8ac041a295ff03918c84599cacefd7d09660d0fd
5 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 leviathan
|
8ac041a295 |
release v0.9.1: VM verification sweep 22 → 27
release / build (arm64) (push) Waiting to run
release / build (x86_64) (push) Waiting to run
release / build (x86_64-static / musl) (push) Waiting to run
release / build (arm64-static / musl) (push) Waiting to run
release / release (push) Blocked by required conditions
Five more CVEs empirically confirmed end-to-end against real Linux VMs:
- CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant)
- CVE-2020-29661 tioscpgrp (Ubuntu 20.04 pinned to 5.4.0-26)
- CVE-2024-26581 nft_pipapo (Ubuntu 22.04 + mainline 5.15.5)
- CVE-2025-32463 sudo_chwoot (Ubuntu 22.04 + sudo 1.9.16p1 from source)
- CVE-2025-6019 udisks_libblockdev (Debian 12 + udisks2 + polkit rule)
Required real plumbing work:
- Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh)
- Two-phase provision in verify.sh (prep → reboot if needed → verify)
fixes silent-fail where new kernel installed but VM never rebooted
- GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks
(kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target)
- Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/)
mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on
Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config
mismatch). Genuinely needs a CentOS 6 / Debian 7 image.
|
||
|
leviathan
|
312e7d89b5 |
verify-vm: kernel.ubuntu.com mainline integration — 22 modules verified
Unblocks the 4 previously-PIN_FAIL modules by adding a fallback path to kernel.ubuntu.com/mainline/ for any kernel no longer in apt. Adds 4 more matches to the verified_on table for a total of 22 modules confirmed against real Linux VMs: af_unix_gc ubuntu2204 + mainline 5.15.5 match nf_tables ubuntu2204 + mainline 5.15.5 match nft_set_uaf ubuntu2204 + mainline 5.15.5 match stackrot ubuntu2204 + mainline 6.1.10 match Mechanism: tools/verify-vm/Vagrantfile — new 'pin-mainline-<X.Y.Z>' shell provisioner. Fetches the directory index at https://kernel.ubuntu.com/mainline/v<X.Y.Z>/amd64/, parses out the 4 canonical .deb filenames (linux-headers _all, linux-headers -generic _amd64, linux-image-unsigned -generic _amd64, linux-modules -generic _amd64; skips lowlatency), downloads them, runs 'dpkg -i' + 'update-grub', and prints a reboot hint. Mainline package version like '5.15.5-051505' sorts ABOVE Ubuntu's stock '5.15.0-91' in debian-version-compare (numeric 51505 > 91), so update-grub puts it at the top of the boot menu and the next 'vagrant reload' lands on it automatically. uname then reports '5.15.5-051505-generic' which our parser sees as 5.15.5 → in our kernel_range table's vulnerable window → empirical VULNERABLE. tools/verify-vm/verify.sh — new SKK_VM_MAINLINE_VERSION env passed to the Vagrantfile. Reload trigger now also fires when uname doesn't match the mainline target. tools/verify-vm/targets.yaml — new 'mainline_version' field on the 4 PIN_FAIL targets. kernel_pkg is left empty; mainline_version drives the fetch. Picked 5.15.5 (Nov 2021) for the 5.15-line CVEs and 6.1.10 (Feb 2023) for stackrot — both below every relevant backport. Final sweep status (22 of 26 CVEs): ✓ MATCHES (22): pwnkit, cgroup_release_agent, netfilter_xtcompat, fuse_legacy, nft_fwd_dup, entrybleed, overlayfs, overlayfs_setuid, sudoedit_editor, ptrace_traceme, sudo_samedit, af_packet, pack2theroot, cls_route4, nft_payload, af_packet2, sequoia, dirty_pipe, nf_tables, af_unix_gc, nft_set_uaf, stackrot 🚫 NOT VERIFIED (4 — flagged in targets.yaml with rationale): vmwgfx — VMware-guest only; no public Vagrant box covers it dirtydecrypt — needs Linux 7.0; not shipping as any distro kernel fragnesia — needs Linux 7.0; same dirty_cow — needs ≤ 4.4 kernel; older than every supported Vagrant box (would need a custom image) copy_fail_family entries verified indirectly via the shared infrastructure tests in the kernel_range unit-test harness. The 22 records are baked into core/verifications.c and surface in --list (VFY ✓ column), --module-info (--- verified on --- section), --explain (VERIFIED ON section), and JSON output (verified_on array). 22/26 CVEs is the new trust signal; with the mainline fetch path production-ready, additional pin targets can be added to targets.yaml without code changes. |
