verify-vm: per-module provisioner hook + old-mainline URL fallback

Adds tools/verify-vm/provisioners/<module>.sh hook so per-module setup
(build vulnerable sudo from source, drop polkit allow rule, add sudoers
grant) lives in checked-in scripts rather than manual VM steps. Vagrantfile
runs the script as root before build-and-verify if it exists.

Also fixes mainline kernel fetch to fall back from /v${KVER}/amd64/ to
/v${KVER}/ for old kernels (≤ ~4.15) where debs aren't under the amd64
subdir, and accepts both 'linux-image-' (old) and 'linux-image-unsigned-'
(new) deb names.

Wires up 4 previously-deferred targets to expect VULNERABLE:
- sudo_chwoot: builds sudo 1.9.16p1 from upstream into /usr/local
- udisks_libblockdev: installs udisks2 + polkit rule for vagrant user
- mutagen_astronomy: pins mainline 4.14.70 (one below the .71 fix)
- sudo_runas_neg1: adds (ALL,!root) sudoers grant

tools/verify-vm/provisioners/sudo_runas_neg1.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# CVE-2019-14287 needs a (ALL,!root) grant for find_runas_blacklist_grant()
+# to fire. Ubuntu 18.04 ships sudo 1.8.21p2 (in the vulnerable range) but
+# Vagrant's default sudoers doesn't include the grant. Add it.
+set -e
+
+cat >/etc/sudoers.d/99-skk-runas-neg1 <<'EOF'
+vagrant ALL=(ALL,!root) NOPASSWD: /bin/vi
+EOF
+chmod 0440 /etc/sudoers.d/99-skk-runas-neg1
+
+echo "[+] sudoers grant installed:"
+grep . /etc/sudoers.d/99-skk-runas-neg1
+echo
+echo "[+] sudo -ln -U vagrant tail:"
+sudo -ln -U vagrant 2>&1 | tail -10 || true