moby: Seccomp blocks install of "libc6" in Ubuntu 20.04 "focal" image on armhf (arm32v7)
Opening a tracking issue for this for further investigation. More details can be found in:
- https://github.com/docker/containerd-packaging/pull/151 (which I’m using as a debugging environment for this)
- https://github.com/dotnet/dotnet-docker/issues/1747
Summary
Ubuntu 20.04 (“focal”) on armhf (arm32) currently has an issue where it looks like seccomp is blocking a syscall that’s used when installing libc6:
docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'
...
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack):
dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
/var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
With seccomp disabled, installing libc6 is successful:
docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=unconfined arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'
output of the above:
focal: Pulling from arm32v7/ubuntu
Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15
Status: Image is up to date for arm32v7/ubuntu:focal
docker.io/arm32v7/ubuntu:focal
Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB]
Get:6 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB]
Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB]
Fetched 12.9 MB in 5s (2427 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
gcc-10-base libc-bin libcrypt1 libgcc-s1
Suggested packages:
manpages glibc-doc locales
The following NEW packages will be installed:
gcc-10-base libcrypt1 libgcc-s1
The following packages will be upgraded:
libc-bin libc6
2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded.
Need to get 2770 kB of archives.
After this operation, 618 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 2770 kB in 0s (10.7 MB/s)
Selecting previously unselected package gcc-10-base:armhf.
(Reading database ... 4126 files and directories currently installed.)
Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ...
Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Selecting previously unselected package libgcc-s1:armhf.
(Reading database ... 4132 files and directories currently installed.)
Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ...
Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ...
Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ...
Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ...
(Reading database ... 4134 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
Selecting previously unselected package libcrypt1:armhf.
Preparing to unpack .../libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb ...
Unpacking libcrypt1:armhf (1:4.4.10-10ubuntu4) ...
Setting up libcrypt1:armhf (1:4.4.10-10ubuntu4) ...
Setting up libc6:armhf (2.31-0ubuntu6) ...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
(Reading database ... 4137 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.31-0ubuntu6_armhf.deb ...
Unpacking libc-bin (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
Setting up libc-bin (2.31-0ubuntu6) ...
With seccomp enabled, installation fails:
docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'
output of the above:
focal: Pulling from arm32v7/ubuntu
Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15
Status: Image is up to date for arm32v7/ubuntu:focal
docker.io/arm32v7/ubuntu:focal
Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB]
Get:6 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB]
Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB]
Fetched 12.9 MB in 6s (2183 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
gcc-10-base libc-bin libcrypt1 libgcc-s1
Suggested packages:
manpages glibc-doc locales
The following NEW packages will be installed:
gcc-10-base libcrypt1 libgcc-s1
The following packages will be upgraded:
libc-bin libc6
2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded.
Need to get 2770 kB of archives.
After this operation, 618 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 2770 kB in 1s (5278 kB/s)
Selecting previously unselected package gcc-10-base:armhf.
(Reading database ... 4126 files and directories currently installed.)
Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ...
Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Selecting previously unselected package libgcc-s1:armhf.
(Reading database ... 4132 files and directories currently installed.)
Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ...
Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ...
Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ...
Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ...
(Reading database ... 4134 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack):
dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
