From 391b81cd03f0829e8a5c45b0eaefad4ef41f1285 Mon Sep 17 00:00:00 2001
From: Luca Bruno
Date: Tue, 12 Jul 2016 11:55:26 +0200
Subject: seccomp: only abort on syscall name resolution failures (#3701)

seccomp_syscall_resolve_name() can return a mix of positive and negative (pseudo-) syscall numbers, while errors are signaled via __NR_SCMP_ERROR. This commit lets the syscall filter parser only abort on real parsing failures, letting libseccomp handle pseudo-syscall number on its own and allowing proper multiplexed syscalls filtering.
---
 src/core/load-fragment.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 61b333b506..782e420e4c 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2429,7 +2429,7 @@ static int syscall_filter_parse_one(
 int id;
 id = seccomp_syscall_resolve_name(t);
- if (id < 0) {
+ if (id == __NR_SCMP_ERROR) {
 if (warn) log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse system call, ignoring: %s", t);
 return 0;
-- 
cgit v1.2.3-54-g00ecf
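Review bot: The new comparison `if (id == __NR_SCMP_ERROR) {` carries no comment, and `id < 0` looks like the natural error test at this spot, so a later cleanup could quietly restore it and once more drop every name that libseccomp resolves to a negative pseudo-syscall number. I would add above it `/* Negative ids are valid pseudo-syscall numbers; only __NR_SCMP_ERROR signals a resolution failure. */`. Negative ids now pass this check into the rest of syscall_filter_parse_one(), which lies outside the hunk, so whatever stores or encodes `id` there should be confirmed to accept negative values. The failure branch still logs and returns 0, which predates this change; if this parser also feeds deny-style filters, a misspelled name is then left unfiltered, and that is worth stating in the same comment.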