Adds h_kernel_5_14_userns_ok fingerprint (vulnerable kernel +
userns allowed) and uses it to assert the VULNERABLE branch is
reached on the 5 netfilter-class modules whose detect()
short-circuits there once both gates are satisfied:
- nf_tables (CVE-2024-1086) -> VULNERABLE
- cls_route4 (CVE-2022-2588) -> VULNERABLE
- nft_set_uaf (CVE-2023-32233) -> VULNERABLE
- nft_fwd_dup (CVE-2022-25636) -> VULNERABLE
- nft_payload (CVE-2023-0179) -> VULNERABLE
Combined with the earlier sudo_samedit and pwnkit
vulnerable-version tests, this gives us positive-verdict coverage
on 7 modules (was 2). The detect() logic that decides VULNERABLE
when conditions match is now exercised, not just the precondition
short-circuits.
39 -> 44 cases, all pass on Linux.
leviathan
a9c8f7d8c6