kernelCTF: server: update to latest version

kernelctf/server/qemu.sh

@@ -1,16 +1,30 @@
 #!/bin/bash
-if [ $# -ne 3 ]; then echo "Usage: $0 <release_path> <flag_fn> <init>"; exit 1; fi
+if [ $# -ne 4 ] && [ $# -ne 3 ]; then
+  echo "Usage: $0 <release_path> <flag_fn> <init> [<capabilities>]"
+  exit 1
+fi
 
 RELEASE_PATH=$1
 FLAG_FN=$2
 INIT=$3
+CAPABILITIES=$4
 RELEASE=$(basename "$RELEASE_PATH")
 
 HARDENING=""
 if [[ "$RELEASE" == "mitigation-v3"* ]]; then
   HARDENING="sysctl.kernel.dmesg_restrict=1 sysctl.kernel.kptr_restrict=2 sysctl.kernel.unprivileged_bpf_disabled=2 sysctl.net.core.bpf_jit_harden=1 sysctl.kernel.yama.ptrace_scope=1";
 fi
 
+IO_URING="sysctl.kernel.io_uring_disabled=2"
+
+if [[ -n "$CAPABILITIES" ]]; then
+  for element in $(echo "$CAPABILITIES" | tr ',' '\n'); do
+    if [[ "$element" == "io_uring"* ]]; then
+      IO_URING=""
+    fi
+  done
+fi
+
 exec qemu-system-x86_64 -m 3.5G -nographic -no-reboot \
   -monitor none \
   -enable-kvm -cpu host -smp cores=2 \
@@ -19,4 +33,4 @@ exec qemu-system-x86_64 -m 3.5G -nographic -no-reboot \
   -nic user,model=virtio-net-pci \
   -drive file=rootfs_v3.img,if=virtio,cache=none,aio=native,format=raw,discard=on,readonly \
   -drive file=$FLAG_FN,if=virtio,format=raw,readonly \
-  -append "console=ttyS0 root=/dev/vda1 rootfstype=ext4 rootflags=discard ro $HARDENING init=$INIT hostname=$RELEASE"
+  -append "console=ttyS0 root=/dev/vda1 rootfstype=ext4 rootflags=discard ro $HARDENING $IO_URING init=$INIT hostname=$RELEASE"

kernelctf/server/releases.yaml

@@ -1,3 +1,19 @@
+lts-6.6.66:
+  release-date: 2024-12-27T12:00:00Z
+cos-105-17412.495.73:
+  release-date: 2024-12-27T12:00:00Z
+cos-109-17800.372.71:
+  release-date: 2024-12-27T12:00:00Z
+
+lts-6.6.64:
+  release-date: 2024-12-13T12:00:00Z
+cos-105-17412.495.62:
+  release-date: 2024-12-13T12:00:00Z
+cos-109-17800.372.64:
+  release-date: 2024-12-13T12:00:00Z
+mitigation-v4-6.6:
+  release-date: 2024-12-13T12:00:00Z
+
 lts-6.6.62:
   release-date: 2024-11-29T12:00:00Z
 cos-105-17412.495.37:

kernelctf/server/server.py

@@ -15,6 +15,7 @@
 RELEASES_YAML = 'releases.yaml'
 SLOTS_JSON = 'slots.json'
 DEPRECATED_TARGETS = ["cos-97"]
+ALLOWED_CAPABILITIES = ["io_uring"]
 
 sys.path.append('/usr/local/lib/python3.9/dist-packages')
 from httplib2 import Http
@@ -49,7 +50,7 @@ def get_releases():
             del releases[release_id]
             continue
 
-        m = re.match(r'(?P<target>lts|mitigation(-v3|-v3b)?|cos-\d+)-(?P<version>\d+(\.\d+)+)', release_id)
+        m = re.match(r'(?P<target>lts|mitigation(-v3|-v3b|-v4)?|cos-\d+)-(?P<version>\d+(\.\d+)+)', release_id)
         if m is None:
             warning(f'release {release_id} does not match regex')
             del releases[release_id]
@@ -176,6 +177,21 @@ def main():
                 elif release['status'] == 'latest':
                     flagPrefix = ''
 
+                capabilities_done = False
+                while not capabilities_done:
+                    print("Enter capabilities needed (comma-separated, or leave empty)")
+                    print(f"options: {ALLOWED_CAPABILITIES}")
+                    capabilities = input(": ").strip()
+                    capabilities_done = True
+
+                    capabilities = [capability.strip() for capability in capabilities.split(",")] if capabilities else []
+                    capabilities = list(set(capabilities))
+
+                    for capability in capabilities:
+                        if capability not in ALLOWED_CAPABILITIES:
+                            print(f"{capability} not in the available capabilities.")
+                            capabilities_done = False
+
                 if not (root or (isDevel and input('Skip pow? (y/n) ') == 'y')):
                     import pow
                     if not pow.ask(7337):
@@ -186,12 +202,15 @@ def main():
                 with tempfile.TemporaryDirectory() as temp_dir:
                     flag_fn = f'{temp_dir}/flag'
                     with open(flag_fn, 'wt') as f:
-                        flag_content = f'{flagPrefix}v1:{release_id}:{int(time.time())}'
+                        if len(capabilities) == 0:
+                            flag_content = f'{flagPrefix}v1:{release_id}:{int(time.time())}'
+                        else:
+                            flag_content = f'{flagPrefix}v2:{release_id}:{",".join(capabilities)}:{int(time.time())}'
                         signature = hmac.new(server_secrets.flag_key.encode('utf-8'), flag_content.encode('utf-8'), hashlib.sha1).hexdigest()
                         flag = f'kernelCTF{{{flag_content}:{signature}}}'
                         f.write(flag + '\n')
 
-                    subprocess.check_call(['./qemu.sh', f'{release_dir}/{release_id}', flag_fn, '/bin/bash' if root else '/home/user/run.sh'])
+                    subprocess.check_call(['./qemu.sh', f'{release_dir}/{release_id}', flag_fn, '/bin/bash' if root else '/home/user/run.sh', ",".join(capabilities)])
             else:
                 print('Invalid action. Expected one of the followings: run, info, back')
                 print()