AddRule: fix to handle EACCES

In case a rule with the action that equals to the default one was added,
libseccomp used to return EPERM, and libseccomp-golang converted it into
a more user-friendly "requested action matches default action of
filter" error.

From various bug reports I have noticed this is no longer a case.

The cause is libseccomp commit 83989be02 (appeared in v2.5.0), which
changes EPERM to EACCES.

Since we still support libseccomp < 2.5.0, check for either EPERM or
EACCES. Add a TODO item to remove the former.

Add a test case, which fails like this before the fix:

> seccomp_test.go:580: expected error to contain "matches default action", got "permission denied"

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

seccomp_internal.go

@@ -416,7 +416,9 @@ func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact b
 		switch e := errRc(retCode); e {
 		case syscall.EFAULT:
 			return fmt.Errorf("unrecognized syscall %#x", int32(call))
-		case syscall.EPERM:
+		// libseccomp >= v2.5.0 returns EACCES, older versions return EPERM.
+		// TODO: remove EPERM once libseccomp < v2.5.0 is not supported.
+		case syscall.EPERM, syscall.EACCES:
 			return errDefAction
 		case syscall.EINVAL:
 			return fmt.Errorf("two checks on same syscall argument")

seccomp_test.go

@@ -559,6 +559,25 @@ func TestMergeFilters(t *testing.T) {
 	}
 }
 
+func TestAddRuleErrors(t *testing.T) {
+	execInSubprocess(t, subprocessAddRuleErrors)
+}
+
+func subprocessAddRuleErrors(t *testing.T) {
+	filter, err := NewFilter(ActAllow)
+	if err != nil {
+		t.Errorf("Error creating filter: %s", err)
+	}
+	defer filter.Release()
+
+	err = filter.AddRule(ScmpSyscall(0x1), ActAllow)
+	if err == nil {
+		t.Error("expected error, got nil")
+	} else if err != errDefAction {
+		t.Errorf("expected error %v, got %v", errDefAction, err)
+	}
+}
+
 func TestRuleAddAndLoad(t *testing.T) {
 	execInSubprocess(t, subprocessRuleAddAndLoad)
 }