Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

Bug #1891810 reported by Steve Dodd
This bug affects 2 people
Affects                Status        Importance  Assigned to  Milestone
libseccomp (Ubuntu)    Fix Released  Medium      Alex Murray
  Xenial               Fix Released  Medium      Alex Murray
  Bionic               Fix Released  Medium      Alex Murray
  Focal                Fix Released  Medium      Alex Murray
  Groovy               Fix Released  Medium      Alex Murray
  Hirsute              Fix Released  Medium      Alex Murray
systemd (Ubuntu)       Fix Released  Undecided   Unassigned
  Xenial               Won't Fix     Undecided   Unassigned
  Bionic               Fix Released  Undecided   Unassigned
  Focal                Fix Released  Undecided   Unassigned
  Groovy               Fix Released  Undecided   Unassigned
  Hirsute              Fix Released  Undecided   Unassigned

Bug Description

[Impact]

The version of libseccomp2 in X/B/F/G does not know about the openat2 syscall. As such, applications that use libseccomp cannot specify a system-call filter against this system call, and so it cannot be mediated.

[Test Plan]

This can be tested by simply running scmp_sys_resolver from the seccomp binary package and specifying this system-call:

Existing behaviour:

$ scmp_sys_resolver openat2
-1

Expected behaviour:

$ scmp_sys_resolver openat2
437

(Note this value will be different on other architectures)

[Where problems could occur]

In version 2.5.1 of libseccomp, which adds this new system call, changes were also made to the way the socket system call is handled by libseccomp on PPC platforms. This resulted in a change in the expected behaviour, which has already been noticed, and a fix is required for the systemd unit tests as a result: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696

There was also a similar change for s390x but so far no regressions have been observed as a result as systemd already expected that behaviour from libseccomp, it was only PPC that was missing.

In the event that a regression is observed however, we can easily either patch the affected package to cope with the new behaviour of this updated libseccomp since in each case the change in behaviour only affects a few system calls on particular architectures, or we can revert this update.

[Other Info]

 * As usual, thorough testing of this update has been performed both manually via the QA Regression Testing scripts, and via the autopkgtest infrastructure against packages in the Ubuntu Security Proposed PPA https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ with results at https://people.canonical.com/~platform/security-britney/current/

I have attached debdiffs of the prepared updates which are also sitting in the Ubuntu Security Proposed PPA.

Steve Dodd (anarchetic) wrote :

Actually, I recommend not looking at 2.5.0 or master until https://github.com/seccomp/libseccomp/issues/273 is fixed! Definitely a security issue.

Alex Murray (alexmurray) wrote :

I was planning on doing an SRU to backport b3206ad5645dceda89538ea8acc984078ab697ab for openat2 etc anyway so assigning this to me.

Changed in libseccomp (Ubuntu):
assignee: nobody → Alex Murray (alexmurray)
Changed in libseccomp (Ubuntu Focal):
assignee: nobody → Alex Murray (alexmurray)
Changed in libseccomp (Ubuntu Bionic):
assignee: nobody → Alex Murray (alexmurray)
Changed in libseccomp (Ubuntu Xenial):
assignee: nobody → Alex Murray (alexmurray)
Steve Dodd (anarchetic) wrote :

Any progress on this? I've just run into it again, and due to my appalling memory have spent two hours debugging and now discovered my own bug report again :/

Alex Murray (alexmurray) wrote :

I have packages for 2.5.1 in the ubuntu-security-proposed PPA at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa if you would like to give them a try I would appreciate any feedback etc.

Steve Dodd (anarchetic) wrote :

Hmm, I tested with libseccomp2_2.5.1-0ubuntu0.20.04.1_test4_amd64.deb from the PPA and it doesn't seem to fix the openat2 problem - just realised I should have added I'm now using focal not bionic for my container host.. will try to investigate why once I'm back on my desktop machine.

Steve Dodd (anarchetic) wrote :

Attached is a trivial test case, needs to be run in a container by a container manager that uses seccomp for syscall filtering (e.g. nspawn.)

It should either silently succeed or print "openat2: Function not implemented" ; if seccomp combined with the container manager (e.g. nspawn) blocks the openat2 call, it will instead print "openat2: Operation not permitted."
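
The outcomes this test case distinguishes, as an added example (not the attachment from the report and not project code): a C program that calls openat2 directly, then repeats the call in a child process behind a one-rule seccomp filter that fails it with a chosen errno. The helper names, the filter and the 437 fallback (the x86-64 number from the test plan) are assumptions of this example.

```c
/* Added example: not the test case attached to the bug report. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SYS_openat2
#define SYS_openat2 437 /* x86-64 value from the test plan; assumed when headers are old */
#endif

/* Local copy of the kernel's struct open_how, so pre-5.6 headers still compile. */
struct open_how_compat {
    uint64_t flags;
    uint64_t mode;
    uint64_t resolve;
};

/* Issue openat2(AT_FDCWD, "/", ...) directly. Returns 0 on success, else errno. */
int try_openat2(void)
{
    struct open_how_compat how;
    memset(&how, 0, sizeof how);
    how.flags = O_RDONLY | O_DIRECTORY | O_CLOEXEC;
    long fd = syscall(SYS_openat2, AT_FDCWD, "/", &how, sizeof how);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
}

/* Install a one-rule filter: openat2 fails with deny_errno, everything else
 * is allowed. It stands in for an allow-list whose default action catches
 * openat2 because the list predates the syscall. A production filter must
 * also check seccomp_data.arch; that check is left out of this sketch. */
static int install_filter(int deny_errno)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat2, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (deny_errno & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = (unsigned short)(sizeof prog / sizeof prog[0]),
        .filter = prog,
    };
    /* Required so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork, apply the filter in the child only, and return the errno the child
 * received from openat2 (0 on success). Returns -1 if the filter could not
 * be installed or the child did not exit normally. */
int probe_under_filter(int deny_errno)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter(deny_errno) != 0)
            _exit(255);
        _exit(try_openat2() & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    int err = try_openat2();
    printf("no extra filter:        openat2: %s\n", err ? strerror(err) : "success");

    err = probe_under_filter(EPERM);
    printf("filter returns EPERM:   openat2: %s\n", err >= 0 ? strerror(err) : "filter setup failed");

    err = probe_under_filter(ENOSYS);
    printf("filter returns ENOSYS:  openat2: %s\n", err >= 0 ? strerror(err) : "filter setup failed");
    return 0;
}
```

The first line of output reflects whatever the current environment does with openat2, so inside a container whose filter blocks the call it already reads "Operation not permitted".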

Steve Dodd (anarchetic) wrote :

OK, this is getting complicated. seccomp 2.5.0 and systemd-nspawn both have bugs which when combined cause most/all syscall filters to actually be disabled! See https://github.com/seccomp/libseccomp/issues/273#issuecomment-668458070

So I think your new packages are probably OK, but as they pull in 2.5.1 my system is breaking because the version of systemd-nspawn I'm using (default version from focal) is apparently still old enough not to include openat2() (Yes, reading upthread it seems I knew all of this in August and have managed to forget it over the last few months!)

I will backport/patch systemd-nspawn and re-test these packages when time permits..

Steve Dodd (anarchetic) wrote :

Ah, looks like I don't need to do anything for focal's systemd-nspawn other than add openat2 to SyscallFilters= in the .nspawn file. With that, and the seccomp from the PPA, everything seems OK - thank you!

Alex Murray (alexmurray)
Changed in libseccomp (Ubuntu Hirsute):
status: New → Fix Released
Alex Murray (alexmurray) wrote :

Updating libseccomp to 2.5.1 breaks the systemd unit tests on ppc64el since the behaviour around filtering of the multiplexed socket() system call changes - as such a fix for systemd in https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696 is also required.

Alex Murray (alexmurray) wrote :
description: updated
Mathew Hodson (mhodson)
Changed in libseccomp (Ubuntu Xenial):
importance: Undecided → Medium
Changed in libseccomp (Ubuntu Focal):
importance: Undecided → Medium
Changed in libseccomp (Ubuntu Groovy):
importance: Undecided → Medium
Changed in libseccomp (Ubuntu Hirsute):
importance: Undecided → Medium
Changed in libseccomp (Ubuntu Bionic):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libseccomp (Ubuntu Bionic):
status: New → Confirmed
Changed in libseccomp (Ubuntu Focal):
status: New → Confirmed
Changed in libseccomp (Ubuntu Groovy):
status: New → Confirmed
Changed in libseccomp (Ubuntu Xenial):
status: New → Confirmed
Alex Murray (alexmurray)
Changed in libseccomp (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in libseccomp (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in libseccomp (Ubuntu Focal):
status: Confirmed → In Progress
Changed in libseccomp (Ubuntu Groovy):
status: Confirmed → In Progress
Łukasz Zemczak (sil2100) wrote :

Adjusted title to make it clear that this is also a full backport of 2.5.1 to the stable series. Please make sure to do some additional general regression testing!

summary: - Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn
- containers
+ Backport 2.5.1 to fix missing openat2 syscall, causing problems for
+ fuse-overlayfs in nspawn containers
Changed in libseccomp (Ubuntu Groovy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-groovy
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted libseccomp into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libseccomp/2.5.1-1ubuntu1~20.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted libseccomp into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libseccomp/2.5.1-1ubuntu1~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libseccomp (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Łukasz Zemczak (sil2100) wrote :

I see systemd has a 'fix' for this bug in the focal upload so adding the systemd task to the bug as well. Should we assume the systemd parts are already there for hirsute and groovy? I'd like someone to check.

Changed in systemd (Ubuntu Focal):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted systemd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/245.4-4ubuntu3.6 in a few hours, and then in the -proposed repository.

Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted libseccomp into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libseccomp/2.5.1-1ubuntu1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libseccomp (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Changed in systemd (Ubuntu Bionic):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted systemd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.46 in a few hours, and then in the -proposed repository.

Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted libseccomp into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libseccomp/2.5.1-1ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libseccomp (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

I don't see a fix for systemd's LP: #1918696 in the systemd xenial SRU in the queue - is xenial unaffected by the ppc64el test issues? Also, SRUs for focal and groovy had some additional systemd changes besides libseccomp to get things working - are those also not needed in xenial?

I'd like someone to make sure that's the case.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (libseccomp/2.5.1-1ubuntu1~18.04.1)

All autopkgtests for the newly accepted libseccomp (2.5.1-1ubuntu1~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

containerd/1.3.3-0ubuntu1~18.04.4 (s390x)
lxc/3.0.3-0ubuntu1~18.04.1 (i386)
flatpak/1.0.9-0ubuntu0.2 (amd64)
systemd/237-3ubuntu10.45 (ppc64el)
chrony/3.2-4ubuntu4.5 (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#libseccomp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Alex Murray (alexmurray) wrote :

The fix for systemd's LP: #1918696 is not in the systemd xenial SRU since, as noted in that bug, systemd in xenial doesn't include upstream commit 469830d1426a91e0897c321fdc8ee428f0a750c1 which reworked the code to switch from seccomp_rule_add to seccomp_rule_add_exact. In this case systemd could handle lack of arch support itself, instead of allowing the 'not exact' seccomp syscall to just ignore the call due to lack of arch support.

Alex Murray (alexmurray) wrote :

Tested for libseccomp as follows:

cat <<EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
cat <<EOF | sudo tee /etc/apt/preferences.d/proposed-updates
# Configure apt to allow selective installs of packages from proposed
Package: *
Pin: release a=$(lsb_release -cs)-proposed
Pin-Priority: 400
EOF
sudo apt update
sudo apt install seccomp/$(lsb_release -cs)-proposed libseccomp2/$(lsb_release -cs)-proposed
[ $(scmp_sys_resolver openat2) = 437 ] && echo passed || echo FAIL

Passed for each xenial, bionic, focal and groovy.

I have also done extensive regression testing of this libseccomp update via both the various autopkgtests of dependent packages and through the QRT test script https://git.launchpad.net/qa-regression-testing/tree/scripts/test-libseccomp.py which exercises various packages and their use of libseccomp under this update.

tags: added: verification-done-bionic verification-done-focal verification-done-groovy verification-done-xenial
removed: verification-needed-bionic verification-needed-focal verification-needed-groovy verification-needed-xenial
tags: added: verification-done
removed: verification-needed
Alex Murray (alexmurray) wrote :

Regarding the failing autopkgtests from bionic reported in comment #28:

 - the containerd and chrony ones on s390x are transient failures due to networking issues in the test infrastructure so should hopefully pass on a re-run.

 - I can't reproduce the flatpak/amd64 failure locally so I assume this may pass on a re-run as well - this was run locally via:

autopkgtest --apt-pocket proposed=src:libseccomp --apt-upgrade flatpak -- qemu /home/amurray/images/autopkgtest-bionic-amd64.img

 - the systemd/ppc64el failure is addressed by LP: #1918696

 - lxc/i386 is a flaky test timeout - this failure has been observed in past runs of this as well as can be seen in the following:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/i386/l/lxc/20210120_133932_9027d@/log.gz
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/i386/l/lxc/20210113_162315_b38c3@/log.gz
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/i386/l/lxc/20210111_172145_15dd5@/log.gz

  so with any luck this test should also pass on a re-run too

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (libseccomp/2.5.1-1ubuntu1~16.04.1)

All autopkgtests for the newly accepted libseccomp (2.5.1-1ubuntu1~16.04.1) for xenial have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/229-4ubuntu21.29 (i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html#libseccomp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Alex Murray (alexmurray) wrote :

The systemd/229-4ubuntu21.29 (i386) test looks very flaky - this seems to fail more often than not looking at https://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386 - and the tests which failed for the libseccomp 2.5.1-1ubuntu1~16.04.1 run (boot-and-services and boot-smoke) also failed for a recent linux-meta/4.4.0.206.212 linux/4.4.0-206.238 run too - https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/i386/s/systemd/20210317_135037_af8e7@/log.gz - but then passed on the next linux-meta upload. So this looks like a false positive in this case.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (libseccomp/2.5.1-1ubuntu1~20.04.1)

All autopkgtests for the newly accepted libseccomp (2.5.1-1ubuntu1~20.04.1) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io/19.03.8-0ubuntu1.20.04.2 (arm64)
systemd/245.4-4ubuntu3.5 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#libseccomp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Alex Murray (alexmurray) wrote :

For the focal autopkgtest failures above:

docker.io/19.03.8-0ubuntu1.20.04.2 (arm64)
systemd/245.4-4ubuntu3.5 (ppc64el)

The docker.io/arm64 failed due to network issues in the test infrastructure:

+ lxc launch ubuntu-daily:focal/arm64 docker -c security.nesting=true
Creating docker
Error: Failed instance creation: Get "https://cloud-images.ubuntu.com/daily/streams/v1/index.json": Unable to connect to: cloud-images.ubuntu.com:443

So should hopefully be fine if retriggered.

And again the systemd/ppc64el failure is already known and covered by https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/237-3ubuntu10.46)

All autopkgtests for the newly accepted systemd (237-3ubuntu10.46) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

linux-hwe-5.4/5.4.0-71.79~18.04.1 (i386)
polkit-qt-1/unknown (i386)
openssh/1:7.6p1-4ubuntu0.3 (ppc64el, arm64, s390x, i386, amd64, armhf)
systemd/237-3ubuntu10.46 (amd64)
linux-hwe-5.0/5.0.0-65.71 (i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (libseccomp/2.5.1-1ubuntu1~20.10.1)

All autopkgtests for the newly accepted libseccomp (2.5.1-1ubuntu1~20.10.1) for groovy have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/246.6-1ubuntu1.2 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/groovy/update_excuses.html#libseccomp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/245.4-4ubuntu3.6)

All autopkgtests for the newly accepted systemd (245.4-4ubuntu3.6) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

multipath-tools/0.8.3-1ubuntu2 (s390x)
munin/2.0.56-1ubuntu1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Brian Murray (brian-murray) wrote :

I don't see a reply to sil2100's question in comment #22:

"I see systemd has a 'fix' for this bug in the focal upload so adding the systemd task to the bug as well. Should we assume the systemd parts are already there for hirsute and groovy? I'd like someone to check."

Is the systemd part already fixed in Groovy?

Thanks!

Brian Murray (brian-murray) wrote :

Actually the Groovy question seems to be answered by the upload of systemd for bug 1918696.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libseccomp - 2.5.1-1ubuntu1~20.10.1

---------------
libseccomp (2.5.1-1ubuntu1~20.10.1) groovy; urgency=medium

  * Updated to new upstream 2.5.1 version for updated syscalls support
    (LP: #1891810)
   - Removed the following patches that are now included in the new version:
     + d/p/cython3.patch
     + d/p/riscv64_support.patch
     + d/p/fix-aarch64-syscalls.patch
     + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
     + d/p/db-add-shadow-transactions.patch
   - Deleted the patch to add a local copy of architecture specific header
     files from linux-libc-dev/focal as this is not needed anymore
     + d/p/add-5.4-local-syscall-headers.patch
   - debian/control: Added gperf to Build-Depends as this is now required
     by upstream
   - debian/libseccomp2.symbols: Added new symbols
  * Add system call headers for powerpc required for backport to xenial
    - d/p/add-5.8-powerpc-syscall-headers.patch

 -- Alex Murray <email address hidden> Mon, 01 Mar 2021 13:50:23 +1030

Changed in libseccomp (Ubuntu Groovy):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for libseccomp has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 245.4-4ubuntu3.6

---------------
systemd (245.4-4ubuntu3.6) focal; urgency=medium

  * debian/patches/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
    Add support for faccessat2 (LP: #1916485)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=affb2c6507dccfeed02820a2267639648e2a2260
  * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch:
    Stop attempting to restrict address families on ppc archs
    (LP: #1918696)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=daff4b6604362fcb5d305682216d5ca15a4c5738
  * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch:
    Add openat2() syscall to seccomp filter list
    (LP: #1891810)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=69c8a684e2513b2f6530e5a5cf15c83abfb7bc74
  * d/p/lp1915887-Downgrade-a-couple-of-warnings-to-debug.patch:
    Downgrade some log messages so they stop spamming logs
    (LP: #1915887)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3c2c4731b90ed430ca1790270e69cd125643b94b
  * d/p/lp1887744-basic-unit-file-when-loading-linked-unit-files-use-l.patch:
    Use src name, not dst name, of symlinked unit files (LP: #1887744)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=03770601097cfdc09adeadf5593083da69345409

 -- Dan Streetman <email address hidden> Wed, 17 Mar 2021 17:36:08 -0400

Changed in systemd (Ubuntu Focal):
status: Fix Committed → Fix Released
Dan Streetman (ddstreet) wrote :

openat2 was added upstream in commit 8270e3d8ed3 which is included in v246 so this is fixed already in g and later, marking as fix released

Changed in systemd (Ubuntu Groovy):
status: New → Fix Released
Changed in systemd (Ubuntu Hirsute):
status: New → Fix Released
Changed in systemd (Ubuntu Xenial):
status: New → Invalid
Dan Streetman (ddstreet) wrote :

marking invalid for systemd in x, as the seccomp support there is completely different

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libseccomp - 2.5.1-1ubuntu1~20.04.1

---------------
libseccomp (2.5.1-1ubuntu1~20.04.1) focal; urgency=medium

  * Updated to new upstream 2.5.1 version for updated syscalls support
    (LP: #1891810)
   - Removed the following patches that are now included in the new version:
     + d/p/cython3.patch
     + d/p/riscv64_support.patch
     + d/p/fix-aarch64-syscalls.patch
     + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
     + d/p/db-add-shadow-transactions.patch
   - Deleted the patch to add a local copy of architecture specific header
     files from linux-libc-dev/focal as this is not needed anymore
     + d/p/add-5.4-local-syscall-headers.patch
   - debian/control: Added gperf to Build-Depends as this is now required
     by upstream
   - debian/libseccomp2.symbols: Added new symbols
  * Add system call headers for powerpc required for backport to xenial
    - d/p/add-5.8-powerpc-syscall-headers.patch

 -- Alex Murray <email address hidden> Mon, 01 Mar 2021 13:47:46 +1030

Changed in libseccomp (Ubuntu Focal):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote :

For bionic there are a few ADT regressions for libseccomp - I re-ran them, let's see if they pass now.

Alex Murray (alexmurray) wrote :

libseccomp on bionic looks good from what I can see on https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#libseccomp - can this please migrate now?

Alex Murray (alexmurray) wrote :

Similarly, for xenial there is only one failure for libseccomp autopkgtests, which is systemd/i386 - https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html#libseccomp - and this looks reasonably flaky in recent history https://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386 - I discussed this back in comment 33 https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/comments/33 above - so would it be possible to promote this as well even with this failure? Thanks :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libseccomp - 2.5.1-1ubuntu1~18.04.1

---------------
libseccomp (2.5.1-1ubuntu1~18.04.1) bionic; urgency=medium

  * Updated to new upstream 2.5.1 version for updated syscalls support
    (LP: #1891810)
   - Removed the following patches that are now included in the new version:
     + d/p/fix-aarch64-syscalls.patch
     + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
     + d/p/db-add-shadow-transactions.patch
   - Deleted the patch to add a local copy of architecture specific header
     files from linux-libc-dev/focal as this is not needed anymore
     + d/p/add-5.4-local-syscall-headers.patch
   - debian/control: Added gperf to Build-Depends as this is now required
     by upstream
   - debian/libseccomp2.symbols: Added new symbols
  * Add system call headers for powerpc required for backport to xenial
    - d/p/add-5.8-powerpc-syscall-headers.patch

 -- Alex Murray <email address hidden> Mon, 01 Mar 2021 13:49:23 +1030

Changed in libseccomp (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libseccomp - 2.5.1-1ubuntu1~16.04.1

---------------
libseccomp (2.5.1-1ubuntu1~16.04.1) xenial; urgency=medium

  * Updated to new upstream 2.5.1 version for updated syscalls support
    (LP: #1891810)
   - Removed the following patches that are now included in the new version:
     + d/p/fix-aarch64-syscalls.patch
     + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
     + d/p/db-add-shadow-transactions.patch
   - Deleted the patch to add a local copy of architecture specific header
     files from linux-libc-dev/focal as this is not needed anymore
     + d/p/add-5.4-local-syscall-headers.patch
   - debian/control: Added gperf to Build-Depends as this is now required
     by upstream
   - debian/libseccomp2.symbols: Added new symbols
  * Add system call headers for powerpc required for backport to xenial
    - d/p/add-5.8-powerpc-syscall-headers.patch

 -- Alex Murray <email address hidden> Mon, 01 Mar 2021 13:50:00 +1030

Changed in libseccomp (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 237-3ubuntu10.46

---------------
systemd (237-3ubuntu10.46) bionic; urgency=medium

  * d/p/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
    Add support for faccessat2 (LP: #1916485)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b5f11a9baecf0cefb503632e938d473234172128
  * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch:
    Stop attempting to restrict address families on ppc archs
    (LP: #1918696)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4569a047ece8b1b300ef63e49b5aea8aba35c500
  * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch:
    Add openat2() syscall to seccomp filter list
    (LP: #1891810)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2ddfbfa79af4f22b7adf946c4299433fd74a4f17

 -- Dan Streetman <email address hidden> Wed, 17 Mar 2021 17:38:05 -0400

Changed in systemd (Ubuntu Bionic):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
Changed in systemd (Ubuntu Xenial):
status: Invalid → Won't Fix