core/host: shared host fingerprint refactor

Adds core/host.{h,c} — a single struct skeletonkey_host populated once
at startup and handed to every module callback via ctx->host. Replaces
the per-detect uname / /etc/os-release / sysctl / userns-fork-probe
calls scattered across the corpus with O(1) cached lookups, and gives
the dispatcher one consistent view of the host.

What's in the fingerprint:

- Identity: kernel_version (parsed from uname.release), arch (machine),
  nodename, distro_id / distro_version_id / distro_pretty (parsed once
  from /etc/os-release).
- Process state: euid, real_uid (defeats userns illusion via
  /proc/self/uid_map), egid, username, is_root, is_ssh_session.
- Platform family: is_linux, is_debian_family, is_rpm_family,
  is_arch_family, is_suse_family (file-existence checks once).
- Capability gates (Linux): unprivileged_userns_allowed (live
  fork+unshare probe), apparmor_restrict_userns,
  unprivileged_bpf_disabled, kpti_enabled, kernel_lockdown_active,
  selinux_enforcing, yama_ptrace_restricted.
- System services: has_systemd, has_dbus_system.

Wiring:

- core/module.h forward-declares struct skeletonkey_host and adds the
  pointer to skeletonkey_ctx. Modules opt-in by including
  ../../core/host.h.
- core/host.c is fully POD (no heap pointers) — uses a single file-
  static instance, returns a stable pointer on every call. Lazily
  populated on first skeletonkey_host_get().
- skeletonkey.c calls skeletonkey_host_get() at main() entry, stores
  in ctx.host before any register_*() runs.
- cmd_auto's bespoke distro-fingerprint code (was an inline
  read_os_release helper) is replaced with skeletonkey_host_print_banner(),
  which emits a two-line banner of identity + capability gates.

Migrations:

- dirtydecrypt: kernel_version_current() -> ctx->host->kernel.
- fragnesia: removed local fg_userns_allowed() fork-probe in favour of
  ctx->host->unprivileged_userns_allowed (no per-scan fork). Also
  pulls kernel from ctx->host. The PRECOND_FAIL message now notes
  whether AppArmor restriction is on.
- pack2theroot: access('/etc/debian_version') -> ctx->host->is_debian_family;
  also short-circuits when ctx->host->has_dbus_system is false (saves
  the GLib g_bus_get_sync attempt on systems without system D-Bus).
- overlayfs: replaced the inline is_ubuntu() /etc/os-release parser
  with ctx->host->distro_id comparison. Local helper preserved for
  symmetry / standalone builds.

Documentation: docs/ARCHITECTURE.md gains a 'Host fingerprint'
section describing the struct, the opt-in include pattern, and
example detect() usage. ROADMAP --auto accuracy log notes the
landing and flags remaining modules as an incremental follow-up.

Build verification:

- macOS (local): make clean && make -> Mach-O x86_64, 31 modules,
  banner prints with distro=?/? (no /etc/os-release).
- Linux (docker gcc:latest + libglib2.0-dev): make clean && make ->
  ELF 64-bit, 31 modules. Banner prints with kernel + distro=debian/13
  + 7 capability gates. dirtydecrypt correctly says 'predates the
  rxgk code added in 7.0'; fragnesia PRECOND_FAILs with
  '(host fingerprint)' annotation; pack2theroot PRECOND_FAILs on
  no-DBus; overlayfs reports 'not Ubuntu (distro=debian)'.

modules/fragnesia_cve_2026_46300/skeletonkey_modules.c

@@ -53,6 +53,7 @@
 /* _GNU_SOURCE / _FILE_OFFSET_BITS are passed via -D in the top-level
  * Makefile; do not redefine here (warning: redefined). */
 #include "../../core/kernel_range.h"
+#include "../../core/host.h"
 #include <arpa/inet.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -837,19 +838,10 @@ static void fg_evict(const char *path)
 	if (dc >= 0) { if (write(dc, "3\n", 2) < 0) {} close(dc); }
 }
 
