Commit Graph

11 Commits

Author SHA1 Message Date
leviathan 3e9f373751 release.yml: arm64-static — give musl-gcc access to Linux uapi headers
Previous attempt failed with:
  modules/copy_fail_family/src/apparmor_bypass.c:23:10:
  fatal error: linux/capability.h: No such file or directory

musl-gcc points at musl's libc headers, which (correctly) don't
include Linux kernel uapi (linux/netfilter/*.h, linux/capability.h,
etc.). On Ubuntu these come from the linux-libc-dev package living
at /usr/include + /usr/include/aarch64-linux-gnu.

Fix: -isystem both paths so musl-gcc can find Linux uapi without
those paths shadowing musl's own libc decls (which they would if
we used a plain -I). The Alpine x86_64 build doesn't hit this
because Alpine's linux-headers package installs into musl's own
include path.
2026-05-23 21:15:01 -04:00
leviathan 24c2821ae2 release.yml: arm64-static via musl-tools on ubuntu-24.04-arm (not Alpine)
The v0.7.1 arm64-static build failed with:
  'JavaScript Actions in Alpine containers are only supported on
   x64 Linux runners. Detected Linux Arm64'

actions/checkout (and most other GitHub Actions) ship as Node.js
bundles. On x86_64, GitHub's runner injects a glibc-compatible Node
into Alpine containers; on arm64, that injection isn't available.
The container fails to even check out the repo.

Fix: run the arm64 static build natively on ubuntu-24.04-arm (a
glibc-based runner that actions/checkout works on out of the box),
and use Ubuntu's musl-tools package to get musl-gcc + musl-dev for
the static link. The produced binary is still statically-linked
against musl — just built outside an Alpine container.

Refactor: the previous build-static matrix becomes two distinct
jobs (build-static-x86_64 still Alpine-on-x64; build-static-arm64
now musl-tools-on-arm64). The release job's needs[] list and the
artifact list are unchanged at the consumer level — the same four
binaries (x86_64 dyn + static, arm64 dyn + static) plus install.sh
still get published.
2026-05-23 21:13:06 -04:00
leviathan 5d48a7b0b5 release v0.7.1: arm64-static binary + per-module arch_support
Two additions on top of v0.7.0:

1. skeletonkey-arm64-static is now published alongside the existing
   x86_64-static binary. Built native-arm64 in Alpine via GitHub's
   ubuntu-24.04-arm runner pool (free for public repos as of 2024).
   install.sh auto-picks it based on 'uname -m'; SKELETONKEY_DYNAMIC=1
   fetches the dynamic build instead. Works on Raspberry Pi 4+, Apple
   Silicon Linux VMs, AWS Graviton, Oracle Ampere, Hetzner ARM, etc.

   .github/workflows/release.yml refactor: the previous single
   build-static-x86_64 job becomes a build-static matrix with two
   entries (x86_64-static on ubuntu-latest, arm64-static on
   ubuntu-24.04-arm). Both share the same Alpine container + build
   recipe.

2. .arch_support field on struct skeletonkey_module — honest per-module
   labeling of which architectures the exploit() body has been verified
   on. Three categories:

     'any' (4 modules): pwnkit, sudo_samedit, sudoedit_editor,
       pack2theroot. Purely userspace; arch-independent.

     'x86_64' (1 module): entrybleed. KPTI prefetchnta side-channel;
       x86-only by physics. Already source-gated (returns
       PRECOND_FAIL on non-x86_64).

     'x86_64+unverified-arm64' (26 modules): kernel exploitation
       code. The bug class is generic but the exploit primitives
       (msg_msg sprays, finisher chain, struct offsets) haven't been
       confirmed on arm64. detect() still works (just reads ctx->host);
       only the --exploit path is in question.

   --list now has an ARCH column (any / x64 / x64?) and the footer
   prints 'N arch-independent (any)'.
   --module-info prints 'arch support: <value>'.
   --scan --json adds 'arch_support' to each module record.

This is the honest 'arm64 works for detection on every module +
exploitation on 4 of them today; the rest await empirical arm64
sweep' framing — not pretending the kernel exploits already work
there, but not blocking the arm64 binary on that either. arm64
users get the full triage workflow + a handful of userspace exploits
out of the box, plus a clear roadmap for the rest.

Future work to promote modules from 'x86_64+unverified-arm64' to
'any': add an arm64 Vagrant box (generic/debian12-arm64 etc.) to
tools/verify-vm/ and run a verification sweep on Apple Silicon /
ARM Linux hardware.
2026-05-23 21:10:54 -04:00
leviathan 5b79b23ff2 ci: ASan/UBSan + clang-tidy lint + weekly drift check
Three new jobs in build.yml:

1. sanitizers (clang + ASan/UBSan)
   Runs the same 88-test suite under AddressSanitizer +
   UndefinedBehaviorSanitizer. -fno-sanitize-recover=all so any
   finding fails CI loudly rather than scrolling past. -O1 + frame-
   pointers preserved for usable backtraces. CC=clang because clang's
   sanitizer integration is more mature than gcc's; gcc-built binaries
   still get exercised by the matrix in the main 'build' job.

2. clang-tidy (advisory)
   Lints core/ + skeletonkey.c (the files we control most directly;
   module sources often bundle published PoC code we keep close to
   upstream style, so they're excluded). continue-on-error: true for
   now so it sets a baseline without blocking merges; we can tighten
   incrementally as the warning surface shrinks.

3. drift-check (cron + workflow_dispatch)
   Runs weekly (Mon 06:00 UTC) and on-demand. Two sub-steps:
     - tools/refresh-cve-metadata.py --check  (CISA KEV + NVD CWE)
     - tools/refresh-kernel-ranges.py         (Debian security tracker)
   Both already exit non-zero on actionable drift. Network-required,
   so NOT gated on regular PR runs — random PRs shouldn't fail because
   CISA published a new KEV entry. The job runs ONLY on schedule +
   manual trigger (if: github.event_name == 'schedule' || ...).
   When it fires, the GH Actions warning annotation points the
   maintainer at the right refresh script to rerun + commit.

Smoke-tested locally:
  - macOS local ASan+UBSan build: kernel_range tests pass; detect()
    tests skipped (non-Linux platform stubs).
  - clang-tidy not installed locally; CI installs from apt.
2026-05-23 20:46:27 -04:00
leviathan 264759832a release v0.7.0: 22-of-26 VM-verified + --explain + OPSEC + KEV metadata
Bumps SKELETONKEY_VERSION to 0.7.0 and adds docs/RELEASE_NOTES.md with
the full v0.7.0 changelog. release.yml updated to use the hand-written
notes file as the GitHub Release body (falls back to the auto-generated
stub when docs/RELEASE_NOTES.md isn't present, so older tags still
publish cleanly).

Headline: empirical VM verification across 22 of 26 CVEs, plus the
--explain operator briefing mode, OPSEC notes per module, CISA KEV +
NVD CWE + MITRE ATT&CK metadata pipeline, 119 detection rules across
all 4 SIEM formats, kernel.ubuntu.com mainline kernel fetch path, and
the new marketing-grade landing page. Full breakdown in
docs/RELEASE_NOTES.md.

Tag v0.7.0 next; release workflow auto-builds + publishes the 3
binaries (x86_64 dynamic, x86_64 static-musl via Alpine, arm64
dynamic) with checksums.
2026-05-23 20:44:45 -04:00
leviathan 027fc1f9dd release.yml: add static-musl x86_64 build (Alpine)
Adds a third matrix job that builds a static-musl binary on Alpine
so future tags ship 4 assets per arch: dynamic + static.

The dynamic x86_64 build (gcc on ubuntu-latest) hits a glibc-version
ceiling — built against glibc 2.39, refuses to run on Debian 12
(2.36), RHEL 8/9, etc. install.sh now fetches the static asset by
default for x86_64; the dynamic remains available via
SKELETONKEY_DYNAMIC=1.

Static build details:
- Alpine container (native musl + linux-headers from apk).
- -DMSG_COPY=040000 covers the only musl-vs-glibc gap
  (netfilter_xtcompat uses MSG_COPY, which is a Linux-kernel
  constant that glibc exposes but musl omits — kernel header:
  include/uapi/linux/msg.h).
- LDFLAGS=-static produces a static-PIE ELF (~1.2 MB).
- Cross-distro verified locally: Alpine-built binary runs on
  Debian/Ubuntu/Fedora/RHEL.

Locally-built static binary was uploaded to v0.6.2 by hand to
unblock the one-liner installer immediately.
2026-05-23 00:30:13 -04:00
leviathan ea1744e6f0 tests: detect() unit harness with mocked ctx->host
Adds tests/test_detect.c — a standalone harness that constructs
synthetic struct skeletonkey_host fingerprints (vulnerable / patched /
specific-gate-closed) and asserts each migrated module's detect()
returns the expected verdict. First real test coverage for the corpus;
catches regressions in the host-fingerprint-consuming logic.

Initial coverage — 8 deterministic cases across the 4 modules that
already consume ctx->host:
- dirtydecrypt: 3 cases verifying 'kernel < 7.0 -> predates the bug'
  short-circuit on synthetic 6.12 / 6.14 / 6.8 hosts.
- fragnesia: unprivileged_userns_allowed=false -> PRECOND_FAIL.
- pack2theroot: is_debian_family=false -> PRECOND_FAIL.
- pack2theroot: has_dbus_system=false -> PRECOND_FAIL.
- overlayfs: distro=debian / distro=fedora -> 'not Ubuntu' -> OK.

Coverage grows automatically as more modules migrate to ctx->host
(task #12 below adds them). Each new module that consults the host
fingerprint can have its precondition gates tested with a one-line
EXPECT_DETECT call against a pre-built fingerprint.

Wiring:
- Makefile: new MODULE_OBJS var consolidates the module .o list so
  both the main binary and the test binary can share it without
  duplication. New TEST_BIN := skeletonkey-test target. 'make test'
  builds and runs the suite.
- .github/workflows/build.yml: install libglib2.0-dev + pkg-config so
  pack2theroot builds with GLib in CI (was previously stub-compiling).
  New 'tests — detect() unit suite' step runs 'make test' as a
  non-root user so modules' 'already root' gates don't short-circuit
  before the synthetic host checks fire.
- Test harness compiles cross-platform but assertions are #ifdef
  __linux__ guarded (on non-Linux all module detect() bodies stub-out
  to PRECOND_FAIL, making assertions tautological); macOS dev build
  reports 'skipped'.

Module change:
- pack2theroot p2tr_detect now consults ctx->host->is_root (with a
  geteuid() fallback when ctx->host is null) instead of calling
  geteuid() directly. Production behaviour is identical
  (host->is_root is populated from geteuid() at startup); tests can
  now construct non-root fingerprints regardless of the test
  process's actual euid. Exposed a real consistency issue worth
  fixing.

Verified in docker as non-root: 8/8 pass on Linux. macOS reports
'skipped' as designed.
2026-05-22 23:32:12 -04:00
leviathan 9593d90385 rename: IAMROOT → SKELETONKEY across the entire project
Breaking change. Tool name, binary name, function/type names,
constant names, env vars, header guards, file paths, and GitHub
repo URL all rebrand IAMROOT → SKELETONKEY.

Changes:
  - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum
    values, docs, comments)
  - All "iamroot" → "skeletonkey" (functions, types, paths, CLI)
  - iamroot.c → skeletonkey.c
  - modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h}
  - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh
  - Binary "iamroot" → "skeletonkey"
  - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY
  - .gitignore now expects build output named "skeletonkey"
  - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-*
  - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_*

New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow
SKELETONKEY block letters) replaces the IAMROOT banner in
skeletonkey.c and README.md.

VERSION: 0.3.1 → 0.4.0 (breaking).

Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0.
All 24 modules still register; no functional code changes — pure
rename + banner refresh.
2026-05-16 22:43:49 -04:00
leviathan a564571e88 ci: add libc6-dev-arm64-cross for aarch64 cross-build
The v0.1.0 tag's arm64 job failed with
  fatal error: bits/wordsize.h: No such file or directory
because gcc-aarch64-linux-gnu alone doesn't pull in the cross libc
headers on Ubuntu 24.04 runners. Add libc6-dev-arm64-cross +
linux-libc-dev-arm64-cross so the cross-toolchain has its sysroot.
2026-05-16 21:42:22 -04:00
leviathan b24934156a Install ergonomics: GitHub release workflow + install.sh + README quickstart
For 'people should say just use iamroot' framing, the install gate is
the single biggest discoverability bottleneck. This commit makes it:

  curl -sSL https://github.com/KaraZajac/IAMROOT/releases/latest/download/install.sh | sh

.github/workflows/release.yml:
- Triggers on semver tag push (v*.*.*) + manual dispatch.
- Matrix build for x86_64 (gcc) and arm64 (aarch64-linux-gnu-gcc cross).
- Per-arch sha256sum alongside the binary.
- Auto-generates release notes pointing at CVES.md / ROADMAP.md and
  including the install one-liner with the version-specific URL.
- Publishes via softprops/action-gh-release@v2.

install.sh (also uploaded as a release artifact, so the curl|sh
above is stable):
- Detects arch (x86_64 / aarch64 → arm64).
- Pulls iamroot-<arch> + iamroot-<arch>.sha256 from the requested
  version (default: latest).
- Verifies sha256 via sha256sum or shasum -a 256.
- Installs to /usr/local/bin/iamroot (or $IAMROOT_PREFIX). Uses sudo
  iff /usr/local/bin isn't already writable.
- Prints quickstart hints + ethics pointer at the end.
- Env knobs: IAMROOT_VERSION, IAMROOT_PREFIX, IAMROOT_REPO.

README.md gains a 'Quickstart' section at the top with the four
canonical commands: install, --scan, --audit, --detect-rules,
fleet-scan. Lands the 'curl|bash and go' UX as the first thing
visitors see.
2026-05-16 21:01:34 -04:00
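The checksum step of the install flow described in that commit, as an added illustration that is not the project's install.sh: it keeps the same sha256sum / shasum -a 256 fallback order and checks a constructed sample artifact (the file name skeletonkey-x86_64 and the payload are assumptions; the payload 'abc' has a well-known SHA-256, so nothing is fetched).

```shell
#!/bin/sh
# Added example of the verification step install.sh performs; this is a
# standalone illustration, not the project's own install.sh.
set -e

# Digest helper with the same fallback order install.sh uses:
# sha256sum (GNU coreutils) first, then shasum -a 256 (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool available" >&2
        return 2
    fi
}

# verify_sha256 <artifact> <sumfile>
# sumfile is the sidecar "<hex>  <name>" line that 'sha256sum artifact' emits.
# Exit status: 0 match, 1 mismatch, 2 malformed sumfile or no digest tool.
verify_sha256() {
    expected=$(awk 'NR == 1 { print tolower($1) }' "$2")
    case "$expected" in
        *[!0-9a-f]* | '') echo "malformed sumfile: $2" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed sumfile: $2" >&2; return 2; }
    actual=$(sha256_of "$1") || return 2
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $expected, got $actual" >&2
    return 1
}

# Constructed sample input (hypothetical artifact name): the payload 'abc'
# has the well-known SHA-256 ba7816bf...15ad, so no network fetch is needed.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/skeletonkey-x86_64"
echo 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  skeletonkey-x86_64' > "$demo_dir/good.sha256"
echo '0000000000000000000000000000000000000000000000000000000000000000  skeletonkey-x86_64' > "$demo_dir/tampered.sha256"
echo 'not-a-digest  skeletonkey-x86_64' > "$demo_dir/malformed.sha256"

verify_sha256 "$demo_dir/skeletonkey-x86_64" "$demo_dir/good.sha256" && echo "good.sha256: OK"
```

Because the sidecar .sha256 is served from the same release as the binary, a match rules out a corrupted or truncated download but not a compromised publisher; pin a digest recorded out-of-band or check a signature when that distinction matters.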
leviathan 4943b82129 Phase 4 (partial): GitHub Actions build-check CI
- .github/workflows/build.yml: matrix of {gcc, clang} x {default,
  debug} builds on every push + PR. Smoke tests after build:
  --version, --list, --scan, --detect-rules auditd, --detect-rules
  sigma. Build failure breaks merge gate.
- Static-build job runs continue-on-error (glibc + NSS issue with
  static linking — getpwnam pulls in NSS at runtime; legacy DIRTYFAIL
  Makefile noted this. Revisit with musl-gcc to get a truly portable
  static binary).
- Kernel-VM matrix placeholder commented at the bottom of build.yml.
  Real kernel matrix needs self-hosted runners or a paid VM service —
  out of scope for tonight, in scope for Phase 4 followup.
2026-05-16 20:02:53 -04:00