Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range

- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.

core/kernel_range.c

@@ -0,0 +1,71 @@
+/*
+ * IAMROOT — kernel_range implementation
+ */
+
+#include "kernel_range.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/utsname.h>
+
+static char g_release_buf[128];
+
+bool kernel_version_current(struct kernel_version *out)
+{
+    if (out == NULL) return false;
+
+    struct utsname u;
+    if (uname(&u) < 0) return false;
+
+    /* Stash release string for callers that want to print it. We hold
+     * a single static buffer; not threadsafe but iamroot is single-
+     * threaded today. */
+    snprintf(g_release_buf, sizeof(g_release_buf), "%s", u.release);
+    out->release = g_release_buf;
+
+    out->major = 0; out->minor = 0; out->patch = 0;
+    if (sscanf(u.release, "%d.%d.%d", &out->major, &out->minor, &out->patch) < 2)
+        return false;
+    return true;
+}
+
+bool kernel_range_is_patched(const struct kernel_range *r,
+                             const struct kernel_version *v)
+{
+    if (r == NULL || v == NULL) return false;
+
+    /* If the host's (major, minor) matches an entry AND its patch
+     * level is at or above the entry's patch, host is patched. */
+    for (size_t i = 0; i < r->n_patched_from; i++) {
+        const struct kernel_patched_from *pf = &r->patched_from[i];
+        if (v->major == pf->major && v->minor == pf->minor) {
+            return v->patch >= pf->patch;
+        }
+    }
+
+    /* If the host's (major, minor) is GREATER than every entry's
+     * (major, minor), it's on a newer branch that has the fix
+     * inherited from mainline — patched. */
+    for (size_t i = 0; i < r->n_patched_from; i++) {
+        const struct kernel_patched_from *pf = &r->patched_from[i];
+        /* host strictly newer than this entry's branch */
+        if (v->major > pf->major ||
+            (v->major == pf->major && v->minor > pf->minor)) {
+            /* keep checking — we want to be patched on ALL applicable
+             * branches; if any entry is on the host's branch, that's
+             * handled above. If we get here for every entry, host
+             * is on a branch strictly newer than each — meaning the
+             * mainline fix flowed in. */
+            continue;
+        } else {
+            /* host is on a branch strictly older than this entry —
+             * not patched via this entry, and no exact-branch match
+             * applied above either → vulnerable. */
+            return false;
+        }
+    }
+    /* All entries are on branches at or below the host's — host has
+     * the fix inherited via mainline progression. */
+    return true;
+}

core/kernel_range.h

@@ -0,0 +1,59 @@
+/*
+ * IAMROOT — kernel version range matching
+ *
+ * Every CVE module needs to answer "is the host kernel in the affected
+ * range?". This file centralizes that.
+ *
+ * The kernel version space is a tree of stable branches: 5.10.x,
+ * 5.15.x, 5.16.x, ..., 6.6.x, 6.12.x, etc. A CVE is typically fixed
+ * in mainline at some version, then backported into one or more
+ * stable branches at branch-specific minor versions. A host with
+ * 5.15.50 is patched if the fix was backported to 5.15.42, but a
+ * host with 5.15.10 is still vulnerable.
+ *
+ * We model this with a list of "patched-from" entries per CVE: each
+ * entry says "on branch X.Y, the fix is in versions >= X.Y.Z". The
+ * host is patched if its branch matches one of these entries AND its
+ * patch version is at or above the threshold.
+ */
+
+#ifndef IAMROOT_KERNEL_RANGE_H
+#define IAMROOT_KERNEL_RANGE_H
+
+#include <stdbool.h>
+#include <stddef.h>
+
+struct kernel_version {
+    int major;
+    int minor;
+    int patch;
+    /* Original /proc/version-style release string (e.g. "6.12.88-generic")
+     * — for reporting; the comparison logic uses the parsed numerics. */
+    const char *release;
+};
+
+/* Per-branch "patched-from" entry. To say "fix is in mainline 5.17",
+ * use {5, 17, 0}. To say "fix backported to 5.15.25", use {5, 15, 25}. */
+struct kernel_patched_from {
+    int major;
+    int minor;
+    int patch;
+};
+
+struct kernel_range {
+    /* List of branches that have the fix backported. If the host's
+     * (major, minor) matches a branch AND host.patch >= branch.patch,
+     * the host is patched. */
+    const struct kernel_patched_from *patched_from;
+    size_t n_patched_from;
+};
+
+/* Parse uname(2)->release / /proc/version into a kernel_version.
+ * Returns true on success. Stores nothing in `out` on failure. */
+bool kernel_version_current(struct kernel_version *out);
+
+/* Returns true if a host running `v` is PATCHED according to `r`. */
+bool kernel_range_is_patched(const struct kernel_range *r,
+                             const struct kernel_version *v);
+
+#endif /* IAMROOT_KERNEL_RANGE_H */

core/registry.h

@@ -21,5 +21,6 @@ const struct iamroot_module *iamroot_module_find(const char *name);
 /* Each module family declares one of these in its public header. The
  * top-level iamroot main() calls them in order at startup. */
 void iamroot_register_copy_fail_family(void);
+void iamroot_register_dirty_pipe(void);
 
 #endif /* IAMROOT_REGISTRY_H */