seccomp: only abort on syscall name resolution failures (#3701)

seccomp_syscall_resolve_name() can return a mix of positive and negative
(pseudo-) syscall numbers, while errors are signaled via __NR_SCMP_ERROR.
This commit lets the syscall filter parser only abort on real parsing
failures, letting libseccomp handle pseudo-syscall number on its own
and allowing proper multiplexed syscalls filtering.

diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 61b333b..782e420 100644 (file)
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2429,7 +2429,7 @@ static int syscall_filter_parse_one(
                 int id;
 
                 id = seccomp_syscall_resolve_name(t);
-                if (id < 0)  {
+                if (id == __NR_SCMP_ERROR)  {
                         if (warn)
                                 log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse system call, ignoring: %s", t);
                         return 0;