Workaround libseccomp bug & fix error handling

libseccomp has a bug where -EDOM is returned when seccomp_rule_add is
called for pseudo system calls (i.e. < -99). This was triggered by
adding the send() system call on my x86_64 machine. The bug seems to
have been recently (May 7th, 2013) reported and fixed on libseccomp
upstream but it will take a while to find its way to a release and
distributions.

Additionally, there was a bug on how libseccomp calls were error
handled: libseccomp functions don't actually set errno, but set errno
values in their return value instead. This resulted in the
seccomp_rule_add call above to print "could not add send to seccomp
filter: Success".

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

src/worker-privs.c

@@ -26,7 +26,7 @@
 
 int disable_system_calls(struct worker_st *ws)
 {
-	int ret, e;
+	int ret;
 	scmp_filter_ctx ctx;
 	
 	ctx = seccomp_init(SCMP_ACT_KILL);
@@ -37,9 +37,9 @@ int disable_system_calls(struct worker_st *ws)
 
 #define ADD_SYSCALL(name) \
 	ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(name), 0); \
-	if (ret < 0) { \
-		e = errno; \
-		oclog(ws, LOG_WARNING, "could not add " #name " to seccomp filter: %s", strerror(e)); \
+	/* libseccomp returns EDOM for pseudo-syscalls due to a bug */ \
+	if (ret < 0 && ret != -EDOM) { \
+		oclog(ws, LOG_WARNING, "could not add " #name " to seccomp filter: %s", strerror(-ret)); \
 		ret = -1; \
 		goto fail; \
 	}