
OPERATIONAL DEFECT DATABASE

libseccomp in both CentOS 9 & 10 is "old" and missing the knowledge of recent syscalls. When using docker or podman to run non-privileged containers, seccomp is actually filtering these syscalls which might be used by more recent OS containers, like for example fchmodat2 used by the glibc in RHEL 10 or Fedora. We should let syscalls actually implemented by the kernel be used instead of using the glibc fallback code in these cases. Thus I propose we upgrade libseccomp to the latest version 2.5.x (I doubt you will want to go for 2.6.0 for now).
Unresolved
Red Hat Integration