From: Yu Watanabe
Date: Mon, 24 Jun 2024 20:10:04 +0000 (+0900)
Subject: core: do not filter out write() if required in the very late stage
X-Git-Tag: v257-rc1~1053^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84b79215ccc5abd6ee50ffd9df34dbbe2d29d625;p=thirdparty%2Fsystemd.git

core: do not filter out write() if required in the very late stage

Before 12001b1bf067339db089d52e08fd0b4c6a9945df, write() is required for if Type=exec. However, with the previous commit, now write() is also used for sending handoff timestamp. Let's allow write() if necessary.

Fixes a regression caused by 12001b1bf067339db089d52e08fd0b4c6a9945df.

Fixes #33299.
---

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 78a05f873e2..3f713e731fd 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -1439,6 +1439,13 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p, b
 return r;
 }
 
+ /* Sending over exec_fd or handoff_timestamp_fd requires write() syscall. */
+ if (p->exec_fd >= 0 || p->handoff_timestamp_fd >= 0) {
+ r = seccomp_filter_set_add_by_name(c->syscall_filter, c->syscall_allow_list, "write");
+ if (r < 0)
+ return r;
+ }
+
 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
 }
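Review bot: The write() entry added to c->syscall_filter here stays in the loaded filter for the service's whole lifetime, because a seccomp filter installed before exec cannot be narrowed afterwards, so a unit whose SystemCallFilter= allow-list deliberately omits write gets it anyway whenever exec_fd or handoff_timestamp_fd is set; the comment should say so explicitly rather than describing it as a transient need, e.g. `/* Sending over exec_fd or handoff_timestamp_fd requires write(). Note the filter cannot be tightened after exec, so write() stays permitted for the service's lifetime, not just during the handoff. */`. Whether seccomp_filter_set_add_by_name() handles the deny-list case (c->syscall_allow_list false) by dropping write from the set, or only the allow-list case, is not visible from the hunk; if it is the latter, the new block should be guarded by c->syscall_allow_list. apply_syscall_filter() begins outside the hunk, so it is also not visible whether c->syscall_filter is guaranteed non-empty at this point.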