detection rules: complete sigma/yara/falco coverage across the corpus

Three parallel research agents drafted 49 detection rules grounded in
each module's source + existing .opsec_notes string + existing .detect_auditd
counterpart. A one-shot tools/inject_rules.py wrote them into the
right files and replaced the .detect_<format> = NULL placeholders.

Coverage matrix (modules with each format / 31 total):
                  before        after
  auditd          30 / 31       30 / 31   (entrybleed skipped by design)
  sigma           19 / 31       31 / 31   (+12 added)
  yara            11 / 31       28 / 31   (+17 added; 3 documented skips)
  falco           11 / 31       30 / 31   (+19 added; entrybleed skipped)

Documented skips (kept as .detect_<format> = NULL with comment):
  - entrybleed: yara + falco + auditd. Pure timing side-channel via
    rdtsc + prefetchnta; no syscalls, no file artifacts, no in-memory
    tags. The source comment already noted this; sigma got a 'unusual
    prefetchnta loop time' rule via perf-counter logic.
  - ptrace_traceme: yara. Pure in-memory race; no on-disk artifacts
    or persistent strings to match. Falco + sigma + auditd cover the
    PTRACE_TRACEME + setuid execve syscall sequence.
  - sudo_samedit: yara. Transient heap race during sudoedit invocation;
    no persistent file artifact. Falco + sigma + auditd cover the
    'sudoedit -s + trailing-backslash argv' pattern.

Rule discipline (post-agent QA):
  - All rules ground claims in actual exploit code paths (the agents
    were instructed to read source + opsec_notes; no fabricated syscalls
    or strings).
  - Two falco rules were narrowed by the agent to fire only when
    proc.pname is skeletonkey itself; rewrote both to fire on any
    non-root caller (otherwise we'd detect only our own binary, not
    real attackers).
  - Sigma rule fields use canonical {type: 'SYSCALL', syscall: 'X'}
    detection blocks consistent with existing rules (nf_tables,
    dirty_pipe, sudo_samedit).
  - YARA rules prefer rare/unique tags (SKELETONKEYU, SKELETONKEY_FWD,
    SKVMWGFX, /tmp/skeletonkey-*.log) over common bytes — minimizes
    false positives.
  - Every rule tagged with attack.privilege_escalation + cve.YYYY.NNNN;
    cgroup_release_agent additionally tagged T1611 (container escape).

skeletonkey.c: --module-info text view now dumps yara + falco rule
bodies too (was auditd + sigma only). All 4 formats visible per module.

Verification:
  - macOS local: clean build, 33 kernel_range tests pass.
  - Linux (docker gcc:latest): 33 + 54 = 87 passes, 0 fails.
  - --module-info nf_tables / af_unix_gc / etc.: 'detect rules:'
    summary correctly shows all 4 formats and the bodies print.

modules/vmwgfx_cve_2023_2008/skeletonkey_modules.c

@@ -703,6 +703,55 @@ static const char vmwgfx_auditd[] =
     "-a always,exit -F arch=b64 -S ioctl  -F a1=0x4004644b       -k skeletonkey-vmwgfx-unref\n"
     "-a always,exit -F arch=b64 -S msgsnd                         -k skeletonkey-vmwgfx-spray\n";
 
+static const char vmwgfx_sigma[] =
+    "title: Possible CVE-2023-2008 vmwgfx DRM bo size OOB\n"
+    "id: 4d35f6db-skeletonkey-vmwgfx\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects openat(/dev/dri/card*) + DRM_IOCTL_VMW_CREATE_DMABUF\n"
+    "  (0xc010644a) + UNREF (0x4004644b) + msg_msg groom sequence\n"
+    "  characteristic of the vmwgfx kmalloc-512 OOB. Only reachable\n"
+    "  on VMware guests with the vmwgfx driver loaded.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  drm:    {type: 'SYSCALL', syscall: 'openat'}\n"
+    "  ioctl:  {type: 'SYSCALL', syscall: 'ioctl'}\n"
+    "  groom:  {type: 'SYSCALL', syscall: 'msgsnd'}\n"
+    "  condition: drm and ioctl and groom\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2023.2008]\n";
+
+static const char vmwgfx_yara[] =
+    "rule vmwgfx_cve_2023_2008 : cve_2023_2008 kernel_oob_write\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2023-2008\"\n"
+    "        description = \"vmwgfx DRM kmalloc-512 spray tag (SKVMWGFX) and log breadcrumb\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "    strings:\n"
+    "        $tag = \"SKVMWGFX\" ascii\n"
+    "        $log = \"/tmp/skeletonkey-vmwgfx.log\" ascii\n"
+    "    condition:\n"
+    "        any of them\n"
+    "}\n";
+
+static const char vmwgfx_falco[] =
+    "- rule: vmwgfx DRM CREATE_DMABUF + UNREF ioctl by non-root\n"
+    "  desc: |\n"
+    "    Non-root process opens /dev/dri/card* and invokes\n"
+    "    DRM_IOCTL_VMW_CREATE_DMABUF (0xc010644a) + UNREF\n"
+    "    (0x4004644b). Only reachable on VMware guests; the size\n"
+    "    validation gap drives a kmalloc-512 OOB during ttm_bo_kmap.\n"
+    "    CVE-2023-2008.\n"
+    "  condition: >\n"
+    "    evt.type = ioctl and fd.name startswith /dev/dri/card and\n"
+    "    not user.uid = 0\n"
+    "  output: >\n"
+    "    vmwgfx DRM ioctl by non-root\n"
+    "    (user=%user.name pid=%proc.pid dev=%fd.name)\n"
+    "  priority: HIGH\n"
+    "  tags: [device, mitre_privilege_escalation, T1068, cve.2023.2008]\n";
+
 const struct skeletonkey_module vmwgfx_module = {
     .name           = "vmwgfx",
     .cve            = "CVE-2023-2008",
@@ -718,9 +767,9 @@ const struct skeletonkey_module vmwgfx_module = {
     .mitigate       = NULL,    /* mitigation: rmmod vmwgfx (loses graphics) */
     .cleanup        = vmwgfx_cleanup,
     .detect_auditd  = vmwgfx_auditd,
-    .detect_sigma   = NULL,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_sigma   = vmwgfx_sigma,
+    .detect_yara    = vmwgfx_yara,
+    .detect_falco   = vmwgfx_falco,
     .opsec_notes    = "Opens /dev/dri/card* (vmwgfx DRM - only reachable on VMware guests); DRM_IOCTL_VMW_CREATE_DMABUF with size=4096+16 lands in the kmalloc-512 page-count bucket but the byte-length overruns during kunmap_atomic copy in ttm_bo_kmap; mmap + write recognizable pattern across page boundary; UNREF commits the OOB into adjacent kmalloc-512. msg_msg spray tagged 'SKVMWGFX'. Writes /tmp/skeletonkey-vmwgfx.log (slab counts pre/post, trigger success). Audit-visible via openat(/dev/dri/card*), ioctl(0xc010644a CREATE / 0x4004644b UNREF), msgsnd spray. No network. Cleanup callback unlinks /tmp log; --full-chain re-seeds spray with kaddr-tagged payloads and the modprobe_path finisher arbitrates via 3s sentinel.",
 };