/var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
Information about the environment
docker version
Client: Docker Engine - Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:38:47 2019
OS/Arch: linux/arm
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.5
API version: 1.40 (minimum version 1.12)
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:32:48 2019
OS/Arch: linux/arm
Experimental: true
containerd:
Version: 1.2.10
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
runc:
Version: 1.0.0-rc8+dev
GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
docker-init:
Version: 0.18.0
GitCommit: fec3683
docker info
Client:
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 19.03.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.127-mainline-rev1
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 1.974GiB
Name: arm32v7-ubuntu-03
ID: W2ZP:3XMC:TH2A:OMPM:V542:GKAR:S6Q3:YKZC:QQHT:ERP2:LNHR:427E
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Output of `check-config.sh`:
curl -fsSL https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh | bash
info: reading kernel config from /proc/config.gz ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_NF_NAT_IPV4: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_NF_NAT_NEEDED: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_DEVPTS_MULTIPLE_INSTANCES: enabled
Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_MEMCG_SWAP_ENABLED: enabled
(cgroup swap accounting is currently enabled)
- CONFIG_MEMCG_KMEM: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_IOSCHED_CFQ: enabled
- CONFIG_CFQ_GROUP_IOSCHED: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
- "overlay":
- CONFIG_VXLAN: enabled (as module)
- CONFIG_BRIDGE_VLAN_FILTERING: enabled
Optional (for encrypted networks):
- CONFIG_CRYPTO: enabled
- CONFIG_CRYPTO_AEAD: enabled (as module)
- CONFIG_CRYPTO_GCM: enabled (as module)
- CONFIG_CRYPTO_SEQIV: enabled (as module)
- CONFIG_CRYPTO_GHASH: enabled (as module)
- CONFIG_XFRM: enabled
- CONFIG_XFRM_USER: enabled (as module)
- CONFIG_XFRM_ALGO: enabled
- CONFIG_INET_ESP: enabled (as module)
- CONFIG_INET_XFRM_MODE_TRANSPORT: enabled
- "ipvlan":
- CONFIG_IPVLAN: enabled (as module)
- "macvlan":
- CONFIG_MACVLAN: enabled (as module)
- CONFIG_DUMMY: enabled (as module)
- "ftp,tftp client in container":
- CONFIG_NF_NAT_FTP: enabled (as module)
- CONFIG_NF_CONNTRACK_FTP: enabled (as module)
- CONFIG_NF_NAT_TFTP: enabled (as module)
- CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
- "aufs":
- CONFIG_AUFS_FS: enabled (as module)
- "btrfs":
- CONFIG_BTRFS_FS: enabled (as module)
- CONFIG_BTRFS_FS_POSIX_ACL: enabled
- "devicemapper":
- CONFIG_BLK_DEV_DM: enabled (as module)
- CONFIG_DM_THIN_PROVISIONING: enabled (as module)
- "overlay":
- CONFIG_OVERLAY_FS: enabled (as module)
- "zfs":
- /dev/zfs: missing
- zfs command: missing
- zpool command: missing
Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000
About this issue
- Original URL
- State: open
- Created 4 years ago
- Reactions: 19
- Comments: 36 (11 by maintainers)
Links to this issue
Commits related to this issue
- Switch back to Ubuntu Eoan Focal tries to use a new system call that Ubuntu's version of libseccomp doesn't quite support on my build host https://github.com/moby/moby/issues/40734. — committed to cl-docker-images/sbcl by daewok 4 years ago
- Use ubuntu:18.04 as build-base. ubuntu:20.04 comes with a very modern libseccomp2 which makes some syscalls on ordinary rpi4 base images fail in docker. ref: https://github.com/moby/moby/issues/40734... — committed to thz/knxd by thz 4 years ago
- Rollback to ubuntu 18.04 to avoid seccomp issue on armhf. https://github.com/moby/moby/issues/40734 — committed to tingtingths/docker-v2ray by tingtingths 4 years ago
- fix(minecraft-server): use ubuntu 18.04 as base image Previously, ubuntu 20.04 was used as base image but the libsecomp package installed make problems. This commit use ubuntu:18.04 base image inste... — committed to diodonfrost/docker-pi by diodonfrost 3 years ago
- switch python image to buster to avoid seccomp issue https://github.com/moby/moby/issues/40734 https://github.com/docker-library/python/issues/634 — committed to asssaf/thonny-docker by deleted user a year ago
For anyone else coming here and trying to figure out how to add `seccomp-profile` in `daemon.json` - I couldn’t find that in the Raspbian buster install of docker - nor could I find docs on setting this up anywhere. I ended up just adding `--seccomp-profile=/path/to/default.json` in `/etc/systemd/system/multi-user.target.wants/docker.service` in the `ExecStart` line, as the first arg to `/usr/bin/dockerd`. You’ll need to also run:

