diff -Nru systemd-242/debian/changelog systemd-242/debian/changelog
--- systemd-242/debian/changelog 2020-05-09 01:58:53.000000000 +0930
+++ systemd-242/debian/changelog 2020-06-12 11:05:49.000000000 +0930
@@ -1,3 +1,10 @@
+systemd (242-7ubuntu3.10) eoan; urgency=medium
+
+ * fix issues with muliplexed shmat calls and libseccomp 2.4.3 (LP: #1876055)
+ - d/p/lp-1853852-*: add backports based on the patches from LP #1853852
+
+ -- Alex Murray Fri, 12 Jun 2020 11:05:49 +0930
+
 systemd (242-7ubuntu3.9) eoan; urgency=medium
 
 * d/p/lp1867375/0001-network-Allow-to-configure-GW-even-UseRoutes-false.patch,
diff -Nru systemd-242/debian/patches/lp-1853852-seccomp-fix-multiplexed-system-calls.patch systemd-242/debian/patches/lp-1853852-seccomp-fix-multiplexed-system-calls.patch
--- systemd-242/debian/patches/lp-1853852-seccomp-fix-multiplexed-system-calls.patch 1970-01-01 09:30:00.000000000 +0930
+++ systemd-242/debian/patches/lp-1853852-seccomp-fix-multiplexed-system-calls.patch 2020-06-12 11:05:49.000000000 +0930
@@ -0,0 +1,65 @@
+From bed4668d1daeb640c1d55e79e6a1725c81118e39 Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt
+Date: Wed, 27 Nov 2019 09:52:07 +0100
+Subject: [PATCH] seccomp: fix multiplexed system calls
+
+Since libseccomp 2.4.2 more architectures have shmat handled as multiplexed
+call. Those will fail to be added due to seccomp_rule_add_exact failing
+on them since they'd need to add multiple rules [1].
+See the discussion at https://github.com/seccomp/libseccomp/issues/193
+
+After discussions about the options rejected [2][3] the initial thought of
+a fallback to the non '_exact' version of the seccomp rule adding the next
+option is to handle those now affected (i386, s390, s390x) the same way as
+ppc which ignores and does not block shmat.
+
+[1]: https://github.com/seccomp/libseccomp/issues/193
+[2]: https://github.com/systemd/systemd/pull/14167#issuecomment-559136906
+[3]: https://github.com/systemd/systemd/commit/469830d1
+
+Origin: upstream, https://github.com/systemd/systemd/commit/bed4668d1daeb640c1d55e79e6a1725c81118e39
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1853852
+Last-Update: 2019-12-09
+
+---
+ src/shared/seccomp-util.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -1520,10 +1520,14 @@ int seccomp_memory_deny_write_execute(vo
+
+ switch (arch) {
+
++ /* Note that on some architectures shmat() isn't available, and the call is multiplexed through ipc().
++ * We ignore that here, which means there's still a way to get writable/executable
++ * memory, if an IPC key is mapped like this. That's a pity, but no total loss. */
++
+ case SCMP_ARCH_X86:
+ filter_syscall = SCMP_SYS(mmap2);
+ block_syscall = SCMP_SYS(mmap);
+- shmat_syscall = SCMP_SYS(shmat);
++ /* shmat multiplexed, see above */
+ break;
+
+ case SCMP_ARCH_PPC:
+@@ -1531,9 +1535,7 @@ int seccomp_memory_deny_write_execute(vo
+ case SCMP_ARCH_PPC64LE:
+ filter_syscall = SCMP_SYS(mmap);
+
+- /* Note that shmat() isn't available, and the call is multiplexed through ipc().
+- * We ignore that here, which means there's still a way to get writable/executable
+- * memory, if an IPC key is mapped like this. That's a pity, but no total loss. */
++ /* shmat multiplexed, see above */
+
+ break;
+
+@@ -1591,7 +1593,7 @@ int seccomp_memory_deny_write_execute(vo
+ #endif
+
+ if (shmat_syscall > 0) {
+- r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat),
++ r = add_seccomp_syscall_filter(seccomp, arch, shmat_syscall,
+ 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
+ if (r < 0)
diff -Nru systemd-242/debian/patches/lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch systemd-242/debian/patches/lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch
--- systemd-242/debian/patches/lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch 1970-01-01 09:30:00.000000000 +0930
+++ systemd-242/debian/patches/lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch 2020-06-12 11:05:36.000000000 +0930
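Review bot: Dropping `shmat_syscall = SCMP_SYS(shmat);` from the `SCMP_ARCH_X86` case means the `SHM_EXEC` rule added at the end of the hunk is no longer installed on i386 at all, so MemoryDenyWriteExecute= loses its shmat() coverage there; that consequence is recorded only in the `/* shmat multiplexed, see above */` comment, and the Debian changelog entry in this upload does not mention it, so I would add a sentence to the changelog (or to the patch's header block) stating that shmat(SHM_EXEC) is no longer blocked on i386 with this libseccomp. The `if (shmat_syscall > 0)` guard now relies on the variable's initializer in seccomp_memory_deny_write_execute(), which starts outside the hunk — worth confirming it is set to 0 before the switch rather than left unset. Separately, the carried-over diffstat still claims 8 insertions and 8 deletions while the three hunks here add 7 lines and remove 5; the upstream s390/s390x hunk named in the commit message appears not to be carried in this backport, which the header should note (e.g. `[backport note: s390 hunk dropped — 242 has no such case]`, wording to be confirmed against 242's switch).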
@@ -0,0 +1,44 @@
+From 49219b5c2a654ee6639887aa21a78b41da0576f1 Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt
+Date: Wed, 4 Dec 2019 11:44:32 +0100
+Subject: [PATCH] seccomp: mmap test results depend on kernel/libseccomp/glibc
+
+Like with shmat already the actual results of the test
+test_memory_deny_write_execute_mmap depend on kernel/libseccomp/glibc
+of the platform it is running on.
+
+There are known-good platforms, but on the others do not assert success
+(which implies test has actually failed as no seccomp blocking was achieved),
+but instead make the check dependent to the success of the mmap call
+on that platforms.
+
+Finally the assert of the munmap on that valid pointer should return ==0,
+so that is what the check should be for in case of p != MAP_FAILED.
+
+Signed-off-by: Christian Ehrhardt
+
+Origin: upstream, https://github.com/systemd/systemd/commit/49219b5c2a654ee6639887aa21a78b41da0576f1
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1853852
+Last-Update: 2019-12-09
+
+---
+ src/test/test-seccomp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -492,10 +492,11 @@ static void test_memory_deny_write_execu
+ #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
+ assert_se(p == MAP_FAILED);
+ assert_se(errno == EPERM);
+-#else /* unknown architectures */
+- assert_se(p != MAP_FAILED);
+- assert_se(munmap(p, page_size()) >= 0);
+ #endif
++ /* Depending on kernel, libseccomp, and glibc versions, other architectures
++ * might fail or not. Let's not assert success. */
++ if (p != MAP_FAILED)
++ assert_se(munmap(p, page_size()) == 0);
+
+ p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
+ assert_se(p != MAP_FAILED);
diff -Nru systemd-242/debian/patches/series systemd-242/debian/patches/series
--- systemd-242/debian/patches/series 2020-05-09 01:58:53.000000000 +0930
+++ systemd-242/debian/patches/series 2020-06-12 11:05:28.000000000 +0930
@@ -111,3 +111,5 @@
 lp1873607/0002-core-make-sure-to-restore-the-control-command-id-too.patch
 lp1877271-network-drop-all-checks-of-ipv6_disabled-sysctl.patch
 lp1860926-network-Change-IgnoreCarrierLoss-default-to-value-of.patch
+lp-1853852-seccomp-fix-multiplexed-system-calls.patch
+lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch
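Review bot: After the `#endif`, an architecture outside the `#if defined(...)` list on which the seccomp filter did not take effect now passes this test silently, because the only remaining check is the `munmap()` under `if (p != MAP_FAILED)`; a lost W^X guarantee becomes a green run with nothing in the log. Keeping the relaxed assertion is fine, but the outcome should still be visible in the test output, e.g. `if (p != MAP_FAILED) { log_notice("mmap(PROT_EXEC|PROT_WRITE) was not blocked on this architecture"); assert_se(munmap(p, page_size()) == 0); }`. The enclosing test_memory_deny_write_execute_mmap() starts outside the hunk, so I am assuming `log_notice` is usable there as elsewhere in this test file.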