core: do not filter out write() if required in the very late stage
authorYu Watanabe <watanabe.yu+github@gmail.com>
Mon, 24 Jun 2024 20:10:04 +0000 (05:10 +0900)
committerLuca Boccassi <luca.boccassi@gmail.com>
Fri, 5 Jul 2024 18:00:04 +0000 (20:00 +0200)
Before 12001b1bf067339db089d52e08fd0b4c6a9945df, write() was required only
if Type=exec. However, with the previous commit, write() is now also used
for sending the handoff timestamp. Let's allow write() whenever it is necessary.

Fixes a regression caused by 12001b1bf067339db089d52e08fd0b4c6a9945df.
Fixes #33299.

(cherry picked from commit 84b79215ccc5abd6ee50ffd9df34dbbe2d29d625)

src/core/exec-invoke.c

index 8b4a1564a940a1d27a53e4d7f989adf76957a83a..53a9bb31f275e8eaf34d9e254153f1bb21df5ee1 100644 (file)
@@ -1439,6 +1439,13 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p, b
                         return r;
         }
 
+        /* Sending over exec_fd or handoff_timestamp_fd requires write() syscall. */
+        if (p->exec_fd >= 0 || p->handoff_timestamp_fd >= 0) {
+                r = seccomp_filter_set_add_by_name(c->syscall_filter, c->syscall_allow_list, "write");
+                if (r < 0)
+                        return r;
+        }
+
         return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
 }
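Review bot: The new guard at `if (p->exec_fd >= 0 || p->handoff_timestamp_fd >= 0)` widens the seccomp set beyond the Type=exec case it used to cover, and because this filter is installed in the late pre-exec stage it presumably stays in force in the executed service, so a unit whose SystemCallFilter= deliberately excluded write() now gets it permitted; the comment should state that consequence rather than only the reason. Suggest `/* Sending over exec_fd or handoff_timestamp_fd requires write(). The filter is installed before exec(), so write() stays permitted in the service even if SystemCallFilter= excluded it. */`. Whether handoff_timestamp_fd is open for every service, which would make this widening unconditional, is not visible in this hunk and should be confirmed. Note that in deny-list mode (`c->syscall_allow_list` false) the call removes "write" from the deny set, which is consistent with the existing additions above but worth a word in the comment. apply_syscall_filter begins outside the hunk.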