Tianon is right, runc silently discards syscalls it doesn't know about: https://github.com/opencontainers/runc/blob/ecd55a4135e0a26de884ce436442914f945b1e76/libcontainer/seccomp/seccomp_linux.go#L168-L173

This affects other syscalls, like preadv2: https://github.com/opencontainers/runtime-spec/issues/972

Failing to whitelist a syscall that the kernel does support is safe, but failing to *blacklist* a syscall could be more problematic. But failing to whitelist could also impact functionality/performance compared to a non-containerized application.

I couldn't find if anything is backported in "2.3.1-2.1ubuntu4", but the upstream "2.3.1" limits us to syscalls up to Linux 4.5-rc4.

Summoning Christian to help in bumping the priority of this issue.

** Bug watch added: github.com/opencontainers/runtime-spec/issues #972
   https://github.com/opencontainers/runtime-spec/issues/972

-- 
https://bugs.launchpad.net/bugs/1755250

Title:
  backport statx syscall whitelist fix

Status in docker.io package in Ubuntu:
  New
Status in libseccomp package in Ubuntu:
  New

Bug description:
  Hello maintainer,

  The docker version 17.03 (bionic) in Ubuntu doesn't allow the statx syscall which is needed to build qt >=5.10 applications: https://github.com/docker/for-linux/issues/208#issuecomment-372400859

  Could this fix be backported in the Ubuntu package? https://github.com/moby/moby/pull/36417

  regards,
  xan.
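The distinction drawn in the comment above (a silently dropped allow rule under a default-deny profile only breaks the workload, while a silently dropped deny rule under a default-allow profile weakens the sandbox) as an added example, not code from runc, libseccomp or this thread: an audit of an OCI/Docker-style seccomp profile against a constructed stand-in for an old libseccomp's syscall name table. `OLD_LIBSECCOMP_NAMES`, `audit_profile` and `load_checked` are assumed names; on a real host the lookup would be libseccomp's `seccomp_syscall_resolve_name()`.

```python
import json

# Constructed stand-in for the syscall names the host's libseccomp resolves.
# A libseccomp as old as 2.3.1 (table up to Linux 4.5-rc4, per the thread)
# knows neither statx nor preadv2, so those are "unknown" here.
OLD_LIBSECCOMP_NAMES = {
    "read", "write", "open", "close", "stat", "fstat", "mmap", "munmap",
    "preadv", "pwritev", "execve", "exit_group", "ptrace", "keyctl", "mount",
}
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_TRAP"}


def audit_profile(profile, known_names):
    """List names a runc-style loader would drop, as (name, action, severity).
    'functional': allow rule lost under a default-deny profile, so the
                  syscall is denied and the workload may break (statx case).
    'security':   deny rule lost under a default-allow profile, so the
                  syscall is unexpectedly permitted.
    'noop':       dropped rule matched the default action anyway.
    """
    default = profile.get("defaultAction")
    findings = []
    for rule in profile.get("syscalls", []):
        action = rule.get("action")
        for name in rule.get("names", []):
            if name in known_names:
                continue  # resolvable: the rule is actually installed
            if action == "SCMP_ACT_ALLOW" and default in DENY_ACTIONS:
                severity = "functional"
            elif action in DENY_ACTIONS and default == "SCMP_ACT_ALLOW":
                severity = "security"
            else:
                severity = "noop"
            findings.append((name, action, severity))
    return findings


def load_checked(profile_json, known_names):
    """Hardened loader: refuse a profile whose deny rules would be lost."""
    profile = json.loads(profile_json)
    findings = audit_profile(profile, known_names)
    if any(sev == "security" for _, _, sev in findings):
        raise ValueError("unresolvable deny rules: %r" % findings)
    return profile, findings


# Constructed profiles in OCI/Docker seccomp JSON shape: a default-deny
# allow-list naming statx, and a default-allow deny-list naming preadv2.
ALLOWLIST_PROFILE = json.dumps({"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": ["read", "write", "statx"], "action": "SCMP_ACT_ALLOW"}]})
DENYLIST_PROFILE = json.dumps({"defaultAction": "SCMP_ACT_ALLOW", "syscalls": [
    {"names": ["ptrace", "preadv2"], "action": "SCMP_ACT_ERRNO"}]})
```

Running `audit_profile` with a name table that includes "statx" (a libseccomp carrying the backported fix) returns no findings for the allow-list profile, which is the check a packager would want before shipping a profile.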