SKELETONKEY

Author SHA1 Message Date

Author	SHA1	Message	Date
leviathan	2b1e96336e	core/host: in_range helper + 13-module migration + 12 more tests (29 total) Three coordinated changes that build on the host_kernel_at_least landed in `1571b88`: 1. core/host gains skeletonkey_host_kernel_in_range(h, lo..., hi...) — a [lo, hi) bounded-interval check for modules that want the 'vulnerable window' semantics directly. Implemented in terms of host_kernel_at_least (so the comparison logic stays in one place). No module uses it yet; available for new modules that want it. 2. 13 modules migrated off the manual if (v->major < X \|\| (v->major == X && v->minor < Y)) { ... } pattern onto if (!skeletonkey_host_kernel_at_least(ctx->host, X, Y, 0)) { ... } One-line replacements, mechanical, no behavior change. Migrated: af_packet2, dirty_pipe, fuse_legacy, netfilter_xtcompat, nf_tables, nft_fwd_dup, nft_payload, nft_set_uaf, overlayfs, overlayfs_setuid, ptrace_traceme, stackrot, vmwgfx. The repo now has zero manual 'v->major < X' patterns — every predates-check reads the same way. 3. tests/test_detect.c expanded from 17 to 29 cases. Adds: Above-fix coverage on h_kernel_6_12 (10 modules previously untested): af_packet, af_packet2, af_unix_gc, netfilter_xtcompat, nft_set_uaf, nft_fwd_dup, nft_payload, stackrot, sequoia, vmwgfx. Ancient-kernel predates coverage on h_kernel_4_4 (2 more cases): nft_set_uaf (introduced 5.1), stackrot (introduced 6.1). Detect-path test coverage now spans most of the corpus that has a testable host-fingerprint gate. Untested modules from here on are either userspace bugs whose detect() doesn't gate on host fields (pwnkit, sudo_samedit, sudoedit_editor), entrybleed (sysfs-direct, no host gate), or the copy_fail_family bridge (no ctx->host integration yet). Verification: Linux (docker gcc:latest, non-root user): 29/29 pass. macOS (local): 31-module build clean, suite reports 'skipped — Linux-only' as designed.	2026-05-22 23:58:38 -04:00
leviathan	1571b88725	core/host: skeletonkey_host_kernel_at_least + 9 new detect() tests core/host helper: - Adds bool skeletonkey_host_kernel_at_least(h, M, m, p) — the canonical 'kernel >= X.Y.Z' check. Replaces the manual 'v->major < X \|\| (v->major == X && v->minor < Y)' pattern that many modules use for their 'predates the bug' pre-check. Returns false when h is NULL or h->kernel.major == 0 (degenerate cases), true otherwise iff the host kernel sorts at or above the supplied version. - dirtydecrypt migrated as the demo: the 'kernel < 7.0 → predates' pre-check now reads 'if (!host_kernel_at_least(ctx->host, 7, 0, 0))'. Other modules still using the manual pattern continue to work unchanged; migrating them is incremental polish. tests/test_detect.c expansion (8 → 17 cases): New fingerprints: - h_kernel_4_4 — ancient (Linux 4.4 LTS); used for 'predates the bug' on dirty_pipe. - h_kernel_6_12 — recent (Linux 6.12 LTS); above every backport threshold in the corpus — modules report OK via the 'patched by mainline inheritance' branch of kernel_range_is_patched. - h_kernel_5_14_no_userns — vulnerable-era kernel (5.14.0, past every relevant predates check while below every backport entry) with unprivileged_userns_allowed deliberately false; lets the userns gate fire after the version check confirms vulnerable. New tests (9): - dirty_pipe + kernel 4.4 → OK (predates 5.8 introduction) - dirty_pipe + kernel 6.12 → OK (above every backport) - dirty_cow + kernel 6.12 → OK (above 4.9 fix) - ptrace_traceme + kernel 6.12 → OK (above 5.1.17 fix) - cgroup_release_agent + kernel 6.12 → OK (above 5.17 fix) - nf_tables + vuln kernel + userns=false → PRECOND_FAIL - fuse_legacy + vuln kernel + userns=false → PRECOND_FAIL - cls_route4 + vuln kernel + userns=false → PRECOND_FAIL - overlayfs_setuid + vuln kernel + userns=false → PRECOND_FAIL Process note: initial 8th and 9th userns tests failed because the chosen test kernel (5.10.0) tripped each module's predates check (nf_tables bug introduced 5.14; overlayfs_setuid 5.11). Switched to 5.14.0, which is past every predates threshold AND below every backport entry in this batch — the version verdict is now genuinely 'vulnerable' and the userns gate fires next. The bug-finding tests caught a real-but-narrow modeling gap in the original picks. Verification: - Linux (docker gcc:latest, non-root user): 17/17 pass. - macOS (local): builds clean, suite reports 'skipped — Linux-only' as designed.	2026-05-22 23:52:10 -04:00
leviathan	ea1744e6f0	tests: detect() unit harness with mocked ctx->host Adds tests/test_detect.c — a standalone harness that constructs synthetic struct skeletonkey_host fingerprints (vulnerable / patched / specific-gate-closed) and asserts each migrated module's detect() returns the expected verdict. First real test coverage for the corpus; catches regressions in the host-fingerprint-consuming logic. Initial coverage — 8 deterministic cases across the 4 modules that already consume ctx->host: - dirtydecrypt: 3 cases verifying 'kernel < 7.0 -> predates the bug' short-circuit on synthetic 6.12 / 6.14 / 6.8 hosts. - fragnesia: unprivileged_userns_allowed=false -> PRECOND_FAIL. - pack2theroot: is_debian_family=false -> PRECOND_FAIL. - pack2theroot: has_dbus_system=false -> PRECOND_FAIL. - overlayfs: distro=debian / distro=fedora -> 'not Ubuntu' -> OK. Coverage grows automatically as more modules migrate to ctx->host (task #12 below adds them). Each new module that consults the host fingerprint can have its precondition gates tested with a one-line EXPECT_DETECT call against a pre-built fingerprint. Wiring: - Makefile: new MODULE_OBJS var consolidates the module .o list so both the main binary and the test binary can share it without duplication. New TEST_BIN := skeletonkey-test target. 'make test' builds and runs the suite. - .github/workflows/build.yml: install libglib2.0-dev + pkg-config so pack2theroot builds with GLib in CI (was previously stub-compiling). New 'tests — detect() unit suite' step runs 'make test' as a non-root user so modules' 'already root' gates don't short-circuit before the synthetic host checks fire. - Test harness compiles cross-platform but assertions are #ifdef __linux__ guarded (on non-Linux all module detect() bodies stub-out to PRECOND_FAIL, making assertions tautological); macOS dev build reports 'skipped'. Module change: - pack2theroot p2tr_detect now consults ctx->host->is_root (with a geteuid() fallback when ctx->host is null) instead of calling geteuid() directly. Production behaviour is identical (host->is_root is populated from geteuid() at startup); tests can now construct non-root fingerprints regardless of the test process's actual euid. Exposed a real consistency issue worth fixing. Verified in docker as non-root: 8/8 pass on Linux. macOS reports 'skipped' as designed.	2026-05-22 23:32:12 -04:00

