Ah, looks like I don't need to do anything for focal's systemd-nspawn other than add openat2 to SyscallFilters= in the .nspawn file. With that, and the seccomp from the PPA, everything seems OK - thank you!
Ah, looks like I don't need to do anything for focal's systemd-nspawn other than add openat2 to SyscallFilters= in the .nspawn file. With that, and the seccomp from the PPA, everything seems OK - thank you!