Added handling for calls to open and openat with write access when read-only mode is enforced

Author: mikimasn

Diff for: src/seccomp/policy/DefaultPolicy.cc

@@ -188,6 +188,16 @@ void DefaultPolicy::addFileSystemAccessRules(bool readOnly) {
                 "openat",
                 action::ActionAllow(),
                 (filter::SyscallArg(2) & (O_RDWR | O_WRONLY)) == 0));
+        for (const auto& mode: {O_RDWR, O_WRONLY}) {
+            rules_.emplace_back(SeccompRule(
+                    "open",
+                    action::ActionErrno(EROFS),
+                    (filter::SyscallArg(1) & mode) == mode));
+            rules_.emplace_back(SeccompRule(
+                    "openat",
+                    action::ActionErrno(EROFS),
+                    (filter::SyscallArg(2) & mode) == mode));
+        }
 
         for (const auto& syscall: {
                      "unlink",