For ptrace intercept mode, do not do a policy check for the initial command.

We can skip the policy check for the execve(2) of the initial command
since it has already been check.  Otherwise, we would log the command
twice.  When using fexecve(2) due to a digest check, there should
be no need to skip the initial command since it will be executed
via execveat(2) not execve(2).  However, on older kernels without
execveat(2), glibc will emulate fexecve(2) using /proc which will
result in the extra log entry.

src/exec_intercept.c

@@ -72,8 +72,19 @@ intercept_setup(int fd, struct sudo_event_base *evbase,
     closure->listen_sock = -1;
 
     if (ISSET(details->flags, CD_USE_PTRACE)) {
-	/* We can perform a policy check immediately using ptrace(2).  */
+	/*
+	 * We can perform a policy check immediately using ptrace(2)
+	 * but should ignore the execve(2) of the initial command
+	 * (and sesh for SELinux RBAC).
+	 *
+	 * If using fexecve(2) and the system doesn't support execveat(2),
+	 * we may end up checking the initial command anyway.
+	 */
 	closure->state = RECV_POLICY_CHECK;
+	if (!ISSET(details->flags, CD_FEXECVE))
+	    closure->initial_command++;
+	if (ISSET(details->flags, CD_RBAC_ENABLED))
+	    closure->initial_command++;
     } else {
 	/*
 	 * Not using ptrace(2), use LD_PRELOAD (or its equivalent).  If