It's not going to be simple I'm afraid, at least for the original
problem! "scmp_sys_resolver close_range" will quickly test whether
current seccomp has support for close_range (prints "-1" if not
supported, "436" otherwise - at least on x86_64.) Ubuntu seccomp
maintainers have been pretty happy SRUing this sort of thing before -
it's a running problem, and the changes are trivial.

Outline of a reproducer for my original problem would be something like:

1. download and unpack
   https://partner-images.canonical.com/core/focal/current/ubuntu-focal-core-cloudimg-amd64-root.tar.gz
2. cd to the rootfs directory and start a container with "systemd-nspawn"
3. Add podman/buildah PPA:
   . /etc/os-release
   echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
   curl -L "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key" | sudo apt-key add -
   sudo apt-get update
   sudo apt-get -y upgrade
4. apt-get -y install buildah
5. create scratch container and copy in busybox
   ctr=$(buildah from scratch)
   buildah copy "$ctr" /bin/busybox
6. check EOF handling
   echo foo | buildah run "$ctr" /busybox cat

Without the patch, this should fail to return to the prompt, as the missing
syscall seems to interfere with buildah's ability to process EOF; with the
patch it should return to the prompt.
In the event of failure there should also be messages logged about
"close_range" being unsupported.

Above is untested - I'll double-check it and flesh it out when
time/health permits, but hopefully it has some utility. There are
probably simpler test cases involving docker, but that's not my area...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1944436
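A small host check that goes with the reproducer above, added here as an example and not part of the bug report: it turns the "-1 or 436" output of scmp_sys_resolver and the running kernel release into one verdict, so a failing "buildah run" can be attributed either to libseccomp's syscall table (this bug) or to a kernel that predates close_range. It assumes scmp_sys_resolver may or may not be installed, and that close_range first shipped in mainline kernel 5.9.

```shell
#!/bin/sh
# Added example (not from the bug report). Classify close_range support on
# this host from two inputs: what libseccomp's resolver prints and uname -r.
# Assumption: close_range entered the mainline kernel in 5.9.

# resolver_says_supported OUTPUT: scmp_sys_resolver prints "-1" when the
# syscall name is absent from libseccomp's table, else its number (436 on x86_64).
resolver_says_supported() {
    case "$1" in
        -1|'')    return 1 ;;
        *[!0-9]*) return 1 ;;   # not a plain syscall number
        *)        return 0 ;;
    esac
}

# kernel_at_least RELEASE MAJOR MINOR: compare a uname -r string such as
# "5.4.0-84-generic" against a minimum major.minor.
kernel_at_least() {
    rel=${1%%-*}          # drop "-84-generic"
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$2" ] && return 0
    [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]
}

# classify_close_range RESOLVER_OUTPUT UNAME_RELEASE prints one of:
#   ok          libseccomp knows the syscall and the kernel implements it
#   libseccomp  kernel is new enough but libseccomp's table lacks it (this bug)
#   kernel      libseccomp knows it but the running kernel predates close_range
#   none        neither side supports it
classify_close_range() {
    if resolver_says_supported "$1"; then lib=1; else lib=0; fi
    if kernel_at_least "$2" 5 9; then kern=1; else kern=0; fi
    case "$lib$kern" in
        11) echo ok ;;
        01) echo libseccomp ;;
        10) echo kernel ;;
        *)  echo none ;;
    esac
}

# Live check on this host, only when the libseccomp tool is installed.
if command -v scmp_sys_resolver >/dev/null 2>&1; then
    classify_close_range "$(scmp_sys_resolver close_range)" "$(uname -r)"
fi
```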

Title:
  Please backport support for "close_range" syscall

Status in libseccomp package in Ubuntu:
  New

Bug description:
  Please backport support for the "close_range" syscall .. may be as
  simple as cherry-picking

  https://github.com/seccomp/libseccomp/commit/01e5750e7c84bb14e5a5410c924bed519209db06

  from upstream. I've hit problems running buildah in a systemd-nspawn
  container, but this will probably affect people trying to run modern
  code in other container systems as well, e.g. docker.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libseccomp2 2.5.1-1ubuntu1~20.04.1
  ProcVersionSignature: Ubuntu 5.4.0-84.94-generic 5.4.133
  Uname: Linux 5.4.0-84-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.20
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: Xpra
  Date: Tue Sep 21 15:10:54 2021
  InstallationDate: Installed on 2017-01-08 (1717 days ago)
  InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  SourcePackage: libseccomp
  UpgradeStatus: Upgraded to focal on 2021-09-02 (19 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1944436/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
