Full sweep results:
MATCHES (18 — empirically confirmed in real Linux VMs):
pwnkit ubuntu2004 5.4.0-169 VULNERABLE
cgroup_release_agent debian11 5.10.0-27 VULNERABLE
netfilter_xtcompat debian11 5.10.0-27 VULNERABLE
fuse_legacy debian11 5.10.0-27 VULNERABLE
nft_fwd_dup debian11 5.10.0-27 VULNERABLE
entrybleed ubuntu2204 5.15.0-91 VULNERABLE
overlayfs ubuntu2004 5.4.0-169 VULNERABLE
overlayfs_setuid ubuntu2204 5.15.0-91 VULNERABLE
sudoedit_editor ubuntu2204 5.15.0-91 PRECOND_FAIL (no sudoers grant)
ptrace_traceme ubuntu1804 4.15.0-213 VULNERABLE
sudo_samedit ubuntu1804 4.15.0-213 VULNERABLE
af_packet ubuntu1804 4.15.0-213 OK (4.15 is post-fix)
pack2theroot debian12 6.1.0-17 PRECOND_FAIL (no PackageKit installed)
cls_route4 ubuntu2004 5.15.0-43 VULNERABLE
nft_payload ubuntu2004 5.15.0-43 VULNERABLE
af_packet2 ubuntu2004 5.4.0-26 VULNERABLE
sequoia ubuntu2004 5.4.0-26 VULNERABLE
dirty_pipe ubuntu2204 5.15.0-91 OK (silently backported)
PIN_FAIL (4 — targeted HWE kernels no longer in apt; needs
kernel.ubuntu.com mainline integration, deferred):
nf_tables wanted ubuntu2204 + 5.15.0-43-generic
af_unix_gc wanted ubuntu2204 + 5.15.0-43-generic
stackrot wanted ubuntu2204 + 6.1.0-13-generic
nft_set_uaf wanted ubuntu2204 + 5.19.0-32-generic
MANUAL / SPECIAL TARGETS (5 — flagged in targets.yaml):
vmwgfx — VMware-guest only; no Vagrant box covers it
dirtydecrypt — needs Linux 7.0 (not shipping yet)
fragnesia — needs Linux 7.0 (not shipping yet)
dirty_cow — needs <= 4.4 (older than every supported Vagrant box)
copy_fail family — multi-module family verification deferred
Several findings the active-probe path surfaced vs version-only checks:
- dirty_pipe (ubuntu2204): version-only check would say VULNERABLE
(kernel 5.15.0 < 5.15.25 backport in our table), but Ubuntu has
silently backported the fix into the -91 patch level. --active
probe correctly identified the primitive as blocked → OK.
- af_packet (ubuntu1804): the bug was fixed in 4.10.6 mainline +
4.9.18 backport. Ubuntu 18.04's stock 4.15.0 is post-fix — detect()
correctly returns OK. The targets.yaml entry was originally wrong;
fixed now.
- sudoedit_editor: version-wise the host is vulnerable (sudo 1.9.9),
but the bug requires an actual sudoedit grant in /etc/sudoers — and
the default Vagrant user has none. detect() correctly returns
PRECOND_FAIL ('vuln version present, no grant to abuse'). Same as
one of our unit tests.
- pack2theroot: needs an active PackageKit daemon on the system bus.
Debian 12's generic cloud image is server-oriented and omits
PackageKit. detect() correctly returns PRECOND_FAIL. Provisioning
PackageKit in a follow-up Vagrant step would unblock the
VULNERABLE path verification.
Plumbing fixes that landed in the sweep:
- core/nft_compat.h — NFTA_CHAIN_FLAGS (kernel 5.7) + NFTA_CHAIN_ID
(5.13). Without these, nft_fwd_dup fails to compile against
Ubuntu 18.04's 4.15-era nf_tables uapi, which blocked the entire
skeletonkey binary from building on that box and prevented
verification of ptrace_traceme / sudo_samedit / af_packet.
- tools/verify-vm/Vagrantfile — 'privileged: false' on the
build-and-verify provisioner. Vagrant's default runs as root;
pack2theroot's detect() short-circuits with 'already root —
nothing to do' when running as uid 0, which would invalidate
every euid-aware module's verification.
- tools/verify-vm/targets.yaml — corrected expectations for af_packet
(stock 18.04 4.15 is post-fix), pack2theroot (no PackageKit on
server cloud image), sudoedit_editor (no sudoers grant), and
dirty_pipe (silent Ubuntu backport).
- tools/refresh-verifications.py — dedup key changed from
(module, vm_box, host_kernel, expect_detect) to
(module, vm_box, host_kernel). When an expectation is corrected
mid-sweep, the new record cleanly supersedes the old one instead
of accumulating.
The verifier loop is now production-ready and the trust signal in
--list / --module-info / --explain reflects 18 modules confirmed
against real Linux. Next-step bucket:
- kernel.ubuntu.com mainline integration → unblock 4 PIN_FAIL pins.
- Optional PackageKit provisioner on debian12 → unblock pack2theroot
VULNERABLE path.
leviathan
2c131df1bf