authorLucas Werkmeister <mail@lucaswerkmeister.de>2018-08-26 00:27:29 +0200
committerLucas Werkmeister <mail@lucaswerkmeister.de>2018-08-29 21:42:03 +0200
commit851ee70a3da1263a8eb9e7f230d2e18462ec2ead (patch)
treec368ebaccb21384022a5383641723f541a4a6672
parentresolve: update comment, avoid alarming wrongness (diff)
seccomp: improve error reporting
Only report OOM if that was actually the error of the operation, explicitly report the possible error that a syscall was already blocked with a different errno and translate that into a more sensible errno (EEXIST only makes sense in connection to the hashmap), and pass through all other potential errors unmodified. Part of #9939.
-rw-r--r--src/shared/seccomp-util.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index ade3c656af..5072ceb2d1 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1057,7 +1057,17 @@ int seccomp_parse_syscall_filter_full(
if (!(flags & SECCOMP_PARSE_INVERT) == !!(flags & SECCOMP_PARSE_WHITELIST)) {
r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num));
if (r < 0)
- return flags & SECCOMP_PARSE_LOG ? log_oom() : -ENOMEM;
+ switch (r) {
+ case -ENOMEM:
+ return flags & SECCOMP_PARSE_LOG ? log_oom() : -ENOMEM;
+ case -EEXIST:
+ if (flags & SECCOMP_PARSE_LOG)
+ log_warning("System call %s already blocked with different errno: %d",
+ name, PTR_TO_INT(hashmap_get(filter, INT_TO_PTR(id + 1))));
+ return -EINVAL;
+ default:
+ return r;
+ }
} else
(void) hashmap_remove(filter, INT_TO_PTR(id + 1));
}
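Review bot: In the `-EEXIST` case the warning prints only the value already stored in `filter`, not the `errno_num` that was just rejected, so the log does not show which two settings conflict for this system call; consider `log_warning("System call %s already blocked with different errno: %d (requested %d)", name, PTR_TO_INT(hashmap_get(filter, INT_TO_PTR(id + 1))), errno_num);`. The `default:` branch returns `r` with no log line even when `SECCOMP_PARSE_LOG` is set, so an unexpected hashmap error would reach the caller silently; a `log_error_errno(r, ...)` guarded by the same flag would keep a failed filter parse visible. The message wording also assumes the stored value is always a real errno, which cannot be confirmed from this hunk. `seccomp_parse_syscall_filter_full` starts and ends outside the hunk.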