The capability isn't really good to check, binfmt_misc isn't part of the usual caps that you'd get e.g. with getpcaps.
One would think that checking for the MP might be better:
root@Keschdeichel:~# mount | grep binfmt_misc
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=26,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=16329)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
Or the service /lib/systemd/system/binfmt-support.service which e.g. in an LXD container will not run.
● binfmt-support.service - Enable support for additional executable binary formats
Loaded: loaded (/lib/systemd/system/binfmt-support.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2019-09-09 08:37:20 UTC; 9ms ago
Docs: man:update-binfmts(8)
Process: 551 ExecStart=/usr/sbin/update-binfmts --enable (code=exited, status=2)
Main PID: 551 (code=exited, status=2)
Sep 09 08:37:20 e systemd[1]: Starting Enable support for additional executable binary formats...
Sep 09 08:37:20 e update-binfmts[551]: update-binfmts: warning: unable to open /proc/sys/fs/binfmt_misc/status for writing: Permission denied
Sep 09 08:37:20 e update-binfmts[551]: update-binfmts: warning: unable to open /proc/sys/fs/binfmt_misc/status for writing: Permission denied
Sep 09 08:37:20 e update-binfmts[551]: update-binfmts: warning: unable to open /proc/sys/fs/binfmt_misc/register for writing: Permission denied
And that is the same for the registering of the formats.
This is only mapped into the container and non-writable (usually).
If I remove the container safety exit I get the same:
$ sudo -E /var/lib/dpkg/info/qemu-user-static.postinst configure
...
update-binfmts: warning: unable to open /proc/sys/fs/binfmt_misc/status for writing: Permission denied
update-binfmts: warning: unable to open /proc/sys/fs/binfmt_misc/register for writing: Permission denied
update-binfmts: warning: unable to enable binary format qemu-hppa
update-binfmts: exiting due to previous errors
But unfortunately qemu-user-static only recommends binfmt-support (as strictly you can use qemu-user-static without binfmt). But to register anything this would need to be available.
The script already has a check whether the binary `update-binfmts` exists (as it is only a recommends).
I'm beginning to lean towards `systemctl is-active binfmt-support.service` being the best check.
If it is installed and failed, then the following registrations will fail as well and should not be tried.
While at the same time a container MIGHT be set up with plenty of permissions (privileged, special mapping of the host binfmt as writable). That isn't recommended but could be done.
The check to the active service would catch all of those - fix the bug in WSL (and probably other container formats), while at the same time enable the feature for those who set up privileged containers just for that.
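As an added illustration (not code from the bug report or from the qemu-user-static package), a decision helper of the kind the comment proposes: it checks for `update-binfmts`, then `systemctl is-active binfmt-support.service`, and falls back to the writability of the binfmt_misc register file when the unit state is inconclusive. The overridable environment variables are an assumption so the logic can be exercised against fake commands and a fake mount directory.

```shell
#!/bin/sh
# Added example, not from the bug report or the package's postinst: a helper
# a maintainer script could call before trying update-binfmts registrations.
# The environment variables are an assumption (they default to the real
# locations) so the logic can be tested against fake commands and paths.
BINFMT_DIR="${BINFMT_DIR:-/proc/sys/fs/binfmt_misc}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
UPDATE_BINFMTS="${UPDATE_BINFMTS:-update-binfmts}"

# Returns 0 when registrations are worth attempting, 1 when they would only
# produce the "Permission denied" warnings seen in the report; the reason is
# printed on stdout.
binfmt_registration_possible() {
    # binfmt-support is only a Recommends: no update-binfmts, nothing to do.
    if ! command -v "$UPDATE_BINFMTS" >/dev/null 2>&1; then
        echo "skip: update-binfmts not installed"
        return 1
    fi
    # systemd already tried to write the same /proc files when it started
    # binfmt-support.service, so its state predicts our outcome.
    if command -v "$SYSTEMCTL" >/dev/null 2>&1; then
        state=$("$SYSTEMCTL" is-active binfmt-support.service 2>/dev/null || true)
        case "$state" in
            active) echo "ok: binfmt-support.service is active"; return 0 ;;
            failed) echo "skip: binfmt-support.service failed"; return 1 ;;
        esac
    fi
    # No systemd, or an inconclusive unit state (inactive/unknown): fall back
    # to the actual condition, a writable register file in binfmt_misc.
    if [ -w "$BINFMT_DIR/register" ]; then
        echo "ok: $BINFMT_DIR/register is writable"
        return 0
    fi
    echo "skip: $BINFMT_DIR/register is not writable"
    return 1
}
```

In an unprivileged LXD or WSL container the second branch returns "skip" exactly where the report's update-binfmts run emitted its warnings, while a privileged container with a writable binfmt_misc mapping passes either the service check or the fallback.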