- core/kernel_range.{c,h}: branch-aware patched-version comparison.
Every future module needs 'is the host kernel in the affected
range?'; centralized here. Models stable-branch backports
(e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
VULNERABLE while a 5.15.50 host reports OK.
- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
- iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
parses /proc/version and compares against the four known patched
branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
hints in human-readable scan mode.
- exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
implemented' message; landing the actual exploit needs Phase 1.5
extraction of passwd/su helpers into core/.
- detect/auditd.rules: splice() syscall + passwd/shadow file watches
- detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers
- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
the copy_fail_family registration.
- Makefile gains the dirty_pipe family as a separate object set.
Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
leviathan
1552a3bfcb