leviathan
3e6e0d869b
Preview-only mode for --auto / --exploit / --mitigate / --cleanup.
Walks the full scan (with active probes, fork isolation, verdict
table — everything the real --auto does) and prints what would be
launched, without ever calling the exploit/mitigate/cleanup callback.
Wiring:
- struct skeletonkey_ctx gains a 'dry_run' field (core/module.h).
- Long option --dry-run, getopt case 10.
- cmd_auto: after picking the safest, if dry_run, print
[*] auto: --dry-run: would launch `--exploit <NAME> --i-know`; not firing.
plus the remaining ranked candidates, then return 0.
- cmd_one (used for --exploit/--mitigate/--cleanup) shorts on dry_run
with [*] <module>: --dry-run: would run --<op>; not firing.
UX: --auto --dry-run does NOT require --i-know (nothing fires). The
refusal message for bare --auto now points to --dry-run for the
preview path:
[-] --auto requires --i-know (or --dry-run for a preview that never fires).
ROADMAP --auto accuracy section updated with the dry-run + the
version-pinned detect work from the previous commit.
Smoke-tested locally on macOS: scanning runs, verdicts print, the
'would launch' line fires, exit 0.
101 lines
4.1 KiB
C
101 lines
4.1 KiB
C
/*
|
|
* SKELETONKEY — core module interface
|
|
*
|
|
* Every CVE module exports one or more `struct skeletonkey_module` entries
|
|
* via a registry function. The top-level dispatcher (skeletonkey.c) walks
|
|
* the global registry to implement --scan, --exploit, --mitigate, etc.
|
|
*
|
|
* This is intentionally a small interface. Modules carry the
|
|
* complexity; the dispatcher just routes.
|
|
*/
|
|
|
|
#ifndef SKELETONKEY_MODULE_H
|
|
#define SKELETONKEY_MODULE_H
|
|
|
|
#include <stddef.h>
|
|
#include <stdbool.h>
|
|
|
|
/* Standard result codes returned by detect()/exploit()/mitigate().
|
|
*
|
|
* These map to top-level exit codes when skeletonkey is invoked with a
|
|
* single-module operation:
|
|
*
|
|
* SKELETONKEY_OK exit 0 detect: not vulnerable / clean
|
|
* SKELETONKEY_VULNERABLE exit 2 detect: confirmed vulnerable
|
|
* SKELETONKEY_PRECOND_FAIL exit 4 detect: preconditions missing
|
|
* SKELETONKEY_TEST_ERROR exit 1 detect/exploit: error
|
|
* SKELETONKEY_EXPLOIT_OK exit 5 exploit: succeeded (root achieved)
|
|
* SKELETONKEY_EXPLOIT_FAIL exit 3 exploit: attempted but did not land
|
|
*
|
|
* Implementation note: copy_fail_family's df_result_t shares these
|
|
* numeric values intentionally so the family code can return its
|
|
* existing constants without translation.
|
|
*/
|
|
typedef enum {
|
|
SKELETONKEY_OK = 0,
|
|
SKELETONKEY_TEST_ERROR = 1,
|
|
SKELETONKEY_VULNERABLE = 2,
|
|
SKELETONKEY_EXPLOIT_FAIL = 3,
|
|
SKELETONKEY_PRECOND_FAIL = 4,
|
|
SKELETONKEY_EXPLOIT_OK = 5,
|
|
} skeletonkey_result_t;
|
|
|
|
/* Per-invocation context passed to module callbacks. Lightweight for
|
|
* now; will grow as modules need shared state (host fingerprint,
|
|
* leaked kbase, etc.). */
|
|
struct skeletonkey_ctx {
|
|
bool no_color; /* --no-color */
|
|
bool json; /* --json (machine-readable output) */
|
|
bool active_probe; /* --active (do invasive probes in detect) */
|
|
bool no_shell; /* --no-shell (exploit prep but don't pop) */
|
|
bool authorized; /* user typed --i-know on exploit */
|
|
bool full_chain; /* --full-chain (attempt root-pop after primitive) */
|
|
bool dry_run; /* --dry-run (preview only; never call exploit/mitigate/cleanup) */
|
|
};
|
|
|
|
struct skeletonkey_module {
|
|
/* Short id used on the command line: `skeletonkey --exploit copy_fail`. */
|
|
const char *name;
|
|
|
|
/* CVE identifier (or "VARIANT" if no CVE assigned). */
|
|
const char *cve;
|
|
|
|
/* One-line human description. */
|
|
const char *summary;
|
|
|
|
/* Family this module belongs to (e.g. "copy_fail_family"). Modules
|
|
* with shared infrastructure live in the same family. */
|
|
const char *family;
|
|
|
|
/* Affected kernel range, prose. Machine-readable range goes in
|
|
* the module's kernel-range.json (consumed by CI). */
|
|
const char *kernel_range;
|
|
|
|
/* Probe the host. Should be side-effect-free unless ctx->active_probe
|
|
* is true. Return SKELETONKEY_VULNERABLE if confirmed,
|
|
* SKELETONKEY_PRECOND_FAIL if not applicable here, SKELETONKEY_OK if patched
|
|
* or otherwise immune, SKELETONKEY_TEST_ERROR on probe error. */
|
|
skeletonkey_result_t (*detect)(const struct skeletonkey_ctx *ctx);
|
|
|
|
/* Run the exploit. Caller has already passed the --i-know gate. */
|
|
skeletonkey_result_t (*exploit)(const struct skeletonkey_ctx *ctx);
|
|
|
|
/* Apply a temporary mitigation. NULL if none offered. */
|
|
skeletonkey_result_t (*mitigate)(const struct skeletonkey_ctx *ctx);
|
|
|
|
/* Undo --exploit (e.g. evict from page cache) or --mitigate side
|
|
* effects. NULL if no cleanup applies. */
|
|
skeletonkey_result_t (*cleanup)(const struct skeletonkey_ctx *ctx);
|
|
|
|
/* Detection rule corpus — embedded so the binary is self-
|
|
* contained. Each may be NULL if this module ships no rules for
|
|
* that format. Strings are NUL-terminated; concatenated in the
|
|
* order modules register. */
|
|
const char *detect_auditd; /* auditd .rules content */
|
|
const char *detect_sigma; /* sigma YAML content */
|
|
const char *detect_yara; /* yara rules content */
|
|
const char *detect_falco; /* falco rules content */
|
|
};
|
|
|
|
#endif /* SKELETONKEY_MODULE_H */
|