incusd/apparmor: Support unpriv binfmt_misc

Signed-off-by: Stéphane Graber <[email protected]>
stgraber · Feb 8, 2024 · 53393de · 53393de
1 parent 99e1f55
commit 53393de
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/internal/server/apparmor/instance.go b/internal/server/apparmor/instance.go
@@ -174,6 +174,7 @@ func instanceProfile(sysOS *sys.OS, inst instance, extraBinaries []string) (stri
 			"feature_cgroup2":  sysOS.CGInfo.Layout == cgroup.CgroupsUnified || sysOS.CGInfo.Layout == cgroup.CgroupsHybrid,
 			"feature_stacking": sysOS.AppArmorStacking && !sysOS.AppArmorStacked,
 			"feature_unix":     unixSupported,
+			"kernel_binfmt":    util.IsFalseOrEmpty(inst.ExpandedConfig()["security.privileged"]) && sysOS.UnprivBinfmt,
 			"name":             InstanceProfileName(inst),
 			"namespace":        InstanceNamespaceName(inst),
 			"nesting":          util.IsTrue(inst.ExpandedConfig()["security.nesting"]),

diff --git a/internal/server/apparmor/instance_lxc.go b/internal/server/apparmor/instance_lxc.go
@@ -33,7 +33,9 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 
   # Handle binfmt
   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+{{- if not .kernel_binfmt }}
   deny /proc/sys/fs/binfmt_misc/{,**} rwklx,
+{{- end }}
 
   # Handle cgroupfs
   mount options=(ro,nosuid,nodev,noexec,remount,strictatime) -> /sys/fs/cgroup/,