Added handling for calls to open and openat wth write access when rea…

…d-only mode is enforced
sio2project · Feb 11, 2024 · 427fb64 · 427fb64
1 parent 3dbded8
commit 427fb64
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
@@ -188,6 +188,14 @@ void DefaultPolicy::addFileSystemAccessRules(bool readOnly) {
                 "openat",
                 action::ActionAllow(),
                 (filter::SyscallArg(2) & (O_RDWR | O_WRONLY)) == 0));
+        rules_.emplace_back(SeccompRule(
+                "open",
+                action::ActionErrno(EROFS),
+                (filter::SyscallArg(1) & (O_RDONLY | O_PATH)) == 0));
+        rules_.emplace_back(SeccompRule(
+                "openat",
+                action::ActionErrno(EROFS),
+                (filter::SyscallArg(2) & (O_RDONLY | O_PATH)) == 0));
 
         for (const auto& syscall: {
                      "unlink",