leviathan
2c131df1bf
Full sweep results:
MATCHES (18 — empirically confirmed in real Linux VMs):
pwnkit ubuntu2004 5.4.0-169 VULNERABLE
cgroup_release_agent debian11 5.10.0-27 VULNERABLE
netfilter_xtcompat debian11 5.10.0-27 VULNERABLE
fuse_legacy debian11 5.10.0-27 VULNERABLE
nft_fwd_dup debian11 5.10.0-27 VULNERABLE
entrybleed ubuntu2204 5.15.0-91 VULNERABLE
overlayfs ubuntu2004 5.4.0-169 VULNERABLE
overlayfs_setuid ubuntu2204 5.15.0-91 VULNERABLE
sudoedit_editor ubuntu2204 5.15.0-91 PRECOND_FAIL (no sudoers grant)
ptrace_traceme ubuntu1804 4.15.0-213 VULNERABLE
sudo_samedit ubuntu1804 4.15.0-213 VULNERABLE
af_packet ubuntu1804 4.15.0-213 OK (4.15 is post-fix)
pack2theroot debian12 6.1.0-17 PRECOND_FAIL (no PackageKit installed)
cls_route4 ubuntu2004 5.15.0-43 VULNERABLE
nft_payload ubuntu2004 5.15.0-43 VULNERABLE
af_packet2 ubuntu2004 5.4.0-26 VULNERABLE
sequoia ubuntu2004 5.4.0-26 VULNERABLE
dirty_pipe ubuntu2204 5.15.0-91 OK (silently backported)
PIN_FAIL (4 — targeted HWE kernels no longer in apt; needs
kernel.ubuntu.com mainline integration, deferred):
nf_tables wanted ubuntu2204 + 5.15.0-43-generic
af_unix_gc wanted ubuntu2204 + 5.15.0-43-generic
stackrot wanted ubuntu2204 + 6.1.0-13-generic
nft_set_uaf wanted ubuntu2204 + 5.19.0-32-generic
MANUAL / SPECIAL TARGETS (5 — flagged in targets.yaml):
vmwgfx — VMware-guest only; no Vagrant box covers it
dirtydecrypt — needs Linux 7.0 (not shipping yet)
fragnesia — needs Linux 7.0 (not shipping yet)
dirty_cow — needs <= 4.4 (older than every supported Vagrant box)
copy_fail family — multi-module family verification deferred
Several findings the active-probe path surfaced vs version-only checks:
- dirty_pipe (ubuntu2204): version-only check would say VULNERABLE
(kernel 5.15.0 < 5.15.25 backport in our table), but Ubuntu has
silently backported the fix into the -91 patch level. --active
probe correctly identified the primitive as blocked → OK.
- af_packet (ubuntu1804): the bug was fixed in 4.10.6 mainline +
4.9.18 backport. Ubuntu 18.04's stock 4.15.0 is post-fix — detect()
correctly returns OK. The targets.yaml entry was originally wrong;
fixed now.
- sudoedit_editor: version-wise the host is vulnerable (sudo 1.9.9),
but the bug requires an actual sudoedit grant in /etc/sudoers — and
the default Vagrant user has none. detect() correctly returns
PRECOND_FAIL ('vuln version present, no grant to abuse'). Same as
one of our unit tests.
- pack2theroot: needs an active PackageKit daemon on the system bus.
Debian 12's generic cloud image is server-oriented and omits
PackageKit. detect() correctly returns PRECOND_FAIL. Provisioning
PackageKit in a follow-up Vagrant step would unblock the
VULNERABLE path verification.
Plumbing fixes that landed in the sweep:
- core/nft_compat.h — NFTA_CHAIN_FLAGS (kernel 5.7) + NFTA_CHAIN_ID
(5.13). Without these, nft_fwd_dup fails to compile against
Ubuntu 18.04's 4.15-era nf_tables uapi, which blocked the entire
skeletonkey binary from building on that box and prevented
verification of ptrace_traceme / sudo_samedit / af_packet.
- tools/verify-vm/Vagrantfile — 'privileged: false' on the
build-and-verify provisioner. Vagrant's default runs as root;
pack2theroot's detect() short-circuits with 'already root —
nothing to do' when running as uid 0, which would invalidate
every euid-aware module's verification.
- tools/verify-vm/targets.yaml — corrected expectations for af_packet
(stock 18.04 4.15 is post-fix), pack2theroot (no PackageKit on
server cloud image), sudoedit_editor (no sudoers grant), and
dirty_pipe (silent Ubuntu backport).
- tools/refresh-verifications.py — dedup key changed from
(module, vm_box, host_kernel, expect_detect) to
(module, vm_box, host_kernel). When an expectation is corrected
mid-sweep, the new record cleanly supersedes the old one instead
of accumulating.
The verifier loop is now production-ready and the trust signal in
--list / --module-info / --explain reflects 18 modules confirmed
against real Linux. Next-step bucket:
- kernel.ubuntu.com mainline integration → unblock 4 PIN_FAIL pins.
