@@ -15,11 +15,11 @@ use crate::common::{SIGSYS, payload, skip_if_no_namespaces};
1515
1616/// Test that CVE-2024-1086 attack vector is blocked.
1717///
18- /// CVE-2024-1086 is a use-after-free in Linux kernel's nf_tables.
19- /// The exploit requires AF_NETLINK socket access to nf_tables subsystem.
18+ /// CVE-2024-1086 is a use-after-free in Linux kernel's ` nf_tables` .
19+ /// The exploit requires ` AF_NETLINK` socket access to ` nf_tables` subsystem.
2020/// Actively exploited in ransomware campaigns (CISA Oct 2025).
2121///
22- /// Reference: https://www.sysdig.com/blog/detecting-cve-2024-1086
22+ /// Reference: < https://www.sysdig.com/blog/detecting-cve-2024-1086>
2323#[ test]
2424#[ ignore]
2525fn test_cve_2024_1086_nftables_blocked ( ) {
@@ -49,11 +49,11 @@ fn test_cve_2024_1086_nftables_blocked() {
4949
5050/// Test that CVE-2022-0185 attack vector is blocked.
5151///
52- /// CVE-2022-0185 is a heap overflow in fsconfig() syscall.
53- /// Requires CAP_SYS_ADMIN in user namespace.
52+ /// CVE-2022-0185 is a heap overflow in ` fsconfig()` syscall.
53+ /// Requires ` CAP_SYS_ADMIN` in user namespace.
5454/// Won $31,337 bounty for escaping Google's kCTF containers.
5555///
56- /// Reference: https://www.willsroot.io/2022/01/cve-2022-0185.html
56+ /// Reference: < https://www.willsroot.io/2022/01/cve-2022-0185.html>
5757#[ test]
5858#[ ignore]
5959fn test_cve_2022_0185_fsconfig_blocked ( ) {
@@ -85,9 +85,9 @@ fn test_cve_2022_0185_fsconfig_blocked() {
8585///
8686/// TIOCSTI ioctl injects characters into terminal input buffer.
8787/// Allows sandbox escape by injecting commands into parent shell.
88- /// Affected bubblewrap, SELinux sandbox, util-linux runuser.
88+ /// Affected bubblewrap, ` SELinux` sandbox, util-linux runuser.
8989///
90- /// Reference: https://github.com/containers/bubblewrap/issues/142
90+ /// Reference: < https://github.com/containers/bubblewrap/issues/142>
9191#[ test]
9292#[ ignore]
9393fn test_cve_2017_5226_tiocsti_blocked ( ) {
@@ -117,11 +117,11 @@ fn test_cve_2017_5226_tiocsti_blocked() {
117117
118118/// Test that CVE-2022-0492 cgroups escape is blocked.
119119///
120- /// CVE-2022-0492 allows container escape via cgroup release_agent.
120+ /// CVE-2022-0492 allows container escape via cgroup ` release_agent` .
121121/// Requires user namespace + mount capability.
122122/// CVSS 7.0 (High).
123123///
124- /// Reference: https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/
124+ /// Reference: < https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups> /
125125#[ test]
126126#[ ignore]
127127fn test_cve_2022_0492_cgroups_blocked ( ) {
@@ -151,11 +151,11 @@ fn test_cve_2022_0492_cgroups_blocked() {
151151
152152/// Test that fileless execution is blocked.
153153///
154- /// memfd_create + execveat allows executing code without writing to filesystem.
154+ /// ` memfd_create` + execveat allows executing code without writing to filesystem.
155155/// Used by malware to evade detection.
156156/// Bypasses filesystem-based security controls.
157157///
158- /// Reference: https://www.aquasec.com/blog/intro-to-fileless-malware-in-containers/
158+ /// Reference: < https://www.aquasec.com/blog/intro-to-fileless-malware-in-containers> /
159159#[ test]
160160#[ ignore]
161161fn test_fileless_memfd_blocked ( ) {
@@ -212,7 +212,7 @@ fn test_ioctl_tioclinux_blocked() {
212212/// Test that TIOCSETD ioctl is blocked.
213213///
214214/// TIOCSETD loads TTY line disciplines which have had many vulnerabilities:
215- /// - CVE-2017-2636: n_hdlc double-free
215+ /// - CVE-2017-2636: ` n_hdlc` double-free
216216/// - CVE-2019-11815: slip line discipline race
217217/// - Multiple other line discipline bugs
218218#[ test]
@@ -246,7 +246,7 @@ fn test_ioctl_tiocsetd_blocked() {
246246/// User namespaces are the prerequisite for most kernel exploits:
247247/// - CVE-2024-1086, CVE-2022-0185, CVE-2022-0492, CVE-2021-22555
248248///
249- /// Blocking clone(CLONE_NEWUSER) prevents a large class of kernel exploits.
249+ /// Blocking ` clone(CLONE_NEWUSER)` prevents a large class of kernel exploits.
250250#[ test]
251251#[ ignore]
252252fn test_userns_creation_blocked ( ) {
@@ -280,7 +280,7 @@ fn test_userns_creation_blocked() {
280280/// - Inject code
281281/// - Bypass security controls in traced process
282282///
283- /// CVE-2019-13272: ptrace PTRACE_TRACEME privilege escalation
283+ /// CVE-2019-13272: ptrace ` PTRACE_TRACEME` privilege escalation
284284#[ test]
285285#[ ignore]
286286fn test_ptrace_blocked ( ) {
@@ -313,7 +313,7 @@ fn test_ptrace_blocked() {
313313/// By putting garbage in upper 32 bits, attackers bypass filters while kernel
314314/// processes only the lower 32 bits. Affected Flatpak < 1.0.8.
315315///
316- /// Reference: https://github.com/flatpak/flatpak/security/advisories/GHSA-6qcp-mh39-cp53
316+ /// Reference: < https://github.com/flatpak/flatpak/security/advisories/GHSA-6qcp-mh39-cp53>
317317#[ test]
318318#[ ignore]
319319fn test_cve_2019_10063_ioctl_bypass_blocked ( ) {
0 commit comments