||
|
leviathan
|
2c131df1bf |
verify-vm sweep complete: 18 modules confirmed across 5 Linux distros
Full sweep results:
MATCHES (18 — empirically confirmed in real Linux VMs):
pwnkit ubuntu2004 5.4.0-169 VULNERABLE
cgroup_release_agent debian11 5.10.0-27 VULNERABLE
netfilter_xtcompat debian11 5.10.0-27 VULNERABLE
fuse_legacy debian11 5.10.0-27 VULNERABLE
nft_fwd_dup debian11 5.10.0-27 VULNERABLE
entrybleed ubuntu2204 5.15.0-91 VULNERABLE
overlayfs ubuntu2004 5.4.0-169 VULNERABLE
overlayfs_setuid ubuntu2204 5.15.0-91 VULNERABLE
sudoedit_editor ubuntu2204 5.15.0-91 PRECOND_FAIL (no sudoers grant)
ptrace_traceme ubuntu1804 4.15.0-213 VULNERABLE
sudo_samedit ubuntu1804 4.15.0-213 VULNERABLE
af_packet ubuntu1804 4.15.0-213 OK (4.15 is post-fix)
pack2theroot debian12 6.1.0-17 PRECOND_FAIL (no PackageKit installed)
cls_route4 ubuntu2004 5.15.0-43 VULNERABLE
nft_payload ubuntu2004 5.15.0-43 VULNERABLE
af_packet2 ubuntu2004 5.4.0-26 VULNERABLE
sequoia ubuntu2004 5.4.0-26 VULNERABLE
dirty_pipe ubuntu2204 5.15.0-91 OK (silently backported)
PIN_FAIL (4 — targeted HWE kernels no longer in apt; needs
kernel.ubuntu.com mainline integration, deferred):
nf_tables wanted ubuntu2204 + 5.15.0-43-generic
af_unix_gc wanted ubuntu2204 + 5.15.0-43-generic
stackrot wanted ubuntu2204 + 6.1.0-13-generic
nft_set_uaf wanted ubuntu2204 + 5.19.0-32-generic
MANUAL / SPECIAL TARGETS (5 — flagged in targets.yaml):
vmwgfx — VMware-guest only; no Vagrant box covers it
dirtydecrypt — needs Linux 7.0 (not shipping yet)
fragnesia — needs Linux 7.0 (not shipping yet)
dirty_cow — needs <= 4.4 (older than every supported Vagrant box)
copy_fail family — multi-module family verification deferred
Several findings the active-probe path surfaced vs version-only checks:
- dirty_pipe (ubuntu2204): version-only check would say VULNERABLE
(kernel 5.15.0 < 5.15.25 backport in our table), but Ubuntu has
silently backported the fix into the -91 patch level. --active
probe correctly identified the primitive as blocked → OK.
- af_packet (ubuntu1804): the bug was fixed in 4.10.6 mainline +
4.9.18 backport. Ubuntu 18.04's stock 4.15.0 is post-fix — detect()
correctly returns OK. The targets.yaml entry was originally wrong;
fixed now.
- sudoedit_editor: version-wise the host is vulnerable (sudo 1.9.9),
but the bug requires an actual sudoedit grant in /etc/sudoers — and
the default Vagrant user has none. detect() correctly returns
PRECOND_FAIL ('vuln version present, no grant to abuse'). Same as
one of our unit tests.
- pack2theroot: needs an active PackageKit daemon on the system bus.
Debian 12's generic cloud image is server-oriented and omits
PackageKit. detect() correctly returns PRECOND_FAIL. Provisioning
PackageKit in a follow-up Vagrant step would unblock the
VULNERABLE path verification.
Plumbing fixes that landed in the sweep:
- core/nft_compat.h — NFTA_CHAIN_FLAGS (kernel 5.7) + NFTA_CHAIN_ID
(5.13). Without these, nft_fwd_dup fails to compile against
Ubuntu 18.04's 4.15-era nf_tables uapi, which blocked the entire
skeletonkey binary from building on that box and prevented
verification of ptrace_traceme / sudo_samedit / af_packet.
- tools/verify-vm/Vagrantfile — 'privileged: false' on the
build-and-verify provisioner. Vagrant's default runs as root;
pack2theroot's detect() short-circuits with 'already root —
nothing to do' when running as uid 0, which would invalidate
every euid-aware module's verification.