2b1e96336e

core/host: in_range helper + 13-module migration + 12 more tests (29 total)

Three coordinated changes that build on the host_kernel_at_least
landed in 1571b88:

1. core/host gains skeletonkey_host_kernel_in_range(h, lo..., hi...)
   — a [lo, hi) bounded-interval check for modules that want the
   'vulnerable window' semantics directly. Implemented in terms of
   host_kernel_at_least (so the comparison logic stays in one place).
   No module uses it yet; available for new modules that want it.

2. 13 modules migrated off the manual
        if (v->major < X || (v->major == X && v->minor < Y)) { ... }
   pattern onto
        if (!skeletonkey_host_kernel_at_least(ctx->host, X, Y, 0)) { ... }
   One-line replacements, mechanical, no behavior change.

   Migrated: af_packet2, dirty_pipe, fuse_legacy, netfilter_xtcompat,
   nf_tables, nft_fwd_dup, nft_payload, nft_set_uaf, overlayfs,
   overlayfs_setuid, ptrace_traceme, stackrot, vmwgfx. The repo now
   has zero manual 'v->major < X' patterns — every predates-check
   reads the same way.

3. tests/test_detect.c expanded from 17 to 29 cases. Adds:

   Above-fix coverage on h_kernel_6_12 (10 modules previously
   untested): af_packet, af_packet2, af_unix_gc, netfilter_xtcompat,
   nft_set_uaf, nft_fwd_dup, nft_payload, stackrot, sequoia, vmwgfx.

   Ancient-kernel predates coverage on h_kernel_4_4 (2 more cases):
   nft_set_uaf (introduced 5.1), stackrot (introduced 6.1).

   Detect-path test coverage now spans most of the corpus that
   has a testable host-fingerprint gate. Untested modules from
   here on are either userspace bugs whose detect() doesn't gate
   on host fields (pwnkit, sudo_samedit, sudoedit_editor),
   entrybleed (sysfs-direct, no host gate), or the copy_fail_family
   bridge (no ctx->host integration yet).

Verification: Linux (docker gcc:latest, non-root user): 29/29 pass.
macOS (local): 31-module build clean, suite reports 'skipped —
Linux-only' as designed.

