Files

T

leviathan 270ddc1681 verify-vm: per-module provisioner hook + old-mainline URL fallback

Adds tools/verify-vm/provisioners/<module>.sh hook so per-module setup
(build vulnerable sudo from source, drop polkit allow rule, add sudoers
grant) lives in checked-in scripts rather than manual VM steps. Vagrantfile
runs the script as root before build-and-verify if it exists.

Also fixes mainline kernel fetch to fall back from /v${KVER}/amd64/ to
/v${KVER}/ for old kernels (≤ ~4.15) where debs aren't under the amd64
subdir, and accepts both 'linux-image-' (old) and 'linux-image-unsigned-'
(new) deb names.

Wires up 4 previously-deferred targets to expect VULNERABLE:
- sudo_chwoot: builds sudo 1.9.16p1 from upstream into /usr/local
- udisks_libblockdev: installs udisks2 + polkit rule for vagrant user
- mutagen_astronomy: pins mainline 4.14.70 (one below the .71 fix)
- sudo_runas_neg1: adds (ALL,!root) sudoers grant

2026-05-23 22:36:02 -04:00

provisioners

verify-vm: per-module provisioner hook + old-mainline URL fallback

2026-05-23 22:36:02 -04:00

README.md

tools/verify-vm: turnkey Vagrant + Parallels verification scaffolding

2026-05-23 11:19:28 -04:00

setup.sh

tools/verify-vm: turnkey Vagrant + Parallels verification scaffolding

2026-05-23 11:19:28 -04:00

targets.yaml

verify-vm: per-module provisioner hook + old-mainline URL fallback

2026-05-23 22:36:02 -04:00

Vagrantfile

verify-vm: per-module provisioner hook + old-mainline URL fallback

2026-05-23 22:36:02 -04:00

verify.sh

verify-vm: kernel.ubuntu.com mainline integration — 22 modules verified

2026-05-23 17:35:13 -04:00

README.md

SKELETONKEY VM verification

Auto-provisions a Parallels Desktop VM with a known-vulnerable kernel, runs skeletonkey --explain <module> --active inside it, and emits a verification record. Closes the loop between "detect() compiles & passes unit tests" and "exploit() actually works on a real vulnerable kernel."

One-time setup

./tools/verify-vm/setup.sh

That installs (if missing): Vagrant via Homebrew, the vagrant-parallels plugin, and pre-downloads ~5 GB of base boxes (Ubuntu 18.04/20.04/22.04

Debian 11/12). Idempotent — re-run any time.

To skip boxes you don't need (save disk):

./tools/verify-vm/setup.sh ubuntu2004 debian11   # only those two

Verify a single module

./tools/verify-vm/verify.sh nf_tables

What that does:

Reads tools/verify-vm/targets.yaml: finds nf_tables → box generic/ubuntu2204 + kernel pin linux-image-5.15.0-43-generic.
vagrant up skk-nf_tables (provisions on first call, resumes on subsequent).
Installs the pinned vulnerable kernel via apt, reboots.
Mounts the local repo at /vagrant, runs make, then runs skeletonkey --explain nf_tables --active.
Parses the VERDICT: line, compares against expect_detect from targets.yaml, emits a JSON verification record on stdout.
Suspends the VM (vagrant suspend) — instant resume next run.

Lifecycle flags:

./tools/verify-vm/verify.sh nf_tables --keep      # leave VM running; ssh in to inspect
./tools/verify-vm/verify.sh nf_tables --destroy   # full teardown after run

List every target

./tools/verify-vm/verify.sh --list

Shows the (module, box, target kernel, expected verdict, notes) matrix for all 26 modules. Three are flagged manual: true because no public Vagrant box covers them:

vmwgfx — only reachable on VMware guests; needs a vSphere/Fusion VM not Parallels.
dirtydecrypt, fragnesia — only present in Linux 7.0+ which isn't shipping as a distro kernel yet.

For those, verification needs a hand-built or special-distro VM.

Verification records

verify.sh emits JSON on stdout after each run. Example:

{
  "module":        "nf_tables",
  "verified_at":   "2026-05-23T17:42:11Z",
  "host_kernel":   "5.15.0-43-generic",
  "host_distro":   "Ubuntu 22.04.5 LTS",
  "vm_box":        "generic/ubuntu2204",
  "expect_detect": "VULNERABLE",
  "actual_detect": "VULNERABLE",
  "status":        "match",
  "log":           "tools/verify-vm/logs/verify-nf_tables-20260523-174211.log"
}

status: match means detect() returned what we expected on a known- vulnerable kernel. Anything else (MISMATCH, status code != 0) means either:

The kernel pin didn't take (check host_kernel against kernel_version in targets.yaml).
The exploit's preconditions aren't met in the default Vagrant image (e.g. apparmor blocks unprivileged userns; need to adjust the Vagrantfile provisioner).
The detect() logic is wrong for this kernel/distro combo (a real bug — fix it).

Records are intended to feed a per-module verified_on[] table (next project step) so --list can show a ✓ verified <date> column.

How it routes module → box

Mapping lives in tools/verify-vm/targets.yaml. Each entry has:

box — which boxes/ template (e.g. ubuntu2204)
kernel_pkg — apt package name to install if the stock kernel is patched (omit / empty if stock is already vulnerable)
kernel_version — what uname -r should report after install
expect_detect — VULNERABLE | OK | PRECOND_FAIL
notes — short rationale; comments in the file have the full context

Adding a new module is one block in targets.yaml. The verifier picks it up automatically.

Files

tools/verify-vm/
├── README.md       this file
├── setup.sh        one-time bootstrap (Vagrant, plugin, box cache)
├── verify.sh       per-module verifier
├── Vagrantfile     parameterized VM config (driven by SKK_VM_* env vars)
├── targets.yaml    module → box mapping with rationale
└── logs/           per-verification stdout/stderr capture

Why Vagrant + Parallels

You already have Parallels Desktop. vagrant-parallels gives a scriptable per-VM config + a curated public box library + idempotent vagrant up/provision/reload/suspend lifecycle. The Vagrantfile is parameterized via env vars so a single file drives every target.

Alternative providers (Lima, Multipass) would also work; Vagrant was chosen for ergonomic continuity with the existing Parallels install.