Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range

- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.

modules/dirty_pipe_cve_2022_0847/detect/auditd.rules

@@ -0,0 +1,26 @@
+# Dirty Pipe (CVE-2022-0847) — auditd detection rules
+#
+# Detects the Dirty Pipe primitive pattern: a process splice()s a file
+# into a pipe, then write()s to that pipe. The kernel bug allows the
+# write to land in the page cache of the original file.
+#
+# False-positive surface: legitimate splice-then-write is rare in
+# userspace; most uses of splice are file-to-file (e.g. cp via sendfile).
+# Tuning may be needed in environments using nginx/HAProxy/etc.
+#
+# Drop these into /etc/audit/rules.d/ and reload auditd.
+
+# Watch /etc/passwd, /etc/shadow, /etc/sudoers, /etc/sudoers.d/* for
+# any modification by non-root — the Dirty Pipe payload typically
+# overwrites these to gain root.
+-w /etc/passwd      -p wa -k iamroot-dirty-pipe
+-w /etc/shadow      -p wa -k iamroot-dirty-pipe
+-w /etc/sudoers     -p wa -k iamroot-dirty-pipe
+-w /etc/sudoers.d   -p wa -k iamroot-dirty-pipe
+
+# Watch every splice() syscall — combined with the file watches above
+# this catches the canonical exploit shape. (High volume on servers
+# using nginx/HAProxy; consider scoping with -F gid!=33 -F gid!=99 to
+# exclude web servers.)
+-a always,exit -F arch=b64 -S splice -k iamroot-dirty-pipe-splice
+-a always,exit -F arch=b32 -S splice -k iamroot-dirty-pipe-splice

modules/dirty_pipe_cve_2022_0847/detect/sigma.yml

@@ -0,0 +1,40 @@
+title: Possible Dirty Pipe exploitation (CVE-2022-0847)
+id: f6b13c08-iamroot-dirty-pipe
+status: experimental
+description: |
+  Detects file modifications to /etc/passwd, /etc/shadow, /etc/sudoers,
+  or /etc/sudoers.d/* by a non-root process. The Dirty Pipe primitive
+  is a page-cache write — the on-disk file is unchanged but the running
+  kernel sees the modified contents. This sigma rule complements the
+  auditd rules in detect/auditd.rules.
+references:
+  - https://dirtypipe.cm4all.com/
+  - https://nvd.nist.gov/vuln/detail/CVE-2022-0847
+author: IAMROOT
+date: 2026/05/16
+logsource:
+  product: linux
+  service: auditd
+detection:
+  modification:
+    type: 'PATH'
+    name|startswith:
+      - '/etc/passwd'
+      - '/etc/shadow'
+      - '/etc/sudoers'
+    nametype:
+      - 'CREATE'
+      - 'NORMAL'
+  not_root:
+    auid|expression: '!= 0'
+  condition: modification and not_root
+falsepositives:
+  - Legitimate package upgrades (`apt`, `dnf`, `dpkg`) — these run as
+    root so auid=0 excludes them
+  - Manual edits via `vipw`, `passwd`, etc. — these also run as
+    setuid-root so auid≠0 is uncommon for the actual file write
+level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1068
+  - cve.2022.0847