Enjoy!
The release notes for Alpine Linux 3.13 mention a simple workaround which hasn’t got much attention, which has the advantage of working with the stock `docker.io` and `libseccomp2` packages from Raspbian Buster:

(NB: You can also set `seccomp-profile` in `daemon.json` if you are launching Docker with systemd)

This workaround does not disable seccomp, but I’m a bit wary about it potentially having security implications since it’s non-trivial. It appears to have been made by Alex Xu who has various contributions to Alpine.
@thaJeztah Actually, I can reproduce this on a host running Ubuntu Focal (20.04) building an Ubuntu Focal docker image with up to date libseccomp2 (2.4.3-1) on ARMHF.

Now, let’s try and build the following Dockerfile…

Indeed, during the `apt-get install` we see the utime error:

It’s not easy to work around because unfortunately `--security-opt` is not supported for builds in the current stable docker daemon.

Installing libseccomp from debian sid (2.4.3-1) solves my issue on raspbian buster.
Changing the profile unfortunately didn’t solve the problem: the problem looks to be the libseccomp version. When installing libseccomp 2.4.3, the problem does not reproduce.
Unfortunately, that version is not available on Ubuntu versions < 20.03 (https://packages.ubuntu.com/search?keywords=libseccomp2).
So for debugging, I installed the package from the ubuntu 20.03 repository.
What it comes down to:
The container we’re running (ubuntu:20.03) makes a syscall that’s introduced in Linux 5.x, but docker in this case is running on a 4.x kernel (the host is Ubuntu 16.04). The version of libseccomp installed on the host is not taking kernel 5.x syscalls into account, receives an error, and (likely) in that case blocks the syscall.
Solutions for this would be to:
@iav running with `--privileged` is not a solution; the reason it works with `--privileged` is that it disables all (or at least most) security measures that containers provide (among which, disabling `seccomp`).

@thelamer thanks! I think the problem occurred when running a `ubuntu:20.04` container on an older version of ubuntu (16.04), which has a 4.x kernel, so the issue in that case was that the container is making syscalls that the host didn’t understand (or at least libseccomp on the host)

@iav Unfortunately, I can’t - I’m building using a new Dockerfile and ubuntu:focal as my base image. I’m using `docker build/buildx`. IIRC `--privileged` isn’t supported with docker build or buildx.

Any suggestion for a short-term workaround running Docker on a Mac host would be greatly appreciated. Note the current Docker Desktop version 3.0.0 for Mac doesn’t support `--privileged` or `seccomp`. This leaves me completely unable to use Docker with Ubuntu 20 based images.

In case anyone’s interested, there’s been some discussion about various ways of handling these issues correctly long-term, see systemd/systemd#16739, seccomp/libseccomp#286, system-devel thread. Basically we need to distinguish new syscalls somehow and return ENOSYS for them. It’s possible doing this will also allow securely changing large allowlists into shorter denylists, which should be a win for everyone performance-wise…
@mthalman That’s interesting. I installed that libseccomp package on debian buster (odroid xu4, armbian) and the issue was resolved (install libc in a focal based docker image). I even repeated with reverting back to buster’s libseccomp 2.3.3-4, and it breaks; reinstall ubuntu’s 2.4.3-1ubuntu3.16.04.2, and it works again.
I’ve tried this on our build machines that are running Xenial which have the updated libseccomp package installed (2.4.3-1ubuntu3.16.04.2) and the issue does not appear to be fixed.
Given the goal is to get it into both Debian and Ubuntu’s stable releases, I’d suggest starting with the Debian package maintainers. They’re probably not going to want to do the minor patch bump in stable unless it’s just the minimal patch (and the release team will be the final deciders anyhow, and they’re typically pretty strict about wanting patches to be minimal unless you’ve got a really compelling reason to do otherwise), so I’d suggest creating a patch of the absolute bare minimum (which I guess would be either https://github.com/seccomp/libseccomp/commit/bf747eb21e428c2b3ead6ebcca27951b681963a0.patch or more likely https://github.com/seccomp/libseccomp/commit/be65b26b67099be2b2b4890d736dbd1ad15adf36.patch since that’s the exact 2.4-backport commit) and including in your communication that upstream backported it to 2.4 in v2.4.2 (which is where your patch comes from).

As for contacting the maintainers, you could try emailing `libseccomp@tracker.debian.org`, but you’re likely to have better luck via a proper bug (and I’d suggest using the `reportbug` tool from an up-to-date Buster system to file that so it can include useful metadata for the maintainers).

Concurrently, I’d suggest contacting the Ubuntu `libseccomp` maintainers in the same way, although via https://bugs.launchpad.net/ubuntu/+source/libseccomp (I believe `reportbug` on an Ubuntu system will work there as well, but I don’t think it’s quite as strongly preferred in Ubuntu, especially since you’ve got plenty of detail you can provide about the issue and your proposed fix, including a patch).

If it’s indeed related to the `clone3` syscall, I see that was added to libseccomp master in https://github.com/seccomp/libseccomp/commit/bf747eb21e428c2b3ead6ebcca27951b681963a0, and backported to the 2.4 release branch in https://github.com/seccomp/libseccomp/pull/179, which is included in libseccomp 2.4.2 and up; https://github.com/seccomp/libseccomp/blob/v2.4.2/include/seccomp-syscalls.h#L251