core: do not filter out write() if required in the very late stage

Before 12001b1bf067339db089d52e08fd0b4c6a9945df, write() is required for
if Type=exec. However, with the previous commit, now write() is also used
for sending handoff timestamp. Let's allow write() if necessary.

Fixes a regression caused by 12001b1bf067339db089d52e08fd0b4c6a9945df.
Fixes #33299.

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 78a05f873e2126584170ca1af2aecf287844eebc..3f713e731fd1343f34d737343aef542ff7b87516 100644 (file)
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -1439,6 +1439,13 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p, b
                         return r;
         }
 
+        /* Sending over exec_fd or handoff_timestamp_fd requires write() syscall. */
+        if (p->exec_fd >= 0 || p->handoff_timestamp_fd >= 0) {
+                r = seccomp_filter_set_add_by_name(c->syscall_filter, c->syscall_allow_list, "write");
+                if (r < 0)
+                        return r;
+        }
+
         return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
 }