OK, this is getting complicated. seccomp 2.5.0 and systemd-nspawn both have bugs which, when combined, cause most/all syscall filters to actually be disabled! See https://github.com/seccomp/libseccomp/issues/273#issuecomment-668458070
So I think your new packages are probably OK, but as they pull in 2.5.1 my system is breaking because the version of systemd-nspawn I'm using (default version from focal) is apparently still old enough not to include openat2(). (Yes, reading upthread it seems I knew all of this in August and have managed to forget it over the last few months!) I will backport/patch systemd-nspawn and re-test these packages when time permits.

-- 
https://bugs.launchpad.net/bugs/1891810

Title:
  Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers
