leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
75 Commits 1 Branch 20 Tags
97be306fd21b5326e686d2eb14a929204b6df058
Commit Graph

7 Commits

Author SHA1 Message Date
leviathan a9c8f7d8c6 tests: 5 happy-path VULNERABLE assertions (44 total) 
Adds h_kernel_5_14_userns_ok fingerprint (vulnerable kernel +
userns allowed) and uses it to assert the VULNERABLE branch is
reached on the 5 netfilter-class modules whose detect()
short-circuits there once both gates are satisfied:

- nf_tables    (CVE-2024-1086) -> VULNERABLE
- cls_route4   (CVE-2022-2588) -> VULNERABLE
- nft_set_uaf  (CVE-2023-32233) -> VULNERABLE
- nft_fwd_dup  (CVE-2022-25636) -> VULNERABLE
- nft_payload  (CVE-2023-0179) -> VULNERABLE

Combined with the earlier sudo_samedit and pwnkit
vulnerable-version tests, this gives us positive-verdict coverage
on 7 modules (was 2). The detect() logic that decides VULNERABLE
when conditions match is now exercised, not just the precondition
short-circuits.

39 -> 44 cases, all pass on Linux.
 2026-05-23 00:17:17 -04:00
leviathan 150f16bc97 pwnkit + sudoedit_editor: ctx->host migration + 4 more tests (39 total) 
pwnkit: migrate detect() to consult ctx->host->polkit_version with
the same graceful-fallback pattern as the sudo modules. The version
is populated once at startup by core/host.c (via pkexec --version);
detect() skips the per-scan popen when the host fingerprint has the
version. Falls back to the inline popen path when ctx->host is
missing the version (degenerate test contexts).

sudoedit_editor: already migrated; this commit adds direct test
coverage.

tests/test_detect.c expansion (35 → 39):
- pwnkit: polkit_version='0.105'  -> VULNERABLE (pre-0.121 fix)
- pwnkit: polkit_version='0.121'  -> OK (fix release)
- sudoedit_editor: vuln sudo + no sudoers grant -> PRECOND_FAIL
  (documented behaviour: vulnerable version, but the dispatcher
   has no usable sudoedit grant on the host)
- sudoedit_editor: fixed sudo (1.9.13p1) -> OK

The sudoedit_editor 'vuln + no grant' case is the first test to
exercise the second-level precondition gate AFTER the version
check passes — proves the version-pinned detect logic AND the
sudo -ln target-discovery short-circuit both work as intended.

The h_vuln_sudo / h_fixed_sudo synthetic fingerprints gained the
.polkit_version field alongside .sudo_version so a single fingerprint
exercises both pwnkit and the sudo modules.

Verification: 39/39 pass on Linux (docker gcc:latest + libglib2.0-dev
+ sudo, non-root user skeletonkeyci). macOS dev box still reports
'skipped — Linux-only' as designed.
 2026-05-23 00:15:01 -04:00
leviathan 86812b043d core/host: userspace version fingerprint (sudo, polkit) 
The host fingerprint now captures sudo + polkit versions at startup
so userspace-LPE modules can consult a single source of truth
instead of each popen-ing the relevant binary themselves on every
scan. Pack2theroot already queries PackageKit version via D-Bus
in-module, so PackageKit stays there for now.

core/host.h:
- new fields: char sudo_version[64], char polkit_version[64].
  Empty string when the tool isn't installed or version parse fails;
  modules should treat that as PRECOND_FAIL.
- documented next to has_systemd / has_dbus_system in the struct.

core/host.c:
- new populate_userspace_versions(h) called from
  skeletonkey_host_get() after the other populators.
- capture_first_line() helper runs a command via popen, grabs first
  stdout line, strips newline. Best-effort: failure leaves dst empty.
- extract_version_after_prefix() pulls the version token after a
  fixed prefix string ('Sudo version', 'pkexec version'), handling
  the colon/space variants.
- skeletonkey_host_print_banner() gained a third line when either
  version is non-empty:
    [*] userspace: sudo=1.9.17p2  polkit=-

Module migration (graceful fallback pattern — modules still work
without ctx->host populated):
- sudo_samedit detect: if ctx->host->sudo_version is set, skip the
  popen and synthesize a 'Sudo version <X>' line for the existing
  parser. Falls back to the original find_sudo + popen path if the
  host fingerprint didn't capture a version.
- sudoedit_editor detect: same pattern — host fingerprint sudo_version
  takes precedence over the local get_sudo_version popen.

tests/test_detect.c additions (2 new cases, 33 → 35):
- h_vuln_sudo  fingerprint (sudo_version='1.8.31', kernel 5.15) —
  asserts sudo_samedit reports VULNERABLE via the host-provided
  version string.
- h_fixed_sudo fingerprint (sudo_version='1.9.13p1', kernel 6.12) —
  asserts sudo_samedit reports OK on a patched sudo.