- tools/verify-vm/targets.yaml — corrected expectations for af_packet
(stock 18.04 4.15 is post-fix), pack2theroot (no PackageKit on
server cloud image), sudoedit_editor (no sudoers grant), and
dirty_pipe (silent Ubuntu backport).
- tools/refresh-verifications.py — dedup key changed from
(module, vm_box, host_kernel, expect_detect) to
(module, vm_box, host_kernel). When an expectation is corrected
mid-sweep, the new record cleanly supersedes the old one instead
of accumulating.
The verifier loop is now production-ready and the trust signal in
--list / --module-info / --explain reflects 18 modules confirmed
against real Linux. Next-step bucket:
- kernel.ubuntu.com mainline integration → unblock 4 PIN_FAIL pins.
- Optional PackageKit provisioner on debian12 → unblock pack2theroot
VULNERABLE path.
|
||
|
leviathan
|
48d5f15828 |
verify-vm sweep: 13 modules confirmed end-to-end + Vagrant fixes
Sweep results across 3 phases:
Phase 1 (no-pin, cached boxes) — 4/5 match:
entrybleed ubuntu2204 5.15.0-91-generic match
overlayfs ubuntu2004 5.4.0-169-generic match
overlayfs_setuid ubuntu2204 5.15.0-91-generic match
nft_fwd_dup debian11 5.10.0-27-amd64 match
sudoedit_editor ubuntu2204 MISMATCH (no sudoers grant — expected-fix below)
Phase 2 (new boxes ubuntu1804 + debian12) — 0/4 match:
ptrace_traceme \
sudo_samedit \ all FAILED to build: nft_fwd_dup needs
af_packet / NFTA_CHAIN_FLAGS (kernel 5.7), not in 4.15 uapi
pack2theroot /
pack2theroot also hit 'already root' early-exit (running as root via
vagrant provision's default privileged shell)
Phase 3 (kernel-pinned) — 4/8 match:
cls_route4 ubuntu2004 + 5.15.0-43 HWE match
nft_payload ubuntu2004 + 5.15.0-43 HWE match
af_packet2 ubuntu2004 + 5.4.0-26 (still in apt!) match
sequoia ubuntu2004 + 5.4.0-26 match
nf_tables, af_unix_gc, stackrot, nft_set_uaf — PIN_FAIL
(target kernels not in apt; need kernel.ubuntu.com mainline
integration — deferred)
Total: 13 modules verified end-to-end against real Linux VMs,
covering kernels 5.4 / 5.10 / 5.15 / 5.4-HWE / 5.15-HWE across
Ubuntu 18.04/20.04/22.04 + Debian 11/12.
Three fixes for the next retry pass:
1. core/nft_compat.h — added NFTA_CHAIN_FLAGS (kernel 5.7) and
NFTA_CHAIN_ID (kernel 5.13). Without these, nft_fwd_dup fails to
compile on Ubuntu 18.04's 4.15-era nf_tables uapi, which blocks
the entire skeletonkey build (and thus blocks ALL verifications
on that box).
2. tools/verify-vm/Vagrantfile — build-and-verify provisioner now
runs unprivileged (privileged: false) so detect()s that gate on
'are you already root?' don't short-circuit. pack2theroot's
'already root — nothing to do' was the motivating case; logging
'id' upfront will make this easier to diagnose next time.
3. tools/verify-vm/targets.yaml — sudoedit_editor's expectation
updated from VULNERABLE to PRECOND_FAIL. Ubuntu 22.04 ships
sudo 1.9.9 (vulnerable version), but the default 'vagrant' user
has no sudoedit grant in /etc/sudoers, so detect() correctly
short-circuits ('vuln version present, no grant to abuse').
Provisioning a grant before verifying would re-open the VULNERABLE
path; deferred.
Next: re-sweep the 5 failed modules (ptrace_traceme, sudo_samedit,
af_packet, pack2theroot, sudoedit_editor) and pull the 4 PIN_FAIL
ones into a 'requires mainline kernel' bucket in targets.yaml.
|
||
|
leviathan
|
67d091dd37 |
verified_on table — 5 modules empirically confirmed in real VMs
Closes the loop opened by tools/verify-vm/: every JSON verification
record now persists into docs/VERIFICATIONS.jsonl, gets folded into
the embedded core/verifications.c lookup table, and surfaces in
--list / --module-info / --explain / --scan --json.
