leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

tests: 5 happy-path VULNERABLE assertions (44 total)

Browse Source 
Adds h_kernel_5_14_userns_ok fingerprint (vulnerable kernel +
userns allowed) and uses it to assert the VULNERABLE branch is
reached on the 5 netfilter-class modules whose detect()
short-circuits there once both gates are satisfied:

- nf_tables    (CVE-2024-1086) -> VULNERABLE
- cls_route4   (CVE-2022-2588) -> VULNERABLE
- nft_set_uaf  (CVE-2023-32233) -> VULNERABLE
- nft_fwd_dup  (CVE-2022-25636) -> VULNERABLE
- nft_payload  (CVE-2023-0179) -> VULNERABLE

Combined with the earlier sudo_samedit and pwnkit
vulnerable-version tests, this gives us positive-verdict coverage
on 7 modules (was 2). The detect() logic that decides VULNERABLE
when conditions match is now exercised, not just the precondition
short-circuits.

39 -> 44 cases, all pass on Linux.
This commit is contained in:
KaraZajac
2026-05-23 00:17:17 -04:00
parent 150f16bc97
commit a9c8f7d8c6
1 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_detect.c
+44
View File
@@ -221,6 +221,24 @@ static const struct skeletonkey_host h_kernel_6_12 = {
.unprivileged_userns_allowed = true, .unprivileged_userns_allowed = true,
}; };
/* Vulnerable-era kernel (5.14.0) with userns ENABLED. The mirror
* of h_kernel_5_14_no_userns — for testing the VULNERABLE-by-version
* happy path on modules whose detect() reaches VULNERABLE once both
* version and userns gates are satisfied. Carrier file presence
* (sudo, su, etc.) is read from the actual filesystem; in CI the
* standard Debian containers provide those, so these tests are
* deterministic on Linux. */
static const struct skeletonkey_host h_kernel_5_14_userns_ok = {
.kernel = { .major = 5, .minor = 14, .patch = 0,
.release = "5.14.0-vuln-userns-ok" },
.arch = "x86_64",
.nodename = "test",
.distro_id = "debian",
.is_linux = true,
.is_debian_family = true,
.unprivileged_userns_allowed = true,
};
/* Vulnerable-era kernel (5.14.0) with userns DISABLED. Most /* Vulnerable-era kernel (5.14.0) with userns DISABLED. Most
* netfilter / overlayfs / cgroup-class modules need both an in-range * netfilter / overlayfs / cgroup-class modules need both an in-range
* kernel AND unprivileged userns. Kernel 5.14 was deliberately * kernel AND unprivileged userns. Kernel 5.14 was deliberately
@@ -442,6 +460,32 @@ static void run_all(void)
run_one("sudoedit_editor: sudo_version=1.9.13p1 → OK", run_one("sudoedit_editor: sudo_version=1.9.13p1 → OK",
&sudoedit_editor_module, &h_fixed_sudo, &sudoedit_editor_module, &h_fixed_sudo,
SKELETONKEY_OK); SKELETONKEY_OK);
/* ── happy-path VULNERABLE coverage ──────────────────────────
* Vulnerable kernel + userns allowed reaches the VULNERABLE
* branch on modules whose detect() short-circuits there once
* both gates are satisfied. Tests the affirmative verdict
* path, not just precondition gates. */
run_one("nf_tables: vuln kernel 5.14 + userns ok → VULNERABLE",
&nf_tables_module, &h_kernel_5_14_userns_ok,
SKELETONKEY_VULNERABLE);
run_one("cls_route4: vuln kernel 5.14 + userns ok → VULNERABLE",
&cls_route4_module, &h_kernel_5_14_userns_ok,
SKELETONKEY_VULNERABLE);
run_one("nft_set_uaf: vuln kernel 5.14 + userns ok → VULNERABLE",
&nft_set_uaf_module, &h_kernel_5_14_userns_ok,
SKELETONKEY_VULNERABLE);
run_one("nft_fwd_dup: vuln kernel 5.14 + userns ok → VULNERABLE",
&nft_fwd_dup_module, &h_kernel_5_14_userns_ok,
SKELETONKEY_VULNERABLE);
run_one("nft_payload: vuln kernel 5.14 + userns ok → VULNERABLE",
&nft_payload_module, &h_kernel_5_14_userns_ok,
SKELETONKEY_VULNERABLE);
#else #else
fprintf(stderr, "[i] non-Linux platform: detect() bodies are stubbed; " fprintf(stderr, "[i] non-Linux platform: detect() bodies are stubbed; "
"tests skipped (would tautologically pass).\n"); "tests skipped (would tautologically pass).\n");