diff -Nru systemd-237/debian/changelog systemd-237/debian/changelog
--- systemd-237/debian/changelog 2020-05-03 08:30:25.000000000 -0300
+++ systemd-237/debian/changelog 2020-07-28 14:41:16.000000000 -0300
@@ -1,3 +1,13 @@
+systemd (237-3ubuntu10.42) bionic; urgency=medium
+
+ * Almost "no-change rebuild" for udev-udeb to pick up libkmod2-udeb.
+ Fixes d-i FTBFS due to udev-udeb depending on libkmod2
+ instead of libkmod2-udeb. (LP: #1889297)
+ * d/p/lp1886197-seccomp-more-comprehensive-protection-against-libsec.patch:
+ - Fix FTBFS on arm64 due to libseccomp changes (LP: #1886197)
+
+ -- Mauricio Faria de Oliveira Tue, 28 Jul 2020 14:41:16 -0300
+
 systemd (237-3ubuntu10.41) bionic; urgency=medium
 
 [ Dan Streetman ]
diff -Nru systemd-237/debian/patches/lp1886197-seccomp-more-comprehensive-protection-against-libsec.patch systemd-237/debian/patches/lp1886197-seccomp-more-comprehensive-protection-against-libsec.patch
--- systemd-237/debian/patches/lp1886197-seccomp-more-comprehensive-protection-against-libsec.patch 1969-12-31 21:00:00.000000000 -0300
+++ systemd-237/debian/patches/lp1886197-seccomp-more-comprehensive-protection-against-libsec.patch 2020-07-28 14:41:16.000000000 -0300
@@ -0,0 +1,132 @@
+From 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 14 Nov 2019 17:51:30 +0100
+Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
+ __NR_xyz namespace invasion
+Bug: https://github.com/systemd/systemd/issues/14031
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1886197
+Origin: upstream, https://github.com/systemd/systemd/commit/4df8fe8415eaf4abd5b93c3447452547c6ea9e5f
+
+A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
+same conditioning for all cases of our __NR_xyz use.
+
+Fixes: #14031
+---
+ src/basic/missing_syscall.h | 10 +++++-----
+ src/test/test-seccomp.c | 19 ++++++++++---------
+ 2 files changed, 15 insertions(+), 14 deletions(-)
+
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -244,7 +244,7 @@ static inline int renameat2(int oldfd, c
+ 
+ #if !HAVE_KCMP
+ static inline int kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
+-# ifdef __NR_kcmp
++# if defined __NR_kcmp && __NR_kcmp > 0
+ return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
+ # else
+ errno = ENOSYS;
+@@ -257,7 +257,7 @@ static inline int kcmp(pid_t pid1, pid_t
+ 
+ #if !HAVE_KEYCTL
+ static inline long keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4,unsigned long arg5) {
+-# ifdef __NR_keyctl
++# if defined __NR_keyctl && __NR_keyctl > 0
+ return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
+ # else
+ errno = ENOSYS;
+@@ -266,7 +266,7 @@ static inline long keyctl(int cmd, unsig
+ }
+ 
+ static inline key_serial_t add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
+-# ifdef __NR_add_key
++# if defined __NR_add_key && __NR_add_key > 0
+ return syscall(__NR_add_key, type, description, payload, plen, ringid);
+ # else
+ errno = ENOSYS;
+@@ -275,7 +275,7 @@ static inline key_serial_t add_key(const
+ }
+ 
+ static inline key_serial_t request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
+-# ifdef __NR_request_key
++# if defined __NR_request_key && __NR_request_key > 0
+ return syscall(__NR_request_key, type, description, callout_info, destringid);
+ # else
+ errno = ENOSYS;
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -44,7 +44,8 @@
+ #include "util.h"
+ #include "virt.h"
+ 
+-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
++/* __NR_socket may be invalid due to libseccomp */
++#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+ /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
+ * and we can't restrict it hence via seccomp. */
+ # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+@@ -248,14 +249,14 @@ static void test_protect_sysctl(void) {
+ assert_se(pid >= 0);
+ 
+ if (pid == 0) {
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, NULL) < 0);
+ assert_se(errno == EFAULT);
+ #endif
+ 
+ assert_se(seccomp_protect_sysctl() >= 0);
+ 
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
+ assert_se(errno == EPERM);
+ #endif
+@@ -533,7 +534,7 @@ static void test_load_syscall_filter_set
+ assert_se(poll(NULL, 0, 0) == 0);
+ 
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
+@@ -549,7 +550,7 @@ static void test_load_syscall_filter_set
+ s = hashmap_free(s);
+ 
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -565,7 +566,7 @@ static void test_load_syscall_filter_set
+ s = hashmap_free(s);
+ 
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
+@@ -582,7 +583,7 @@ static void test_load_syscall_filter_set
+ s = hashmap_free(s);
+ 
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -684,8 +685,8 @@ static int real_open(const char *path, i
+ * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
+ * other architectures, let's just fall back to the glibc call. */
+ 
+-#ifdef SYS_open
+- return (int) syscall(SYS_open, path, flags, mode);
++#if defined __NR_open && __NR_open > 0
++ return (int) syscall(__NR_open, path, flags, mode);
+ #else
+ return open(path, flags, mode);
+ #endif
diff -Nru systemd-237/debian/patches/series systemd-237/debian/patches/series
--- systemd-237/debian/patches/series 2020-05-03 08:30:25.000000000 -0300
+++ systemd-237/debian/patches/series 2020-07-28 14:41:16.000000000 -0300
@@ -213,3 +213,4 @@
 lp1529152/0004-bash-completion-systemctl-re-implement-__filter_unit.patch
 lp1529152/0005-strip-value-from-property-names.patch
 lp1877159-networkd-fix-attribute-length-for-wireguard-10380.patch
+lp1886197-seccomp-more-comprehensive-protection-against-libsec.patch
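Review bot: The comment directly above the rewritten `#if` in real_open still says the raw syscall is used "on architectures where SYS_open is defined", but the new condition keys on `__NR_open` being defined and positive, so the context comment and the new test now disagree; I would update it to `* testing purposes that calls the real syscall, on architectures where __NR_open is defined and valid. On`. The `#else` arms in the test_load_syscall_filter_set hunks still build hashmap keys from `__NR_faccessat + 1` and `__NR_ppoll + 1` with no `> 0` guard, so if libseccomp ever supplied a negative placeholder for those names the same namespace problem this patch fixes would resurface there; presumably the replacement syscalls always exist where access/poll do not, but a one-line comment stating that assumption next to each `#else` would make the invariant explicit. Both real_open and test_load_syscall_filter_set continue outside the quoted inner hunks.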