Added handling for calls to open and openat wth write access when read-only mode is enforced

mikimasn · mikimasn · commit 427fb640e597 · 2024-02-11T23:26:55.000+01:00
diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
@@ -188,6 +188,14 @@ void DefaultPolicy::addFileSystemAccessRules(bool readOnly) {
                 "openat",
                 action::ActionAllow(),
                 (filter::SyscallArg(2) & (O_RDWR | O_WRONLY)) == 0));
+        rules_.emplace_back(SeccompRule(
+                "open",
+                action::ActionErrno(EROFS),
+                (filter::SyscallArg(1) & (O_RDONLY | O_PATH)) == 0));
+        rules_.emplace_back(SeccompRule(
+                "openat",
+                action::ActionErrno(EROFS),
+                (filter::SyscallArg(2) & (O_RDONLY | O_PATH)) == 0));
 
         for (const auto& syscall: {
                      "unlink",
