Comment 5 for bug 1944436

Steve Dodd (anarchetic) wrote (last edit):

It's not going to be simple I'm afraid, at least for the original problem! "scmp_sys_resolver close_range" will quickly test whether current seccomp has support for close_range (prints "-1" if not supported, "436" otherwise - at least on x86_64.) Ubuntu seccomp maintainers have been pretty happy SRUing this sort of thing before - it's a running problem, and the changes are trivial.

Outline of a reproducer for my original problem would be something like:

1. download and unpack https://cloud-images.ubuntu.com/releases/focal/release/ubuntu-18.04-server-cloudimg-amd64-root.tar.xz
2. cd to the rootfs directory and start a container:
rm etc/resolv.conf && cat /run/systemd/resolve/resolv.conf >etc/resolv.conf
systemd-nspawn --system-call-filter=@keyring\ close_range
3. Add podman/buildah PPA:
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_18.04/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
curl -L "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_18.04/Release.key" | sudo apt-key add -
sudo apt-get update
4. apt-get -y install buildah
5. add a new user and switch
adduser test --gecos "" --disabled-password
sudo -u test -Hs
cd ~
6. create scratch container and copy in busybox
ctr=$(buildah from scratch)
buildah copy $ctr /bin/busybox
7. check EOF handling
echo foo | buildah run $ctr /busybox cat

Without the patch, this should fail to return to the prompt, as the missing syscall seems to interfere with buildah's ability to process EOF; with the patch it should return to the prompt.
In the event of failure there should also be messages logged about "close_range" being unsupported.
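A scripted form of the scmp_sys_resolver check and of steps 1-7 above, added here as an example; it is not part of the bug comment, of buildah or of libseccomp. It assumes the same URLs, package names and nspawn filter as the steps, a root shell on a systemd host with `timeout` (coreutils) and optionally `scmp_sys_resolver` on PATH, and it replaces the interactive "does the prompt come back" check of step 7 with a timeout so a hang becomes a non-zero exit code instead of a stuck terminal. The helper names (`seccomp_has_syscall`, `interpret_resolver_output`, `eof_check`, `repro_in_container`) and the `RUN_REPRO` switch are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the bug comment). Nothing runs unless RUN_REPRO is
# set, so the helper functions can be exercised on their own.
set -u

# "-1" from scmp_sys_resolver means this libseccomp build has no entry for
# the name; any other integer (436 for close_range on x86_64) means it does.
# Return codes: 0 = known, 1 = unknown (-1), 2 = could not tell.
interpret_resolver_output() {
    case $1 in
        -1)           return 1 ;;
        ''|*[!0-9]*)  return 2 ;;   # empty or non-numeric: tool error
        *)            return 0 ;;
    esac
}

# Ask libseccomp on this host whether it knows a syscall name (step 0 of the
# comment). Returns 2 when scmp_sys_resolver is not installed.
seccomp_has_syscall() {
    command -v scmp_sys_resolver >/dev/null 2>&1 || return 2
    num=$(scmp_sys_resolver "$1" 2>/dev/null) || return 2
    interpret_resolver_output "$num"
}

# Step 7 made non-interactive: pipe "foo" into a command and bound it with
# timeout. 0 = returned and echoed the input, 1 = hung (timeout exits 124),
# any other status is passed through. stderr is left visible so the
# "close_range unsupported" messages the comment mentions can be seen.
eof_check() {
    limit=$1; shift
    out=$(printf 'foo\n' | timeout "$limit" "$@")
    rc=$?
    [ "$rc" -eq 124 ] && return 1
    [ "$rc" -eq 0 ] && [ "$out" = "foo" ]
}

# Steps 1-2 (host, as root): unpack the rootfs and fix resolv.conf.
prepare_rootfs() {
    url=https://cloud-images.ubuntu.com/releases/focal/release/ubuntu-18.04-server-cloudimg-amd64-root.tar.xz
    mkdir -p rootfs && cd rootfs || return 1
    curl -fsSL "$url" | tar -xJ || return 1
    rm -f etc/resolv.conf && cat /run/systemd/resolve/resolv.conf >etc/resolv.conf
}

# Steps 3-7 (inside the container, as root): add the kubic repo, install
# buildah, and run the EOF check as an unprivileged user. Exit status 1 here
# means "buildah run ... cat" did not return, i.e. the original problem.
repro_in_container() {
    echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_18.04/ /" \
        >/etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
    curl -L "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_18.04/Release.key" | apt-key add -
    apt-get update && apt-get -y install buildah || return 2
    id test >/dev/null 2>&1 || adduser test --gecos "" --disabled-password
    # Same logic as eof_check, inlined because functions do not cross sudo.
    sudo -u test -H sh -c '
        cd ~ || exit 2
        ctr=$(buildah from scratch) || exit 2
        buildah copy "$ctr" /bin/busybox || exit 2
        printf "foo\n" | timeout 60 buildah run "$ctr" /busybox cat
        rc=$?
        [ "$rc" -eq 124 ] && { echo "HUNG: buildah run did not process EOF" >&2; exit 1; }
        exit "$rc"
    '
}

# RUN_REPRO=host: report the libseccomp check, prepare the rootfs and start
# the container with the comment's filter, re-entering this script inside it.
# RUN_REPRO=container: run steps 3-7 (used by the nspawn invocation below).
case ${RUN_REPRO:-} in
    host)
        script=$(readlink -f "$0")
        seccomp_has_syscall close_range; echo "close_range check on host: rc=$?"
        prepare_rootfs || exit 2
        systemd-nspawn --system-call-filter='@keyring close_range' \
            --bind-ro="$script":/repro.sh --setenv=RUN_REPRO=container /bin/sh /repro.sh ;;
    container) repro_in_container ;;
esac
```

Run it as `RUN_REPRO=host sh repro.sh` from a scratch directory; a return code of 1 from the nspawn command is the hang the comment describes, 0 means EOF was handled. To test the unpatched case, drop `close_range` from the `--system-call-filter=` list on the host side.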