-/* --- precondition check: unprivileged user namespaces --- */
-
-static bool fg_userns_allowed(void)
-{
-	pid_t pid = fork();
-	if (pid < 0)
-		return false;
-	if (pid == 0)
-		_exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
-	int st;
-	waitpid(pid, &st, 0);
-	return WIFEXITED(st) && WEXITSTATUS(st) == 0;
-}
+/* The unprivileged-userns precondition is now read from the shared
+ * host fingerprint (ctx->host->unprivileged_userns_allowed), which
+ * probes once at startup via core/host.c. The previous per-detect
+ * fork-probe helper was removed. */
 
 /* ---- detect ------------------------------------------------------- */
 
@@ -927,18 +919,24 @@ static skeletonkey_result_t fg_detect(const struct skeletonkey_ctx *ctx)
 {
 	fg_verbose = !ctx->json;
 
-	struct kernel_version v;
-	if (!kernel_version_current(&v)) {
+	/* Pull kernel version and userns availability from the shared
+	 * host fingerprint — populated once at startup, no per-detect
+	 * fork or re-parse. */
+	const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
+	if (!v || v->major == 0) {
 		if (!ctx->json)
-			fprintf(stderr, "[!] fragnesia: could not parse kernel version\n");
+			fprintf(stderr, "[!] fragnesia: host fingerprint missing kernel "
+				"version — bailing\n");
 		return SKELETONKEY_TEST_ERROR;
 	}
 
-	if (!fg_userns_allowed()) {
+	if (!ctx->host->unprivileged_userns_allowed) {
 		if (!ctx->json)
 			fprintf(stderr, "[i] fragnesia: unprivileged user "
-				"namespaces are disabled — XFRM gate closed "
-				"here (CAP_NET_ADMIN unreachable)\n");
+				"namespaces are disabled (host fingerprint) — "
+				"XFRM gate closed here (CAP_NET_ADMIN unreachable)%s\n",
+				ctx->host->apparmor_restrict_userns ?
+					"; AppArmor restriction is on" : "");
 		return SKELETONKEY_PRECOND_FAIL;
 	}
 
@@ -950,7 +948,7 @@ static skeletonkey_result_t fg_detect(const struct skeletonkey_ctx *ctx)
 		return SKELETONKEY_PRECOND_FAIL;
 	}
 
-	bool patched_by_version = kernel_range_is_patched(&fragnesia_range, &v);
+	bool patched_by_version = kernel_range_is_patched(&fragnesia_range, v);
 
 	if (ctx->active_probe) {
 		if (!ctx->json)
@@ -961,7 +959,7 @@ static skeletonkey_result_t fg_detect(const struct skeletonkey_ctx *ctx)
 			if (!ctx->json)
 				fprintf(stderr, "[!] fragnesia: ACTIVE PROBE "
 					"CONFIRMED — ESP-in-TCP coalesce corrupts "
-					"the page cache (kernel %s)\n", v.release);
+					"the page cache (kernel %s)\n", v->release);
 			return SKELETONKEY_VULNERABLE;
 		}
 		if (p == 0) {
@@ -982,14 +980,14 @@ static skeletonkey_result_t fg_detect(const struct skeletonkey_ctx *ctx)
 		if (!ctx->json)
 			fprintf(stderr, "[+] fragnesia: kernel %s is patched "
 				"(7.0.9+; version-only check — use --active to "
-				"confirm)\n", v.release);
+				"confirm)\n", v->release);
 		return SKELETONKEY_OK;
 	}
 	if (!ctx->json)
 		fprintf(stderr, "[!] fragnesia: kernel %s appears VULNERABLE "
 			"(no backport entry for this branch; version-only)\n"
 			"    Confirm empirically: skeletonkey --scan --active\n",
-			v.release);
+			v->release);
 	return SKELETONKEY_VULNERABLE;
 }