Comment 53 for bug 1916485

------- Comment From <email address hidden> 2021-04-22 07:23 EDT-------
Hi,
I've also run some tests on s390x:

On Ubuntu 18.04 (bionic) with libseccomp2 2.5.1-1ubuntu1~18.04.1 and linux 4.15.0.142.129:
In a systemd-nspawn hirsute container:
bash -c "test -x /bin/bash"
returns 1 and strace shows:
faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
and seccomp-tools dump showed that the seccomp-filter allows faccessat2(=0x1b7) syscall!

After upgrading to 4.15.0-143-generic #147+hf1916485v20210421b1 from your PPA, the command works fine:
faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented)
faccessat(AT_FDCWD, "/bin/bash", X_OK) = 0

In a "docker run -it ubuntu:hirsute /bin/bash" container (runc-1.0.0~rc93-0ubuntu1~18.04.1), the command also works fine and the seccomp-filter applied by docker also allows faccessat2.

On Ubuntu 20.10 (groovy) with libseccomp2 2.5.1-1ubuntu1~20.10.1 and linux 5.8.0.51.56, both the tests in systemd-nspawn and in docker container are working fine and the dump of the seccomp-filter shows that faccessat2 is allowed.
(On the same system before updating libseccomp2 to the mentioned version, libseccomp2 2.4.3-1ubuntu4 was used. There the dump of the seccomp-filter showed that the faccessat2 syscall was not allowed and thus the test command failed.)

Thanks.