verify-vm: per-module provisioner hook + old-mainline URL fallback

Adds tools/verify-vm/provisioners/<module>.sh hook so per-module setup
(build vulnerable sudo from source, drop polkit allow rule, add sudoers
grant) lives in checked-in scripts rather than manual VM steps. Vagrantfile
runs the script as root before build-and-verify if it exists.

Also fixes mainline kernel fetch to fall back from /v${KVER}/amd64/ to
/v${KVER}/ for old kernels (≤ ~4.15) where debs aren't under the amd64
subdir, and accepts both 'linux-image-' (old) and 'linux-image-unsigned-'
(new) deb names.

Wires up 4 previously-deferred targets to expect VULNERABLE:
- sudo_chwoot: builds sudo 1.9.16p1 from upstream into /usr/local
- udisks_libblockdev: installs udisks2 + polkit rule for vagrant user
- mutagen_astronomy: pins mainline 4.14.70 (one below the .71 fix)
- sudo_runas_neg1: adds (ALL,!root) sudoers grant

tools/verify-vm/targets.yaml

@@ -224,18 +224,18 @@ vmwgfx:
 # ── v0.8.0 additions ──────────────────────────────────────────────
 
 sudo_chwoot:
-  box: ubuntu2204             # 22.04 ships sudo 1.9.9 (pre-feature) — need a 1.9.14+ install
+  box: ubuntu2204             # 22.04 ships sudo 1.9.9 — provisioner builds 1.9.16p1 over it
   kernel_pkg: ""              # this bug is sudo-version-gated, not kernel
   kernel_version: "5.15.0"
-  expect_detect: OK
-  notes: "CVE-2025-32463; sudo --chroot NSS shim. Vulnerable range is sudo [1.9.14, 1.9.17p0]. Ubuntu 22.04 ships sudo 1.9.9 which PREDATES the vulnerable --chroot code path — so detect correctly returns OK. To validate VULNERABLE empirically, provision a vulnerable sudo build into the VM (e.g. apt install -t backports sudo=1.9.16-1 or build from source). Deferred."
+  expect_detect: VULNERABLE
+  notes: "CVE-2025-32463; sudo --chroot NSS shim. Vulnerable range is sudo [1.9.14, 1.9.17p0]. provisioners/sudo_chwoot.sh builds sudo 1.9.16p1 from upstream sources into /usr/local/bin (which precedes /usr/bin in PATH so plain `sudo` resolves to the vulnerable binary)."
 
 udisks_libblockdev:
   box: debian12               # 12 ships udisks2 2.10.x + libblockdev 3.0.x — vulnerable
   kernel_pkg: ""
   kernel_version: "6.1.0"
-  expect_detect: PRECOND_FAIL
-  notes: "CVE-2025-6019; udisks/libblockdev SUID-on-mount. Debian 12's cloud image is server-oriented — udisksd is NOT installed by default. detect correctly returns PRECOND_FAIL ('udisksd not installed; bug unreachable here'). To validate VULNERABLE empirically, install udisks2 + log in as an active-session user (Vagrant SSH session is NOT active per polkit — needs a real console session). Both gates are real and the detect honestly surfaces them; deferred."
+  expect_detect: VULNERABLE
+  notes: "CVE-2025-6019; udisks/libblockdev SUID-on-mount. provisioners/udisks_libblockdev.sh installs udisks2 + libblockdev-utils3 and drops a polkit rule allowing the vagrant user to invoke loop-setup/filesystem-mount — simulating the trust polkit would give a logged-in workstation user (the real-world bug-path). Without that rule, the SSH session is not 'active' per polkit and the D-Bus call short-circuits."
 
 pintheft:
   box: ""                     # RDS is blacklisted on every common Vagrant box's stock kernel
@@ -248,18 +248,19 @@ pintheft:
 # ── v0.9.0 additions (gap fillers 2018 / 2019 / 2020 / 2024) ──────
 
 mutagen_astronomy:
-  box: ubuntu1804             # 4.15.0-213 stock — already > 4.14.71 backport → OK
+  box: ubuntu1804             # stock 4.15.0-213 is post-fix; mainline 4.14.70 is one below the .71 fix
   kernel_pkg: ""
-  kernel_version: "4.15.0"
-  expect_detect: OK
-  notes: "CVE-2018-14634; Qualys Mutagen Astronomy. Ubuntu 18.04 ships 4.15.0-213 which is post-fix. detect correctly returns OK. Verifying the VULNERABLE path empirically needs a 2.6.x / 3.10.x EOL kernel (e.g. RHEL 6 / CentOS 6 / Debian 7); deferred to a custom-box workflow."
+  mainline_version: "4.14.70"
+  kernel_version: "4.14.70"
+  expect_detect: VULNERABLE
+  notes: "CVE-2018-14634; Qualys Mutagen Astronomy. Mainline 4.14.70 sits one stable below the 4.14.71 backport. Old mainline kernels live at /v${KVER}/ directly (no /amd64/ subdir); Vagrantfile's pin-mainline provisioner falls back to the bare path."
 
 sudo_runas_neg1:
   box: ubuntu1804             # ships sudo 1.8.21p2 (vulnerable; pre-1.8.28 fix)
   kernel_pkg: ""
   kernel_version: "4.15.0"
-  expect_detect: PRECOND_FAIL
-  notes: "CVE-2019-14287; sudo Runas -u#-1. Ubuntu 18.04 ships sudo 1.8.21p2 which IS in the vulnerable range — but the default vagrant user has no (ALL,!root) sudoers grant for find_runas_blacklist_grant() to abuse, so detect correctly returns PRECOND_FAIL. To validate VULNERABLE empirically, provision a sudoers entry of the form 'vagrant ALL=(ALL,!root) /bin/vi' before verifying."
+  expect_detect: VULNERABLE
+  notes: "CVE-2019-14287; sudo Runas -u#-1. Ubuntu 18.04 ships sudo 1.8.21p2 (vulnerable). provisioners/sudo_runas_neg1.sh adds 'vagrant ALL=(ALL,!root) NOPASSWD: /bin/vi' to /etc/sudoers.d/ so find_runas_blacklist_grant() has a grant to abuse."
 
 tioscpgrp:
   box: ubuntu2004             # 5.4 stock kernels (5.4.0-26) are below the 5.4.85 backport