leviathan
48d5f15828
Sweep results across 3 phases:
Phase 1 (no-pin, cached boxes) — 4/5 match:
entrybleed ubuntu2204 5.15.0-91-generic match
overlayfs ubuntu2004 5.4.0-169-generic match
overlayfs_setuid ubuntu2204 5.15.0-91-generic match
nft_fwd_dup debian11 5.10.0-27-amd64 match
sudoedit_editor ubuntu2204 MISMATCH (no sudoers grant — expected-fix below)
Phase 2 (new boxes ubuntu1804 + debian12) — 0/4 match:
ptrace_traceme \
sudo_samedit \ all FAILED to build: nft_fwd_dup needs
af_packet / NFTA_CHAIN_FLAGS (kernel 5.7), not in 4.15 uapi
pack2theroot /
pack2theroot also hit 'already root' early-exit (running as root via
vagrant provision's default privileged shell)
Phase 3 (kernel-pinned) — 4/8 match:
cls_route4 ubuntu2004 + 5.15.0-43 HWE match
nft_payload ubuntu2004 + 5.15.0-43 HWE match
af_packet2 ubuntu2004 + 5.4.0-26 (still in apt!) match
sequoia ubuntu2004 + 5.4.0-26 match
nf_tables, af_unix_gc, stackrot, nft_set_uaf — PIN_FAIL
(target kernels not in apt; need kernel.ubuntu.com mainline
integration — deferred)
Total: 13 modules verified end-to-end against real Linux VMs,
covering kernels 5.4 / 5.10 / 5.15 / 5.4-HWE / 5.15-HWE across
Ubuntu 18.04/20.04/22.04 + Debian 11/12.
Three fixes for the next retry pass:
1. core/nft_compat.h — added NFTA_CHAIN_FLAGS (kernel 5.7) and
NFTA_CHAIN_ID (kernel 5.13). Without these, nft_fwd_dup fails to
compile on Ubuntu 18.04's 4.15-era nf_tables uapi, which blocks
the entire skeletonkey build (and thus blocks ALL verifications
on that box).
2. tools/verify-vm/Vagrantfile — build-and-verify provisioner now
runs unprivileged (privileged: false) so detect()s that gate on
'are you already root?' don't short-circuit. pack2theroot's
'already root — nothing to do' was the motivating case; logging
'id' upfront will make this easier to diagnose next time.
3. tools/verify-vm/targets.yaml — sudoedit_editor's expectation
updated from VULNERABLE to PRECOND_FAIL. Ubuntu 22.04 ships
sudo 1.9.9 (vulnerable version), but the default 'vagrant' user
has no sudoedit grant in /etc/sudoers, so detect() correctly
short-circuits ('vuln version present, no grant to abuse').
Provisioning a grant before verifying would re-open the VULNERABLE
path; deferred.
Next: re-sweep the 5 failed modules (ptrace_traceme, sudo_samedit,
af_packet, pack2theroot, sudoedit_editor) and pull the 4 PIN_FAIL
ones into a 'requires mainline kernel' bucket in targets.yaml.
230 lines
7.4 KiB
C
230 lines
7.4 KiB
C
/*
|
|
* SKELETONKEY — verification records table
|
|
*
|
|
* AUTO-GENERATED by tools/refresh-verifications.py from
|
|
* docs/VERIFICATIONS.jsonl. Do not hand-edit; rerun the script.
|
|
*
|
|
* Source: tools/verify-vm/verify.sh appends one JSON record per
|
|
* run; this generator dedupes to (module, vm_box, kernel, expect)
|
|
* and keeps the latest by verified_at.
