kas-container: add support for Ubuntu 24.04 hosts

On Ubuntu 24.04 the default apparmor profile restricts unprivileged user
namespaces. This breaks the bitbake execution, as bitbake uses this
mechanism for network and uid isolation, resulting in the following
error message:

 File "/work/isar/bitbake/bin/bitbake-worker", line 268, in child
     bb.utils.disable_network(uid, gid)
   File "/work/isar/bitbake/lib/bb/utils.py", line 1653, in disable_network
     with open("/proc/self/uid_map", "w") as f:
 PermissionError: [Errno 1] Operation not permitted

To fix this for docker, we start the container under the "rootlesskit"
profile, which allows (unprivileged) modifications of the userns
namespace. On podman, no fix is needed as podman is already executed
with a suitable profile. We detect this situation based on apparmor sysfs
entries and by that avoid a tight coupling with distro versions.

Signed-off-by: Felix Moessbauer <[email protected]>

kas-container

@@ -130,6 +130,19 @@ enable_oe_mode() {
 	fi
 }
 
+enable_unpriv_userns_docker() {
+	if [ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] &&
+	   [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = "1" ]; then
+		if [ -f /etc/apparmor.d/rootlesskit ]; then
+			trace echo 'AppArmor restricts unprivileged userns, using "rootlesskit" profile'
+			KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --security-opt apparmor=rootlesskit"
+		else
+			warning "AppArmor restricts unprivileged userns but no suitable apparmor " \
+			        "profile found. Consider setting apparmor_restrict_unprivileged_userns=0"
+		fi
+	fi
+}
+
 run_clean() {
 	if [ -n "${KAS_ISAR_ARGS}" ]; then
 		# SC2086: Double quote to prevent globbing and word splitting.
@@ -205,6 +218,7 @@ KAS_RUNTIME_ARGS="--log-driver=none --user=root"
 case "${KAS_CONTAINER_ENGINE}" in
 docker)
 	KAS_CONTAINER_COMMAND="docker"
+	enable_unpriv_userns_docker
 	;;
 podman)
 	KAS_CONTAINER_COMMAND="podman"