a4b7238e4a
dirty_pipe detect: active sentinel probe (Phase 1.5-ish improvement)
- New dirty_pipe_active_probe(): creates a /tmp probe file with known
sentinel bytes, fires the Dirty Pipe primitive against it, re-reads
via the page cache, returns true if the poisoning landed.
- detect() gated on ctx->active_probe: --scan does version-only check
(fast, no side effects); --scan --active fires the empirical probe
and overrides version inference with the empirical verdict. Catches
silent distro backports that don't bump uname() version.
- Three verdicts now distinguishable:
(a) version says patched, no active probe → 'patched (version-only)'
(b) version says vulnerable, --active fires + probe lands → CONFIRMED
(c) version says vulnerable, --active fires + probe blocked → 'likely
patched via distro backport'
- Probe is safe: only /tmp, no /etc/passwd.
nf_tables CVE-2024-1086 (detect-only, new module):
- Famous Notselwyn UAF in nft_verdict_init. Affects 5.14 ≤ K, fixed
mainline 6.8 with backports landing in 5.4.269 / 5.10.210 / 5.15.149
/ 6.1.74 / 6.6.13 / 6.7.2.
- detect() checks: kernel version range, AND unprivileged user_ns clone
availability (the exploit's reachability gate — kernel-vulnerable
but userns-locked-down hosts report PRECOND_FAIL, signalling that
the kernel still needs patching but unprivileged path is closed).
- Ships auditd + sigma detection rules: unshare(CLONE_NEWUSER) chained
with setresuid(0,0,0) on a previously-non-root process is the
exploit's canonical telltale.
- Full Notselwyn-style exploit (cross-cache UAF → arbitrary R/W → cred
overwrite or modprobe_path hijack) is the next commit.
9 modules total now. CVES.md and ROADMAP.md updated.
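The version-range check and the user_ns reachability gate the commit message describes for the nf_tables module, as an added example in C that is not the project's own detect(): it uses only the fix versions listed above, and the function names, the verdict enum and the `uname -r` parsing are my own assumptions.

```c
/* Added example, not the project's detect(): CVE-2024-1086 version verdict
 * plus the user_ns reachability gate, from the fix versions listed above. */
#include <stdlib.h>

enum verdict { V_PATCHED, V_VULNERABLE, V_PRECOND_FAIL, V_UNKNOWN };
struct kver { int maj, min, patch; };
/* Stable series and the backport that carries the fix (commit message).
 * Mainline 6.8 is the first fixed release and is checked separately. */
static const struct kver fixed_in[] = {
    {5, 4, 269}, {5, 10, 210}, {5, 15, 149}, {6, 1, 74}, {6, 6, 13}, {6, 7, 2},
};
/* Parse the MAJ.MIN[.PATCH] prefix of a `uname -r` string such as
 * "5.15.0-91-generic"; the distro suffix is ignored. Returns 0 on success. */
int kver_parse(const char *s, struct kver *out)
{
    char *end;
    out->maj = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return -1;
    s = end + 1;
    out->min = (int)strtol(s, &end, 10);
    if (end == s) return -1;
    out->patch = 0;
    if (*end == '.') {
        s = end + 1;
        out->patch = (int)strtol(s, &end, 10);
        if (end == s) return -1;
    }
    return 0;
}
/* Version inference only. A series with no listed backport cannot be decided
 * from uname(), and a silent distro backport would not bump it either. */
enum verdict version_verdict(const char *release)
{
    struct kver k; size_t i;
    if (kver_parse(release, &k) != 0) return V_UNKNOWN;
    if (k.maj > 6 || (k.maj == 6 && k.min >= 8)) return V_PATCHED;
    for (i = 0; i < sizeof fixed_in / sizeof fixed_in[0]; i++)
        if (fixed_in[i].maj == k.maj && fixed_in[i].min == k.min)
            return k.patch >= fixed_in[i].patch ? V_PATCHED : V_VULNERABLE;
    return V_UNKNOWN;
}

/* Reachability gate: a vulnerable kernel with unprivileged user namespaces
 * disabled still needs the patch, but the unprivileged path is closed. */
enum verdict nf_tables_verdict(const char *release, int unpriv_userns_ok)
{
    enum verdict v = version_verdict(release);
    if (v != V_VULNERABLE) return v;
    return unpriv_userns_ok ? V_VULNERABLE : V_PRECOND_FAIL;
}
```

The `unpriv_userns_ok` flag stands in for whatever the scanner uses to decide whether unprivileged user namespace creation is permitted, which is an assumption here rather than a reading of the module's actual check.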
30 lines
896 B
C
/*
 * IAMROOT — module registry
 *
 * Global list of registered modules. Each family contributes via its
 * iamroot_register_<family>() function, declared below and called from
 * iamroot main() at startup.
 */

#ifndef IAMROOT_REGISTRY_H
#define IAMROOT_REGISTRY_H

#include <stddef.h> /* size_t */
#include "module.h"

void iamroot_register(const struct iamroot_module *m);

size_t iamroot_module_count(void);
const struct iamroot_module *iamroot_module_at(size_t i);

/* Find a module by name. Returns NULL if not found. */
const struct iamroot_module *iamroot_module_find(const char *name);

/* Each module family declares one of these in its public header. The
 * top-level iamroot main() calls them in order at startup. */
void iamroot_register_copy_fail_family(void);
void iamroot_register_dirty_pipe(void);
void iamroot_register_entrybleed(void);
void iamroot_register_pwnkit(void);
void iamroot_register_nf_tables(void);

#endif /* IAMROOT_REGISTRY_H */