verify-vm: close the loop — first successful end-to-end VM verification

Five fixes that landed us at a working 'verify.sh <module> -> JSON verification record' loop. Tested with pwnkit on generic/ubuntu2004 / Ubuntu 20.04.6 LTS / 5.4.0-169-generic. 1. core/nft_compat.h — shim header that conditionally defines newer- kernel nft uapi constants that aren't in older distro headers: NFT_CHAIN_HW_OFFLOAD kernel 5.5 NFT_CHAIN_BINDING kernel 5.9 NFTA_VERDICT_CHAIN_ID kernel 5.14 NFTA_SET_DESC_CONCAT kernel 5.6 NFTA_SET_EXPR kernel 5.12 NFTA_SET_EXPRESSIONS kernel 5.16 NFTA_SET_ELEM_KEY_END kernel 5.6 NFTA_SET_ELEM_EXPRESSIONS kernel 5.16 Numeric values are stable kernel ABI; the target vulnerable kernel understands them at runtime regardless of the build host's headers. Without this, nf_tables / nft_fwd_dup / nft_payload / nft_set_uaf modules fail to compile on Ubuntu 20.04's libc-dev (5.4 uapi). 2. modules/{nf_tables, nft_fwd_dup, nft_payload, nft_set_uaf}/ skeletonkey_modules.c — each #includes the new compat shim after <linux/netfilter/nf_tables.h>. 3. tools/verify-vm/Vagrantfile — wrap config in 'c.vm.define host do |m| ... end' block so 'vagrant up <skk-MODULE>' finds the machine. (Earlier without define block, vagrant always treated the Vagrantfile as a single anonymous machine.) Also disable Parallels Tools auto- install — it fails on Ubuntu 20.04's 5.4 kernel ('current Linux kernel version is outdated and not supported by latest tools'); we use rsync sync_folder over plain SSH which doesn't need the tools. 4. tools/verify-vm/verify.sh — explicit 'vagrant rsync' before 'vagrant provision build-and-verify' so the source tree gets synced even on already-running VMs (vagrant up runs rsync automatically; vagrant provision does not). 5. tools/verify-vm/verify.sh — fix verdict parser. Vagrant prefixes provisioner stdout with the VM name (' skk-pwnkit: VERDICT: VULNERABLE'), so the previous '^VERDICT: ' regex never matched. New grep allows the prefix; added '|| true' so a grep miss doesn't trigger set-e+pipefail and silently exit the script before the JSON verification record gets emitted. First successful verification record: { "module": "pwnkit", "verified_at": "2026-05-23T19:26:02Z", "host_kernel": "5.4.0-169-generic", "host_distro": "Ubuntu 20.04.6 LTS", "vm_box": "generic/ubuntu2004", "expect_detect": "VULNERABLE", "actual_detect": "VULNERABLE", "status": "match" } SKELETONKEY correctly identifies polkit 0.105 on Ubuntu 20.04 as vulnerable to CVE-2021-4034. The verifier pipeline is now ready for sweep across the rest of the corpus.
2026-05-23 15:26:51 -04:00
parent 2c4cde1031
commit f792a3c4a6
6 changed files with 99 additions and 2 deletions
@@ -88,6 +88,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"  /* shims for newer-kernel uapi constants */

 /* ------------------------------------------------------------------
 * Kernel-range table
@@ -77,6 +77,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"

 /* ------------------------------------------------------------------
 * Kernel range table — fixes per branch.
@@ -80,6 +80,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"

 /* ------------------------------------------------------------------
 * Kernel-range table
@@ -79,6 +79,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
+#include "../../core/nft_compat.h"

 /* NFT_SET_EVAL was added in 5.6; older UAPI headers may not define it.
 * Anonymous-set + lookup exploit shape works on builds with this flag,