New: docs/VERIFICATIONS.jsonl
Append-only store. One JSON record per verify.sh run. Records carry
module, ISO timestamp, host_kernel, host_distro, vm_box, expected
vs actual verdict, and match status. 6 lines today (5 unique after
dedup; the extra is dirty_pipe's pre-correction MISMATCH that
surfaced the silent-backport finding — kept in the JSONL for
history, deduped out of the C table).
New: tools/refresh-verifications.py
Parses VERIFICATIONS.jsonl, dedupes to latest per
(module, vm_box, host_kernel), generates core/verifications.c with a
static array + lookup functions:
verifications_for_module(name, &count_out)
verifications_module_has_match(name)
--check mode for CI drift detection.
New: core/verifications.{h,c}
Embedded record table. Lookup is O(corpus); we have <50 records.
skeletonkey.c surfacing:
- --list: new 'VFY' column shows ✓ for modules with >=1 'match'
record. Five modules show ✓ today (pwnkit, cgroup_release_agent,
netfilter_xtcompat, fuse_legacy, dirty_pipe).
- --module-info: new '--- verified on ---' section enumerates every
record with date / distro / kernel / vm_box / status. Modules with
zero records get a 'run tools/verify-vm/verify.sh <name>' hint.
- --explain: new 'VERIFIED ON' section in the operator briefing.
- --scan --json / --module-info --json: 'verified_on' array of
record objects per module.
Verification records baked in:
pwnkit Ubuntu 20.04.6 LTS 5.4.0-169 match (polkit 0.105)
cgroup_release_agent Debian 11 (bullseye) 5.10.0-27 match
netfilter_xtcompat Debian 11 (bullseye) 5.10.0-27 match
fuse_legacy Debian 11 (bullseye) 5.10.0-27 match
dirty_pipe Ubuntu 22.04.3 LTS 5.15.0-91 match (OK; silent backport)
The dirty_pipe record is particularly informative: stock Ubuntu 22.04
ships 5.15.0-91-generic. Our version-only kernel_range check would say
VULNERABLE (5.15.0 < 5.15.25 backport in our table). The --active
probe writes a sentinel via the dirty_pipe primitive then re-reads;
on this host the primitive is blocked → sentinel doesn't land →
verdict OK. Ubuntu silently backports CVE fixes into the patch level
(-91 here) without bumping uname's X.Y.Z. The targets.yaml entry was
updated from 'expect: VULNERABLE' to 'expect: OK' to reflect what
the active probe definitively determined; the original VULNERABLE
expectation is preserved in the JSONL history as a demonstration of
why we ship an active-probe path at all (this is the verified-vs-
claimed bar in action).
Plumbing fixes that landed in the same loop:
- core/nft_compat.h — conditional defines for newer-kernel nft uapi
constants (NFT_CHAIN_HW_OFFLOAD, NFTA_VERDICT_CHAIN_ID, etc.)
that aren't in Ubuntu 20.04's pre-5.5 linux-libc-dev. Without
this, nft_* modules failed to compile inside the verifier guest.
Included from each nft module after <linux/netfilter/nf_tables.h>.
- tools/verify-vm/Vagrantfile — wrap config in c.vm.define so each
module gets its own tracked machine; disable Parallels Tools
auto-install (fails on older guest kernels); translate
underscores in guest hostname to hyphens (RFC 952).
- tools/verify-vm/verify.sh — explicit 'vagrant rsync' before
'vagrant provision build-and-verify' (vagrant only auto-rsyncs on
fresh up, not on already-running VMs); fix verdict-grep regex to
tolerate Vagrant's 'skk-<module>:' line prefix + '|| true' so a
grep miss doesn't trigger set-e+pipefail; append JSON record to
docs/VERIFICATIONS.jsonl on every run.
- tools/verify-vm/targets.yaml — dirty_pipe retargeted from
ubuntu2004 + pinned 5.13.0-19 (no longer in 20.04's apt) to
ubuntu2204 stock 5.15.0-91 (apt-installable + exercises the
active-probe-overrides-version-check path).
What's next for the verifier:
- Mainline kernel.ubuntu.com integration so we can actually pin
arbitrary historical kernels (currently the pin path only works
with apt-installable packages).
- Sweep the remaining ~18 verifiable modules and accumulate records.
- Per-module verified_on counts in --explain header.
|