It's not going to be simple I'm afraid, at least for the original problem! "scmp_sys_resolver close_range" will quickly test whether current seccomp has support for close_range (prints "-1" if not supported, "436" otherwise - at least on x86_64.) Ubuntu seccomp maintainers have been pretty happy SRUing this sort of thing before - it's a running problem, and the changes are trivial.
Outline of a reproducer for my original problem would be something like:

1. download and unpack https://partner-images.canonical.com/core/focal/current/ubuntu-focal-core-cloudimg-amd64-root.tar.gz
2. cd to the rootfs directory and start a container with "systemd-nspawn"
3. Add podman/buildah PPA:

    . /etc/os-release
    echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
    curl -L "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key" | sudo apt-key add -
    sudo apt-get update
    sudo apt-get -y upgrade

4. apt-get -y install buildah
5. create scratch container and copy in busybox

    ctr=$(buildah from scratch)
    buildah copy $ctr /bin/busybox

6. check EOF handling

    echo foo | buildah run $ctr /busybox cat

Without the patch, this should fail to return to the prompt, as the missing syscall seems to interfere with buildah's ability to process EOF; with the patch it should return to the prompt. In the event of failure there should also be messages logged about "close_range" being unsupported.

Above is untested - I'll double-check it and flesh it out when time/health permits, but hopefully it has some utility. There are probably simpler test cases involving docker, but that's not my area...

--
https://bugs.launchpad.net/bugs/1944436
Title: Please backport support for "close_range" syscall
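The "scmp_sys_resolver" check and step 6 of the outline above, wrapped so that a hang shows up as a result instead of a stuck terminal. This is an added example, not part of the original comment; the function names, the RESOLVER and CTR variables and the 10-second limit are assumptions.

```shell
#!/bin/sh
# Added example, not from the original report. RESOLVER and CTR are assumed
# variable names; RESOLVER can be pointed at a stand-in for testing.
RESOLVER="${RESOLVER:-scmp_sys_resolver}"

# Print "supported <nr>", "unsupported" or "no-resolver" for one syscall name.
seccomp_knows() {
    command -v "$RESOLVER" >/dev/null 2>&1 || { echo "no-resolver"; return 2; }
    nr=$("$RESOLVER" "$1" 2>/dev/null) || nr=-1
    case "$nr" in
        ''|-*) echo "unsupported"; return 1 ;;   # resolver prints -1 for unknown names
        *)     echo "supported $nr"; return 0 ;;
    esac
}

# Feed "foo" plus EOF to a command; report "hang" if it is still running
# after LIMIT seconds (timeout(1) exits 124 when it had to kill the command).
eof_check() {
    limit="$1"; shift
    rc=0
    out=$(echo foo | timeout "$limit" "$@" 2>/dev/null) || rc=$?
    if [ "$rc" -eq 124 ]; then echo "hang"; return 1; fi
    if [ "$rc" -eq 0 ] && [ "$out" = "foo" ]; then echo "ok"; return 0; fi
    echo "error rc=$rc"; return 1
}

echo "libseccomp close_range: $(seccomp_knows close_range || true)"
# Step 6, only when CTR names a container created as in step 5.
if [ -n "${CTR:-}" ]; then
    echo "buildah EOF handling: $(eof_check 10 buildah run "$CTR" /busybox cat || true)"
fi
```

Run it inside the nspawn container after step 5 with CTR set to the value of $ctr; without CTR it only reports what the installed libseccomp knows about close_range.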