This is the first test pair to cover the *vulnerable* path of a
module rather than just precondition gates — proves the
version-parsing logic itself, not only the short-circuits.

Verification: 35/35 pass on Linux. macOS banner shows
'userspace: sudo=1.9.17p2 polkit=-' as the dev box has Homebrew
sudo but no polkit.
 2026-05-23 00:05:39 -04:00
leviathan 0d87cbc71c copy_fail_family: bridge-level userns gate + 4 new tests (33 total) 
The 4 dirty_frag siblings + the GCM variant all gate on unprivileged
user-namespace creation (the XFRM-ESP / AF_RXRPC paths are
unreachable without it). The inner DIRTYFAIL detect functions
already check this, but the check happened deep inside the legacy
code — invisible to the test harness, and the bridge wrappers would
delegate first and only short-circuit afterwards.

Move the check up to the bridge: a single cff_check_userns() helper
inspects ctx->host->unprivileged_userns_allowed and returns
PRECOND_FAIL (with a host-fingerprint-annotated message) BEFORE
calling the inner detect. The inner check stays in place as belt-
and-suspenders.

copy_fail itself uses AF_ALG (no userns needed) and bypasses the
gate — its inner detect still confirms the primitive empirically
via the active probe.

modules/copy_fail_family/skeletonkey_modules.c:
- #include "../../core/host.h" alongside the existing includes.
- new static cff_check_userns(modname, ctx) helper.
- copy_fail_gcm_detect_wrap, dirty_frag_esp_detect_wrap,
  dirty_frag_esp6_detect_wrap, dirty_frag_rxrpc_detect_wrap all
  call cff_check_userns before delegating.
- copy_fail_detect_wrap is intentionally untouched.

tests/test_detect.c: 4 new EXPECT_DETECT cases assert that all 4
gated bridge wrappers return PRECOND_FAIL when
unprivileged_userns_allowed=false, using the existing
h_kernel_5_14_no_userns fingerprint.

29 → 33 tests, all pass on Linux.
 2026-05-23 00:02:23 -04:00
leviathan 2b1e96336e core/host: in_range helper + 13-module migration + 12 more tests (29 total) 
Three coordinated changes that build on the host_kernel_at_least
landed in 1571b88:

1. core/host gains skeletonkey_host_kernel_in_range(h, lo..., hi...)
   — a [lo, hi) bounded-interval check for modules that want the
   'vulnerable window' semantics directly. Implemented in terms of
   host_kernel_at_least (so the comparison logic stays in one place).
   No module uses it yet; available for new modules that want it.

2. 13 modules migrated off the manual
        if (v->major < X || (v->major == X && v->minor < Y)) { ... }
   pattern onto
        if (!skeletonkey_host_kernel_at_least(ctx->host, X, Y, 0)) { ... }
   One-line replacements, mechanical, no behavior change.

   Migrated: af_packet2, dirty_pipe, fuse_legacy, netfilter_xtcompat,
   nf_tables, nft_fwd_dup, nft_payload, nft_set_uaf, overlayfs,
   overlayfs_setuid, ptrace_traceme, stackrot, vmwgfx. The repo now
   has zero manual 'v->major < X' patterns — every predates-check
   reads the same way.

3. tests/test_detect.c expanded from 17 to 29 cases. Adds:

   Above-fix coverage on h_kernel_6_12 (10 modules previously
   untested): af_packet, af_packet2, af_unix_gc, netfilter_xtcompat,
   nft_set_uaf, nft_fwd_dup, nft_payload, stackrot, sequoia, vmwgfx.

   Ancient-kernel predates coverage on h_kernel_4_4 (2 more cases):
   nft_set_uaf (introduced 5.1), stackrot (introduced 6.1).

   Detect-path test coverage now spans most of the corpus that
   has a testable host-fingerprint gate. Untested modules from
   here on are either userspace bugs whose detect() doesn't gate
   on host fields (pwnkit, sudo_samedit, sudoedit_editor),
   entrybleed (sysfs-direct, no host gate), or the copy_fail_family
   bridge (no ctx->host integration yet).

Verification: Linux (docker gcc:latest, non-root user): 29/29 pass.
macOS (local): 31-module build clean, suite reports 'skipped —
Linux-only' as designed.
 2026-05-22 23:58:38 -04:00
leviathan 1571b88725 core/host: skeletonkey_host_kernel_at_least + 9 new detect() tests 
core/host helper:
- Adds bool skeletonkey_host_kernel_at_least(h, M, m, p) — the
  canonical 'kernel >= X.Y.Z' check. Replaces the manual
  'v->major < X || (v->major == X && v->minor < Y)' pattern that
  many modules use for their 'predates the bug' pre-check. Returns
  false when h is NULL or h->kernel.major == 0 (degenerate cases),
  true otherwise iff the host kernel sorts at or above the supplied
  version.
- dirtydecrypt migrated as the demo: the 'kernel < 7.0 → predates'
  pre-check now reads 'if (!host_kernel_at_least(ctx->host, 7, 0, 0))'.
  Other modules still using the manual pattern continue to work
  unchanged; migrating them is incremental polish.

