Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range

- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.

core/kernel_range.h

@@ -0,0 +1,59 @@
+/*
+ * IAMROOT — kernel version range matching
+ *
+ * Every CVE module needs to answer "is the host kernel in the affected
+ * range?". This file centralizes that.
+ *
+ * The kernel version space is a tree of stable branches: 5.10.x,
+ * 5.15.x, 5.16.x, ..., 6.6.x, 6.12.x, etc. A CVE is typically fixed
+ * in mainline at some version, then backported into one or more
+ * stable branches at branch-specific minor versions. A host with
+ * 5.15.50 is patched if the fix was backported to 5.15.42, but a
+ * host with 5.15.10 is still vulnerable.
+ *
+ * We model this with a list of "patched-from" entries per CVE: each
+ * entry says "on branch X.Y, the fix is in versions >= X.Y.Z". The
+ * host is patched if its branch matches one of these entries AND its
+ * patch version is at or above the threshold.
+ */
+
+#ifndef IAMROOT_KERNEL_RANGE_H
+#define IAMROOT_KERNEL_RANGE_H
+
+#include <stdbool.h>
+#include <stddef.h>
+
+struct kernel_version {
+    int major;
+    int minor;
+    int patch;
+    /* Original /proc/version-style release string (e.g. "6.12.88-generic")
+     * — for reporting; the comparison logic uses the parsed numerics. */
+    const char *release;
+};
+
+/* Per-branch "patched-from" entry. To say "fix is in mainline 5.17",
+ * use {5, 17, 0}. To say "fix backported to 5.15.25", use {5, 15, 25}. */
+struct kernel_patched_from {
+    int major;
+    int minor;
+    int patch;
+};
+
+struct kernel_range {
+    /* List of branches that have the fix backported. If the host's
+     * (major, minor) matches a branch AND host.patch >= branch.patch,
+     * the host is patched. */
+    const struct kernel_patched_from *patched_from;
+    size_t n_patched_from;
+};
+
+/* Parse uname(2)->release / /proc/version into a kernel_version.
+ * Returns true on success. Stores nothing in `out` on failure. */
+bool kernel_version_current(struct kernel_version *out);
+
+/* Returns true if a host running `v` is PATCHED according to `r`. */
+bool kernel_range_is_patched(const struct kernel_range *r,
+                             const struct kernel_version *v);
+
+#endif /* IAMROOT_KERNEL_RANGE_H */