core: parse '@default' seccomp group permissively
authorLennart Poettering <lennart@poettering.net>
Thu, 28 Mar 2019 11:00:56 +0000 (12:00 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 28 Mar 2019 11:09:38 +0000 (12:09 +0100)
We are about to add system calls (rseq()) not available on old
libseccomp/old kernels, and hence we need to be permissive when parsing
our definitions.

src/core/load-fragment.c

index 2f62c7acb538081f4d0edfd00bb41cba957a3dac..58833dfc7c979d4a0e99f7eca99c8081fbeba41f 100644 (file)
@@ -2695,7 +2695,9 @@ int config_parse_syscall_filter(
                         c->syscall_whitelist = true;
 
                         /* Accept default syscalls if we are on a whitelist */
-                        r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST);
+                        r = seccomp_parse_syscall_filter(
+                                        "@default", -1, c->syscall_filter,
+                                        SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST);
                         if (r < 0)
                                 return r;
                 }
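Review bot: The comment above the rewritten call still reads only "Accept default syscalls if we are on a whitelist" and does not say why `SECCOMP_PARSE_PERMISSIVE` is acceptable at this point in a security-relevant filter. In whitelist mode an entry of `@default` that the local libseccomp or kernel does not recognise is presumably just skipped, which narrows the allowed set rather than widening it, and that reasoning belongs next to the flag: `/* Accept default syscalls if we are on a whitelist. Parsed permissively: @default may name syscalls unknown to this libseccomp/kernel, and skipping them only makes the whitelist stricter. */`. Since no logging flag is passed in this call, any skipped entry appears to be dropped silently, so it is worth confirming that the permissive flag tolerates only unknown syscall names and that every other failure still reaches the `if (r < 0) return r;` check. The enclosing `config_parse_syscall_filter()` starts and ends outside this hunk, so how the later user-supplied entries are parsed is not visible here.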