tests/test_detect.c expansion (8 → 17 cases):

New fingerprints:
- h_kernel_4_4    — ancient (Linux 4.4 LTS); used for 'predates the
                    bug' on dirty_pipe.
- h_kernel_6_12   — recent (Linux 6.12 LTS); above every backport
                    threshold in the corpus — modules report OK via
                    the 'patched by mainline inheritance' branch of
                    kernel_range_is_patched.
- h_kernel_5_14_no_userns — vulnerable-era kernel (5.14.0, past
                    every relevant predates check while below every
                    backport entry) with unprivileged_userns_allowed
                    deliberately false; lets the userns gate fire
                    after the version check confirms vulnerable.

New tests (9):
- dirty_pipe + kernel 4.4 → OK (predates 5.8 introduction)
- dirty_pipe + kernel 6.12 → OK (above every backport)
- dirty_cow + kernel 6.12 → OK (above 4.9 fix)
- ptrace_traceme + kernel 6.12 → OK (above 5.1.17 fix)
- cgroup_release_agent + kernel 6.12 → OK (above 5.17 fix)
- nf_tables + vuln kernel + userns=false → PRECOND_FAIL
- fuse_legacy + vuln kernel + userns=false → PRECOND_FAIL
- cls_route4 + vuln kernel + userns=false → PRECOND_FAIL
- overlayfs_setuid + vuln kernel + userns=false → PRECOND_FAIL

Process note: initial 8th and 9th userns tests failed because the
chosen test kernel (5.10.0) tripped each module's predates check
(nf_tables bug introduced 5.14; overlayfs_setuid 5.11). Switched to
5.14.0, which is past every predates threshold AND below every
backport entry in this batch — the version verdict is now genuinely
'vulnerable' and the userns gate fires next. The bug-finding tests
caught a real-but-narrow modeling gap in the original picks.

Verification:
- Linux (docker gcc:latest, non-root user): 17/17 pass.
- macOS (local): builds clean, suite reports 'skipped — Linux-only'
  as designed.
 2026-05-22 23:52:10 -04:00
leviathan ea1744e6f0 tests: detect() unit harness with mocked ctx->host 
Adds tests/test_detect.c — a standalone harness that constructs
synthetic struct skeletonkey_host fingerprints (vulnerable / patched /
specific-gate-closed) and asserts each migrated module's detect()
returns the expected verdict. First real test coverage for the corpus;
catches regressions in the host-fingerprint-consuming logic.

Initial coverage — 8 deterministic cases across the 4 modules that
already consume ctx->host:
- dirtydecrypt: 3 cases verifying 'kernel < 7.0 -> predates the bug'
  short-circuit on synthetic 6.12 / 6.14 / 6.8 hosts.
- fragnesia: unprivileged_userns_allowed=false -> PRECOND_FAIL.
- pack2theroot: is_debian_family=false -> PRECOND_FAIL.
- pack2theroot: has_dbus_system=false -> PRECOND_FAIL.
- overlayfs: distro=debian / distro=fedora -> 'not Ubuntu' -> OK.

Coverage grows automatically as more modules migrate to ctx->host
(task #12 below adds them). Each new module that consults the host
fingerprint can have its precondition gates tested with a one-line
EXPECT_DETECT call against a pre-built fingerprint.

Wiring:
- Makefile: new MODULE_OBJS var consolidates the module .o list so
  both the main binary and the test binary can share it without
  duplication. New TEST_BIN := skeletonkey-test target. 'make test'
  builds and runs the suite.
- .github/workflows/build.yml: install libglib2.0-dev + pkg-config so
  pack2theroot builds with GLib in CI (was previously stub-compiling).
  New 'tests — detect() unit suite' step runs 'make test' as a
  non-root user so modules' 'already root' gates don't short-circuit
  before the synthetic host checks fire.
- Test harness compiles cross-platform but assertions are #ifdef
  __linux__ guarded (on non-Linux all module detect() bodies stub-out
  to PRECOND_FAIL, making assertions tautological); macOS dev build
  reports 'skipped'.

Module change:
- pack2theroot p2tr_detect now consults ctx->host->is_root (with a
  geteuid() fallback when ctx->host is null) instead of calling
  geteuid() directly. Production behaviour is identical
  (host->is_root is populated from geteuid() at startup); tests can
  now construct non-root fingerprints regardless of the test
  process's actual euid. Exposed a real consistency issue worth
  fixing.

Verified in docker as non-root: 8/8 pass on Linux. macOS reports
'skipped' as designed.
 2026-05-22 23:32:12 -04:00