Use unix_mode crate to check file modes in binfmt registration

Cargo.lock

@@ -2545,6 +2545,12 @@ dependencies = [
  "regex",
 ]
 
+[[package]]
+name = "unix_mode"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "35abed4630bb800f02451a7428205d1f37b8e125001471bfab259beee6a587ed"
+
 [[package]]
 name = "vec_map"
 version = "0.8.2"
@@ -2819,6 +2825,7 @@ dependencies = [
  "log",
  "structopt",
  "tempfile",
+ "unix_mode",
  "wasmer",
  "wasmer-cache",
  "wasmer-compiler",

lib/cli/Cargo.toml

@@ -55,6 +55,9 @@ fern = { version = "0.6", features = ["colored"], optional = true }
 log = { version = "0.4", optional = true }
 tempfile = "3"
 
+[target.'cfg(target_os = "linux")'.dependencies]
+unix_mode = "0.1.3"
+
 [features]
 # Don't add the compiler features in default, please add them on the Makefile
 # since we might want to autoconfigure them depending on the availability on the host.

lib/cli/src/commands/binfmt.rs

@@ -43,8 +43,9 @@ fn seccheck(path: &Path) -> Result<()> {
     }
     let m = std::fs::metadata(path)
         .with_context(|| format!("Can't check permissions of {}", path.to_string_lossy()))?;
+    use unix_mode::*;
     anyhow::ensure!(
-        m.mode() & 0o2 == 0 || m.mode() & 0o1000 != 0,
+        !is_allowed(Accessor::Other, Access::Write, m.mode()) || is_sticky(m.mode()),
         "{} is world writeable and not sticky",
         path.to_string_lossy()
     );