2026-05-22 23:58:38 -04:00

leviathan

1571b88725

core/host: skeletonkey_host_kernel_at_least + 9 new detect() tests

core/host helper:
- Adds bool skeletonkey_host_kernel_at_least(h, M, m, p) — the
  canonical 'kernel >= X.Y.Z' check. Replaces the manual
  'v->major < X || (v->major == X && v->minor < Y)' pattern that
  many modules use for their 'predates the bug' pre-check. Returns
  false when h is NULL or h->kernel.major == 0 (degenerate cases),
  true otherwise iff the host kernel sorts at or above the supplied
  version.
- dirtydecrypt migrated as the demo: the 'kernel < 7.0 → predates'
  pre-check now reads 'if (!host_kernel_at_least(ctx->host, 7, 0, 0))'.
  Other modules still using the manual pattern continue to work
  unchanged; migrating them is incremental polish.

tests/test_detect.c expansion (8 → 17 cases):

New fingerprints:
- h_kernel_4_4    — ancient (Linux 4.4 LTS); used for 'predates the
                    bug' on dirty_pipe.
- h_kernel_6_12   — recent (Linux 6.12 LTS); above every backport
                    threshold in the corpus — modules report OK via
                    the 'patched by mainline inheritance' branch of
                    kernel_range_is_patched.
- h_kernel_5_14_no_userns — vulnerable-era kernel (5.14.0, past
                    every relevant predates check while below every
                    backport entry) with unprivileged_userns_allowed
                    deliberately false; lets the userns gate fire
                    after the version check confirms vulnerable.

New tests (9):
- dirty_pipe + kernel 4.4 → OK (predates 5.8 introduction)
- dirty_pipe + kernel 6.12 → OK (above every backport)
- dirty_cow + kernel 6.12 → OK (above 4.9 fix)
- ptrace_traceme + kernel 6.12 → OK (above 5.1.17 fix)
- cgroup_release_agent + kernel 6.12 → OK (above 5.17 fix)
- nf_tables + vuln kernel + userns=false → PRECOND_FAIL
- fuse_legacy + vuln kernel + userns=false → PRECOND_FAIL
- cls_route4 + vuln kernel + userns=false → PRECOND_FAIL
- overlayfs_setuid + vuln kernel + userns=false → PRECOND_FAIL

Process note: initial 8th and 9th userns tests failed because the
chosen test kernel (5.10.0) tripped each module's predates check
(nf_tables bug introduced 5.14; overlayfs_setuid 5.11). Switched to
5.14.0, which is past every predates threshold AND below every
backport entry in this batch — the version verdict is now genuinely
'vulnerable' and the userns gate fires next. The bug-finding tests
caught a real-but-narrow modeling gap in the original picks.

Verification:
- Linux (docker gcc:latest, non-root user): 17/17 pass.
- macOS (local): builds clean, suite reports 'skipped — Linux-only'
  as designed.

2026-05-22 23:52:10 -04:00

leviathan

ea1744e6f0

tests: detect() unit harness with mocked ctx->host

Adds tests/test_detect.c — a standalone harness that constructs
synthetic struct skeletonkey_host fingerprints (vulnerable / patched /
specific-gate-closed) and asserts each migrated module's detect()
returns the expected verdict. First real test coverage for the corpus;
catches regressions in the host-fingerprint-consuming logic.

Initial coverage — 8 deterministic cases across the 4 modules that
already consume ctx->host:
- dirtydecrypt: 3 cases verifying 'kernel < 7.0 -> predates the bug'
  short-circuit on synthetic 6.12 / 6.14 / 6.8 hosts.
- fragnesia: unprivileged_userns_allowed=false -> PRECOND_FAIL.
- pack2theroot: is_debian_family=false -> PRECOND_FAIL.
- pack2theroot: has_dbus_system=false -> PRECOND_FAIL.
- overlayfs: distro=debian / distro=fedora -> 'not Ubuntu' -> OK.

Coverage grows automatically as more modules migrate to ctx->host
(task #12 below adds them). Each new module that consults the host
fingerprint can have its precondition gates tested with a one-line
EXPECT_DETECT call against a pre-built fingerprint.

Wiring:
- Makefile: new MODULE_OBJS var consolidates the module .o list so
  both the main binary and the test binary can share it without
  duplication. New TEST_BIN := skeletonkey-test target. 'make test'
  builds and runs the suite.
- .github/workflows/build.yml: install libglib2.0-dev + pkg-config so
  pack2theroot builds with GLib in CI (was previously stub-compiling).
  New 'tests — detect() unit suite' step runs 'make test' as a
  non-root user so modules' 'already root' gates don't short-circuit
  before the synthetic host checks fire.
- Test harness compiles cross-platform but assertions are #ifdef
  __linux__ guarded (on non-Linux all module detect() bodies stub-out
  to PRECOND_FAIL, making assertions tautological); macOS dev build
  reports 'skipped'.

Module change:
- pack2theroot p2tr_detect now consults ctx->host->is_root (with a
  geteuid() fallback when ctx->host is null) instead of calling
  geteuid() directly. Production behaviour is identical
  (host->is_root is populated from geteuid() at startup); tests can
  now construct non-root fingerprints regardless of the test
  process's actual euid. Exposed a real consistency issue worth
  fixing.

Verified in docker as non-root: 8/8 pass on Linux. macOS reports
'skipped' as designed.

2026-05-22 23:32:12 -04:00

3 Commits