seccomp: permit specifying multiple errnos for a syscall

If more than one errno is specified for a syscall in SystemCallFilter=,
use the last one instead of reporting an error. This is especially
useful when used with system call sets:

    SystemCallFilter=@privileged:EPERM @reboot

This will block any system call requiring super-user capabilities with
EPERM, except for attempts to reboot the system, which will immediately
terminate the process. (@reboot is included in @privileged.)

This also effectively fixes #9939, since specifying different errnos for
“the same syscall” (same pseudo syscall number) is no longer an error.

1 files changed, 2 insertions, 4 deletions

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 5072ceb2d1..ff3537c5e9 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1061,10 +1061,8 @@ int seccomp_parse_syscall_filter_full(
                                 case -ENOMEM:
                                         return flags & SECCOMP_PARSE_LOG ? log_oom() : -ENOMEM;
                                 case -EEXIST:
-                                        if (flags & SECCOMP_PARSE_LOG)
-                                                log_warning("System call %s already blocked with different errno: %d",
-                                                            name, PTR_TO_INT(hashmap_get(filter, INT_TO_PTR(id + 1))));
-                                        return -EINVAL;
+                                        assert_se(hashmap_update(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num)) == 0);
+                                        break;
                                 default:
                                         return r;
                                 }