sudo, su, etc.) is read from the actual filesystem; in CI the
+ * standard Debian containers provide those, so these tests are
+ * deterministic on Linux. */
+static const struct skeletonkey_host h_kernel_5_14_userns_ok = {
+ .kernel = { .major = 5, .minor = 14, .patch = 0,
+ .release = "5.14.0-vuln-userns-ok" },
+ .arch = "x86_64",
+ .nodename = "test",
+ .distro_id = "debian",
+ .is_linux = true,
+ .is_debian_family = true,
+ .unprivileged_userns_allowed = true,
+};
+
 /* Vulnerable-era kernel (5.14.0) with userns DISABLED. Most
 * netfilter / overlayfs / cgroup-class modules need both an in-range
 * kernel AND unprivileged userns. Kernel 5.14 was deliberately
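Review bot: The new fixture's comment makes test determinism depend on "standard Debian containers" providing sudo/su, which is a property of the test host, not of the fingerprint — h_kernel_5_14_userns_ok carries only kernel, arch, distro and userns fields, so a developer running the suite in a minimal image could see a different verdict on any carrier-file module without this comment warning them. I would state the scope instead of asserting determinism: `/* Carrier-file checks (sudo, su, ...) read the live filesystem, not this fixture; pair it only with modules gated purely on kernel version + userns, otherwise the verdict depends on the test host. */`. Whether the five netfilter modules this fixture is meant for also consult the host (loaded-module or /proc state) is not visible from this hunk; if they do, the same caveat applies to them. The h_kernel_5_14_no_userns definition that follows continues past the end of the hunk.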
@@ -442,6 +460,32 @@ static void run_all(void)
 run_one("sudoedit_editor: sudo_version=1.9.13p1 → OK",
 &sudoedit_editor_module, &h_fixed_sudo,
 SKELETONKEY_OK);
+
+ /* ── happy-path VULNERABLE coverage ──────────────────────────
+ * Vulnerable kernel + userns allowed reaches the VULNERABLE
+ * branch on modules whose detect() short-circuits there once
+ * both gates are satisfied. Tests the affirmative verdict
+ * path, not just precondition gates. */
+
+ run_one("nf_tables: vuln kernel 5.14 + userns ok → VULNERABLE",
+ &nf_tables_module, &h_kernel_5_14_userns_ok,
+ SKELETONKEY_VULNERABLE);
+
+ run_one("cls_route4: vuln kernel 5.14 + userns ok → VULNERABLE",
+ &cls_route4_module, &h_kernel_5_14_userns_ok,
+ SKELETONKEY_VULNERABLE);
+
+ run_one("nft_set_uaf: vuln kernel 5.14 + userns ok → VULNERABLE",
+ &nft_set_uaf_module, &h_kernel_5_14_userns_ok,
+ SKELETONKEY_VULNERABLE);
+
+ run_one("nft_fwd_dup: vuln kernel 5.14 + userns ok → VULNERABLE",
+ &nft_fwd_dup_module, &h_kernel_5_14_userns_ok,
+ SKELETONKEY_VULNERABLE);
+
+ run_one("nft_payload: vuln kernel 5.14 + userns ok → VULNERABLE",
+ &nft_payload_module, &h_kernel_5_14_userns_ok,
+ SKELETONKEY_VULNERABLE);
 #else
 fprintf(stderr, "[i] non-Linux platform: detect() bodies are stubbed; "
 "tests skipped (would tautologically pass).\n");
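Review bot: All five new assertions feed the same 5.14.0 fixture, which by the public advisories for these CVEs sits well inside each affected range, so an off-by-one in a module's fixed-version comparison (`<` versus `<=` at the first patched release) would still pass every case here; the affirmative branch is now exercised, but the boundary that produces false negatives on a freshly patched host is not. I would add per module one case at the first fixed release expecting SKELETONKEY_OK and one at the last affected release expecting SKELETONKEY_VULNERABLE, e.g. `run_one("nf_tables: first fixed kernel + userns ok → OK", &nf_tables_module, &h_kernel_nf_tables_fixed_userns_ok, SKELETONKEY_OK);` with the fixture mirroring h_kernel_5_14_userns_ok except for the version fields. The boundary versions should come from each module's own range table rather than from the advisory text, since distro backports make advisory ranges approximate. run_all() begins before this hunk and continues past its end.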