- Optional PackageKit provisioner on debian12 → unblock pack2theroot
VULNERABLE path.
230 lines
7.4 KiB
C
230 lines
7.4 KiB
C
/*
|
|
* SKELETONKEY — verification records table
|
|
*
|
|
* AUTO-GENERATED by tools/refresh-verifications.py from
|
|
* docs/VERIFICATIONS.jsonl. Do not hand-edit; rerun the script.
|
|
*
|
|
* Source: tools/verify-vm/verify.sh appends one JSON record per
|
|
* run; this generator dedupes to (module, vm_box, kernel, expect)
|
|
* and keeps the latest by verified_at.
|
|
*/
|
|
|
|
#include "verifications.h"
|
|
|
|
#include <stddef.h>
|
|
#include <string.h>
|
|
#include <stdbool.h>
|
|
|
|
const struct verification_record verifications[] = {
|
|
{
|
|
.module = "af_packet",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "4.15.0-213-generic",
|
|
.host_distro = "Ubuntu 18.04.6 LTS",
|
|
.vm_box = "generic/ubuntu1804",
|
|
.expect_detect = "OK",
|
|
.actual_detect = "OK",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "af_packet2",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.4.0-169-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "cgroup_release_agent",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.10.0-27-amd64",
|
|
.host_distro = "Debian GNU/Linux 11 (bullseye)",
|
|
.vm_box = "generic/debian11",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "cls_route4",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-43-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "dirty_pipe",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-91-generic",
|
|
.host_distro = "Ubuntu 22.04.3 LTS",
|
|
.vm_box = "generic/ubuntu2204",
|
|
.expect_detect = "OK",
|
|
.actual_detect = "OK",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "entrybleed",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-91-generic",
|
|
.host_distro = "Ubuntu 22.04.3 LTS",
|
|
.vm_box = "generic/ubuntu2204",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "fuse_legacy",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.10.0-27-amd64",
|
|
.host_distro = "Debian GNU/Linux 11 (bullseye)",
|
|
.vm_box = "generic/debian11",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "netfilter_xtcompat",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.10.0-27-amd64",
|
|
.host_distro = "Debian GNU/Linux 11 (bullseye)",
|
|
.vm_box = "generic/debian11",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "nft_fwd_dup",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.10.0-27-amd64",
|
|
.host_distro = "Debian GNU/Linux 11 (bullseye)",
|
|
.vm_box = "generic/debian11",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "nft_payload",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-43-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "overlayfs",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.4.0-169-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "overlayfs_setuid",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-91-generic",
|
|
.host_distro = "Ubuntu 22.04.3 LTS",
|
|
.vm_box = "generic/ubuntu2204",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "pack2theroot",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "6.1.0-17-amd64",
|
|
.host_distro = "Debian GNU/Linux 12 (bookworm)",
|
|
.vm_box = "generic/debian12",
|
|
.expect_detect = "PRECOND_FAIL",
|
|
.actual_detect = "PRECOND_FAIL",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "ptrace_traceme",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "4.15.0-213-generic",
|
|
.host_distro = "Ubuntu 18.04.6 LTS",
|
|
.vm_box = "generic/ubuntu1804",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "pwnkit",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.4.0-169-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "sequoia",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.4.0-169-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "sudo_samedit",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "4.15.0-213-generic",
|
|
.host_distro = "Ubuntu 18.04.6 LTS",
|
|
.vm_box = "generic/ubuntu1804",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "sudoedit_editor",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-91-generic",
|
|
.host_distro = "Ubuntu 22.04.3 LTS",
|
|
.vm_box = "generic/ubuntu2204",
|
|
.expect_detect = "PRECOND_FAIL",
|
|
.actual_detect = "PRECOND_FAIL",
|
|
.status = "match",
|
|
},
|
|
};
|
|
|
|
const size_t verifications_count =
|
|
sizeof(verifications) / sizeof(verifications[0]);
|
|
|
|
const struct verification_record *
|
|
verifications_for_module(const char *module, size_t *count_out)
|
|
{
|
|
if (count_out) *count_out = 0;
|
|
if (!module) return NULL;
|
|
const struct verification_record *first = NULL;
|
|
size_t n = 0;
|
|
for (size_t i = 0; i < verifications_count; i++) {
|
|
if (strcmp(verifications[i].module, module) == 0) {
|
|
if (first == NULL) first = &verifications[i];
|
|
n++;
|
|
}
|
|
}
|
|
if (count_out) *count_out = n;
|
|
return first;
|
|
}
|
|
|
|
bool verifications_module_has_match(const char *module)
|
|
{
|
|
size_t n = 0;
|
|
const struct verification_record *r = verifications_for_module(module, &n);
|
|
for (size_t i = 0; i < n; i++)
|
|
if (r[i].status && strcmp(r[i].status, "match") == 0)
|
|
return true;
|
|
return false;
|
|
}
|