core: do not filter out write() if required in the very late stage

Before 12001b1bf0, write() is required for if Type=exec. However, with the previous commit, now write() is also used for sending handoff timestamp. Let's allow write() if necessary. Fixes a regression caused by 12001b1bf0. Fixes #33299.
2024-09-30 05:15:19 +00:00 · 2024-06-25 05:10:04 +09:00 · 2024-06-25 05:10:04 +09:00 · 84b79215cc
parent 5161422bb5
commit 84b79215cc
1 changed files with 7 additions and 0 deletions
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@ -1439,6 +1439,13 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p, b
                        return r;
        }

+        /* Sending over exec_fd or handoff_timestamp_fd requires write() syscall. */
+        if (p->exec_fd >= 0 || p->handoff_timestamp_fd >= 0) {
+                r = seccomp_filter_set_add_by_name(c->syscall_filter, c->syscall_allow_list, "write");
+                if (r < 0)
+                        return r;
+        }
+
        return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
 }