Running the example above, the EFAULT is being generated in userspace. Looking at libseccomp, it seems we have a literal copy of the system call table mapping call strings to local numbers. For 32-bit, the new system calls are not filled in, so they will fail. Essentially, libseccomp and the kernel headers are out of sync, so systemd thinks it can use real mitigation on socket() but libseccomp does not think 32-bit supports it.
--
https://bugs.launchpad.net/bugs/1526358

Title:
  adding seccomp rule for socket() fails on i386 since kernel 4.3