From 57ace30e93e0bc13dc81c102fd7d9117679d214e Mon Sep 17 00:00:00 2001
From: Artem Metla
Date: Thu, 19 Dec 2024 18:10:06 +0100
Subject: [PATCH] kernelCTF: server: update to latest version
---
 kernelctf/server/qemu.sh | 18 ++++++++++++++++--
 kernelctf/server/releases.yaml | 16 ++++++++++++++++
 kernelctf/server/server.py | 25 ++++++++++++++++++++++---
 3 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/kernelctf/server/qemu.sh b/kernelctf/server/qemu.sh
index 56897798..440049c9 100755
--- a/kernelctf/server/qemu.sh
+++ b/kernelctf/server/qemu.sh
@@ -1,9 +1,13 @@
 #!/bin/bash
-if [ $# -ne 3 ]; then echo "Usage: $0 "; exit 1; fi
+if [ $# -ne 4 ] && [ $# -ne 3 ]; then
+ echo "Usage: $0 []"
+ exit 1
+fi
 RELEASE_PATH=$1
 FLAG_FN=$2
 INIT=$3
+CAPABILITIES=$4
 RELEASE=$(basename "$RELEASE_PATH")
 HARDENING=""
@@ -11,6 +15,16 @@ if [[ "$RELEASE" == "mitigation-v3"* ]]; then
 HARDENING="sysctl.kernel.dmesg_restrict=1 sysctl.kernel.kptr_restrict=2 sysctl.kernel.unprivileged_bpf_disabled=2 sysctl.net.core.bpf_jit_harden=1 sysctl.kernel.yama.ptrace_scope=1"; fi
+IO_URING="sysctl.kernel.io_uring_disabled=2"
+
+if [[ -n "$CAPABILITIES" ]]; then
+ for element in $(echo "$CAPABILITIES" | tr ',' '\n'); do
+ if [[ "$element" == "io_uring"* ]]; then
+ IO_URING=""
+ fi
+ done
+fi
+
 exec qemu-system-x86_64 -m 3.5G -nographic -no-reboot \
 -monitor none \
 -enable-kvm -cpu host -smp cores=2 \
@@ -19,4 +33,4 @@ exec qemu-system-x86_64 -m 3.5G -nographic -no-reboot \
 -nic user,model=virtio-net-pci \
 -drive file=rootfs_v3.img,if=virtio,cache=none,aio=native,format=raw,discard=on,readonly \
 -drive file=$FLAG_FN,if=virtio,format=raw,readonly \
- -append "console=ttyS0 root=/dev/vda1 rootfstype=ext4 rootflags=discard ro $HARDENING init=$INIT hostname=$RELEASE"
+ -append "console=ttyS0 root=/dev/vda1 rootfstype=ext4 rootflags=discard ro $HARDENING $IO_URING init=$INIT hostname=$RELEASE"
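Review bot: The usage message in the first qemu.sh hunk, `echo "Usage: $0 []"`, reads as if its positional placeholder names are missing (the old `"Usage: $0 "` has the same shape), which may be a rendering artefact of this patch or a genuine omission — worth confirming, since with four arguments accepted the text should name the optional fourth one, e.g. `echo "Usage: $0 RELEASE_PATH FLAG_FN INIT [CAPABILITIES]"`. The widened check `[ $# -ne 4 ] && [ $# -ne 3 ]` is correct for the optional argument: with three arguments `CAPABILITIES=$4` is simply empty and the `-n` test in the next hunk keeps the default.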
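Review bot: In the second qemu.sh hunk, `if [[ "$element" == "io_uring"* ]]; then` is a prefix match, so any token beginning with `io_uring` clears the sysctl; the only caller visible in this patch (server.py's main) filters requests through ALLOWED_CAPABILITIES first, so this is harmless today, but an exact comparison states the intent and will not silently accept a future `io_uring_...` variant: `if [[ "$element" == "io_uring" ]]; then`. The default-deny shape is the right one — `kernel.io_uring_disabled=2` stays on the kernel command line unless a capability explicitly asks otherwise — and deserves a comment above the assignment, e.g. `# io_uring is disabled for all users by default; only an explicitly requested "io_uring" capability removes this sysctl.` The unquoted `$(echo "$CAPABILITIES" | tr ',' '\n')` relies on word splitting and is safe only because the input is allowlisted upstream; `IFS=',' read -ra` over the variable would not depend on that.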
diff --git a/kernelctf/server/releases.yaml b/kernelctf/server/releases.yaml
index f1eb171c..2c7a69b8 100644
--- a/kernelctf/server/releases.yaml
+++ b/kernelctf/server/releases.yaml
@@ -1,3 +1,19 @@
+lts-6.6.66:
+ release-date: 2024-12-27T12:00:00Z
+cos-105-17412.495.73:
+ release-date: 2024-12-27T12:00:00Z
+cos-109-17800.372.71:
+ release-date: 2024-12-27T12:00:00Z
+
+lts-6.6.64:
+ release-date: 2024-12-13T12:00:00Z
+cos-105-17412.495.62:
+ release-date: 2024-12-13T12:00:00Z
+cos-109-17800.372.64:
+ release-date: 2024-12-13T12:00:00Z
+mitigation-v4-6.6:
+ release-date: 2024-12-13T12:00:00Z
+
 lts-6.6.62:
 release-date: 2024-11-29T12:00:00Z
 cos-105-17412.495.37:
diff --git a/kernelctf/server/server.py b/kernelctf/server/server.py
index ad281685..409b2023 100755
--- a/kernelctf/server/server.py
+++ b/kernelctf/server/server.py
@@ -15,6 +15,7 @@ RELEASES_YAML = 'releases.yaml'
 SLOTS_JSON = 'slots.json'
 DEPRECATED_TARGETS = ["cos-97"]
+ALLOWED_CAPABILITIES = ["io_uring"]
 sys.path.append('/usr/local/lib/python3.9/dist-packages')
 from httplib2 import Http
@@ -49,7 +50,7 @@ def get_releases():
 del releases[release_id]
 continue
- m = re.match(r'(?Plts|mitigation(-v3|-v3b)?|cos-\d+)-(?P\d+(\.\d+)+)', release_id)
+ m = re.match(r'(?Plts|mitigation(-v3|-v3b|-v4)?|cos-\d+)-(?P\d+(\.\d+)+)', release_id)
 if m is None:
 warning(f'release {release_id} does not match regex')
 del releases[release_id]
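Review bot: `ALLOWED_CAPABILITIES = ["io_uring"]` is the allowlist that decides which hardening knobs a player may have qemu.sh relax, and its values end up both on the kernel command line and inside the HMAC-signed flag (see the later hunks of this file), so a short comment stating that contract would help the next person who extends it: `# Hardening features a player may request; each name is passed to qemu.sh and recorded in the v2 flag, so keep names free of ':' and ','.` The module-level block continues outside the hunk.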
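Review bot: The regex in get_releases now admits `mitigation-v4` ids (and releases.yaml in this same patch adds `mitigation-v4-6.6`), but the hardening block in qemu.sh — its condition is visible in that file's hunk header, `if [[ "$RELEASE" == "mitigation-v3"* ]]; then` — still sets HARDENING for v3 names only, so a mitigation-v4 slot would boot without the dmesg_restrict/kptr_restrict/unprivileged_bpf_disabled/bpf_jit_harden/ptrace_scope sysctls unless the v4 kernel enforces them on its own; worth confirming before the listed release date. If the sysctls are meant to apply to v4 as well, the qemu.sh condition needs widening, e.g. `if [[ "$RELEASE" == "mitigation-v3"* || "$RELEASE" == "mitigation-v4"* ]]; then`. The `(?P...)` groups in this line appear to have lost their `<name>` brackets in the rendering; apart from the `-v4` alternative the pattern is unchanged. get_releases continues outside the hunk.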
@@ -176,6 +177,21 @@ def main():
 elif release['status'] == 'latest':
 flagPrefix = ''
+ capabilities_done = False
+ while not capabilities_done:
+ print("Enter capabilities needed (comma-separated, or leave empty)")
+ print(f"options: {ALLOWED_CAPABILITIES}")
+ capabilities = input(": ").strip()
+ capabilities_done = True
+
+ capabilities = [capability.strip() for capability in capabilities.split(",")] if capabilities else []
+ capabilities = list(set(capabilities))
+
+ for capability in capabilities:
+ if capability not in ALLOWED_CAPABILITIES:
+ print(f"{capability} not in the available capabilities.")
+ capabilities_done = False
+
 if not (root or (isDevel and input('Skip pow? (y/n) ') == 'y')):
 import pow
 if not pow.ask(7337):
@@ -186,12 +202,15 @@ def main():
 with tempfile.TemporaryDirectory() as temp_dir:
 flag_fn = f'{temp_dir}/flag'
 with open(flag_fn, 'wt') as f:
- flag_content = f'{flagPrefix}v1:{release_id}:{int(time.time())}'
+ if len(capabilities) == 0:
+ flag_content = f'{flagPrefix}v1:{release_id}:{int(time.time())}'
+ else:
+ flag_content = f'{flagPrefix}v2:{release_id}:{",".join(capabilities)}:{int(time.time())}'
 signature = hmac.new(server_secrets.flag_key.encode('utf-8'), flag_content.encode('utf-8'), hashlib.sha1).hexdigest()
 flag = f'kernelCTF{{{flag_content}:{signature}}}'
 f.write(flag + '\n')
- subprocess.check_call(['./qemu.sh', f'{release_dir}/{release_id}', flag_fn, '/bin/bash' if root else '/home/user/run.sh'])
+ subprocess.check_call(['./qemu.sh', f'{release_dir}/{release_id}', flag_fn, '/bin/bash' if root else '/home/user/run.sh', ",".join(capabilities)])
 else:
 print('Invalid action. Expected one of the followings: run, info, back')
 print()
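Review bot: `capabilities = list(set(capabilities))` leaves the list in set-iteration order, which for strings varies between processes, so once ALLOWED_CAPABILITIES holds more than one entry the same request would produce differently ordered signed flag contents and qemu.sh arguments from run to run; `capabilities = sorted(set(capabilities))` keeps the dedup and makes the result canonical. A trailing or doubled comma also yields an empty token that is rejected with the message ` not in the available capabilities.`, which is confusing; dropping blanks in the comprehension avoids that: `capabilities = [c.strip() for c in capabilities.split(",") if c.strip()] if capabilities else []`. The allowlist loop itself is the right gate — nothing reaches the flag or qemu.sh without matching ALLOWED_CAPABILITIES exactly. main starts and ends outside the hunk.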
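Review bot: The v2 flag layout `{flagPrefix}v2:{release_id}:{",".join(capabilities)}:{int(time.time())}` embeds a comma-joined field in a colon-delimited, HMAC-signed string, and it stays unambiguous only because every name passed the exact ALLOWED_CAPABILITIES check earlier in main and so cannot contain ':'; a comment above the `if len(capabilities) == 0:` branch should record that dependency, e.g. `# v2 flags record the granted capabilities; names are allowlisted above, so the extra ':'-delimited field cannot be shaped by user input`. Whatever verifies submitted flags must also accept the v2 layout alongside v1; that code is not part of this patch. `if not capabilities:` is the idiomatic form of the length test. With no capabilities the new fifth argument to qemu.sh is the empty string, which its `$# -ne 4` check accepts. main continues outside the hunk.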