leviathan
52e8c99022
- core/module.h: struct iamroot_module + iamroot_result_t
- core/registry.{h,c}: flat-array module registry with find-by-name
- modules/copy_fail_family/iamroot_modules.{h,c}: bridge layer
exposing 5 modules (copy_fail, copy_fail_gcm, dirty_frag_esp,
dirty_frag_esp6, dirty_frag_rxrpc) wired to the absorbed DIRTYFAIL
detect/exploit functions; df_result_t/iamroot_result_t share numeric
values intentionally for zero-cost translation
- iamroot.c: top-level CLI dispatcher with --scan / --list / --exploit /
--mitigate / --cleanup, JSON output, --i-know gate
- Restored modules/copy_fail_family/src/ structure (DIRTYFAIL Makefile
expects it; the initial flat copy broke that contract)
- Top-level Makefile builds one binary; filters out DIRTYFAIL's
original dirtyfail.c main so it doesn't conflict with iamroot.c
Verified end-to-end on kctf-mgr (Linux): clean compile, 5 modules
register, --scan --json output ingest-ready, exit codes propagate.
41 lines
1.6 KiB
C
41 lines
1.6 KiB
C
/*
|
|
* DIRTYFAIL — dirtyfrag_esp.h
|
|
*
|
|
* Public surface for the Dirty Frag xfrm-ESP variant (CVE-2026-43284).
|
|
*/
|
|
|
|
#ifndef DIRTYFAIL_DIRTYFRAG_ESP_H
|
|
#define DIRTYFAIL_DIRTYFRAG_ESP_H
|
|
|
|
#include "common.h"
|
|
|
|
/* Run all preconditions for the xfrm-ESP primitive. Detection here is
|
|
* precondition-only: we do not register an SA in detect mode because
|
|
* doing so requires a fresh user namespace and side-effects loopback
|
|
* routing inside that namespace. Returns DF_VULNERABLE if all
|
|
* prerequisites are satisfied. */
|
|
df_result_t dirtyfrag_esp_detect(void);
|
|
|
|
/* OUTER (init namespace): user prompts → resolve target → fork →
|
|
* wait for child to do the kernel work → read global page cache to
|
|
* verify → if do_shell, execlp("su", user) in init ns for REAL
|
|
* init-ns root via PAM. */
|
|
df_result_t dirtyfrag_esp_exploit(bool do_shell);
|
|
|
|
/* INNER (bypass userns): runs after AA bypass stage 2. Reads
|
|
* DIRTYFAIL_TARGET_USER from env, registers XFRM SA with seq_hi
|
|
* "0000", fires the splice trigger. No prompts, no su, no verify —
|
|
* the parent owns those. Exits with df_result_t cast to int. */
|
|
df_result_t dirtyfrag_esp_exploit_inner(void);
|
|
|
|
/* Active probe: fires the v4 ESP-in-UDP trigger against a /tmp sentinel
|
|
* file (never /etc/passwd) and reports whether the marker landed.
|
|
* Used by `--scan --active`. The inner half runs in the bypass userns
|
|
* and reads DIRTYFAIL_PROBE_SENTINEL for the target path. Returns
|
|
* DF_VULNERABLE on marker hit, DF_OK if patched, DF_PRECOND_FAIL on
|
|
* AA-block, DF_TEST_ERROR otherwise. */
|
|
df_result_t dirtyfrag_esp_active_probe(void);
|
|
df_result_t dirtyfrag_esp_active_probe_inner(void);
|
|
|
|
#endif
|