|
|
*/
|
|
|
|
#include "verifications.h"
|
|
|
|
#include <stddef.h>
|
|
#include <string.h>
|
|
#include <stdbool.h>
|
|
|
|
const struct verification_record verifications[] = {
|
|
{
|
|
.module = "af_packet",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "4.15.0-213-generic",
|
|
.host_distro = "Ubuntu 18.04.6 LTS",
|
|
.vm_box = "generic/ubuntu1804",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "?",
|
|
.status = "MISMATCH",
|
|
},
|
|
{
|
|
.module = "af_packet2",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.4.0-169-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "cgroup_release_agent",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.10.0-27-amd64",
|
|
.host_distro = "Debian GNU/Linux 11 (bullseye)",
|
|
.vm_box = "generic/debian11",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "cls_route4",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-43-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "dirty_pipe",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-91-generic",
|
|
.host_distro = "Ubuntu 22.04.3 LTS",
|
|
.vm_box = "generic/ubuntu2204",
|
|
.expect_detect = "OK",
|
|
.actual_detect = "OK",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "entrybleed",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-91-generic",
|
|
.host_distro = "Ubuntu 22.04.3 LTS",
|
|
.vm_box = "generic/ubuntu2204",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "fuse_legacy",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.10.0-27-amd64",
|
|
.host_distro = "Debian GNU/Linux 11 (bullseye)",
|
|
.vm_box = "generic/debian11",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "netfilter_xtcompat",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.10.0-27-amd64",
|
|
.host_distro = "Debian GNU/Linux 11 (bullseye)",
|
|
.vm_box = "generic/debian11",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "nft_fwd_dup",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.10.0-27-amd64",
|
|
.host_distro = "Debian GNU/Linux 11 (bullseye)",
|
|
.vm_box = "generic/debian11",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "nft_payload",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-43-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "overlayfs",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.4.0-169-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "overlayfs_setuid",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-91-generic",
|
|
.host_distro = "Ubuntu 22.04.3 LTS",
|
|
.vm_box = "generic/ubuntu2204",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "pack2theroot",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "6.1.0-17-amd64",
|
|
.host_distro = "Debian GNU/Linux 12 (bookworm)",
|
|
.vm_box = "generic/debian12",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "OK",
|
|
.status = "MISMATCH",
|
|
},
|
|
{
|
|
.module = "ptrace_traceme",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "4.15.0-213-generic",
|
|
.host_distro = "Ubuntu 18.04.6 LTS",
|
|
.vm_box = "generic/ubuntu1804",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "?",
|
|
.status = "MISMATCH",
|
|
},
|
|
{
|
|
.module = "pwnkit",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.4.0-169-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "sequoia",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.4.0-169-generic",
|
|
.host_distro = "Ubuntu 20.04.6 LTS",
|
|
.vm_box = "generic/ubuntu2004",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "VULNERABLE",
|
|
.status = "match",
|
|
},
|
|
{
|
|
.module = "sudo_samedit",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "4.15.0-213-generic",
|
|
.host_distro = "Ubuntu 18.04.6 LTS",
|
|
.vm_box = "generic/ubuntu1804",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "?",
|
|
.status = "MISMATCH",
|
|
},
|
|
{
|
|
.module = "sudoedit_editor",
|
|
.verified_at = "2026-05-23",
|
|
.host_kernel = "5.15.0-91-generic",
|
|
.host_distro = "Ubuntu 22.04.3 LTS",
|
|
.vm_box = "generic/ubuntu2204",
|
|
.expect_detect = "VULNERABLE",
|
|
.actual_detect = "PRECOND_FAIL",
|
|
.status = "MISMATCH",
|
|
},
|
|
};
|
|
|
|
const size_t verifications_count =
|
|
sizeof(verifications) / sizeof(verifications[0]);
|
|
|
|
const struct verification_record *
|
|
verifications_for_module(const char *module, size_t *count_out)
|
|
{
|
|
if (count_out) *count_out = 0;
|
|
if (!module) return NULL;
|
|
const struct verification_record *first = NULL;
|
|
size_t n = 0;
|
|
for (size_t i = 0; i < verifications_count; i++) {
|
|
if (strcmp(verifications[i].module, module) == 0) {
|
|
if (first == NULL) first = &verifications[i];
|
|
n++;
|
|
}
|
|
}
|
|
if (count_out) *count_out = n;
|
|
return first;
|
|
}
|
|
|
|
bool verifications_module_has_match(const char *module)
|
|
{
|
|
size_t n = 0;
|
|
const struct verification_record *r = verifications_for_module(module, &n);
|
|
for (size_t i = 0; i < n; i++)
|
|
if (r[i].status && strcmp(r[i].status, "match") == 0)
|
|
return true;
|
|
return false;
|
|
}
|