Seccomp blocks install of "libc6" in Ubuntu 20.04 "focal" image on armhf (arm32v7)

[thaJeztah]

Opening a tracking issue for this for further investigation. More details can be found in:

• [do not merge] debug seccomp-related issues on armhf (arm32v7) docker/containerd-packaging#151 (which I'm using as a debugging environment for this)
• Focal ARM32 builds are failing due to libc6 package installation dotnet/dotnet-docker#1747
  • https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1867675
  • (probably unrelated) https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1867431

Summary

Ubuntu 20.04 ("focal") on armhf (arm32) currently has an issue where it looks like seccomp is blocking a syscall that's used when installing libc6:

docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'

...
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack):
 dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

With seccomp disabled, installing libc6 is succesfull

docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=unconfined arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'

output of the above:

focal: Pulling from arm32v7/ubuntu
Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15
Status: Image is up to date for arm32v7/ubuntu:focal
docker.io/arm32v7/ubuntu:focal

Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB]
Get:6 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB]
Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB]
Fetched 12.9 MB in 5s (2427 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  gcc-10-base libc-bin libcrypt1 libgcc-s1
Suggested packages:
  manpages glibc-doc locales
The following NEW packages will be installed:
  gcc-10-base libcrypt1 libgcc-s1
The following packages will be upgraded:
  libc-bin libc6
2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded.
Need to get 2770 kB of archives.
After this operation, 618 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 2770 kB in 0s (10.7 MB/s)
Selecting previously unselected package gcc-10-base:armhf.
(Reading database ... 4126 files and directories currently installed.)
Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ...
Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Selecting previously unselected package libgcc-s1:armhf.
(Reading database ... 4132 files and directories currently installed.)
Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ...
Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ...
Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ...
Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ...
(Reading database ... 4134 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
Selecting previously unselected package libcrypt1:armhf.
Preparing to unpack .../libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb ...
Unpacking libcrypt1:armhf (1:4.4.10-10ubuntu4) ...
Setting up libcrypt1:armhf (1:4.4.10-10ubuntu4) ...
Setting up libc6:armhf (2.31-0ubuntu6) ...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
(Reading database ... 4137 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.31-0ubuntu6_armhf.deb ...
Unpacking libc-bin (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
Setting up libc-bin (2.31-0ubuntu6) ...

With seccomp enabled, installation fails:

docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'

output of the above:

focal: Pulling from arm32v7/ubuntu
Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15
Status: Image is up to date for arm32v7/ubuntu:focal
docker.io/arm32v7/ubuntu:focal

Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB]
Get:6 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB]
Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB]
Fetched 12.9 MB in 6s (2183 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  gcc-10-base libc-bin libcrypt1 libgcc-s1
Suggested packages:
  manpages glibc-doc locales
The following NEW packages will be installed:
  gcc-10-base libcrypt1 libgcc-s1
The following packages will be upgraded:
  libc-bin libc6
2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded.
Need to get 2770 kB of archives.
After this operation, 618 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 2770 kB in 1s (5278 kB/s)
Selecting previously unselected package gcc-10-base:armhf.
(Reading database ... 4126 files and directories currently installed.)
Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ...
Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Selecting previously unselected package libgcc-s1:armhf.
(Reading database ... 4132 files and directories currently installed.)
Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ...
Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ...
Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ...
Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ...
(Reading database ... 4134 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack):
 dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Information about the environment

docker version

Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea
 Built:             Wed Nov 13 07:38:47 2019
 OS/Arch:           linux/arm
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea
  Built:            Wed Nov 13 07:32:48 2019
  OS/Arch:          linux/arm
  Experimental:     true
 containerd:
  Version:          1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

docker info

Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.4.127-mainline-rev1
 Operating System: Ubuntu 16.04.5 LTS
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 1.974GiB
 Name: arm32v7-ubuntu-03
 ID: W2ZP:3XMC:TH2A:OMPM:V542:GKAR:S6Q3:YKZC:QQHT:ERP2:LNHR:427E
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Output of `check-config.sh`:

curl -fsSL https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh | bash
info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_NF_NAT_IPV4: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_NF_NAT_NEEDED: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_DEVPTS_MULTIPLE_INSTANCES: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_MEMCG_SWAP_ENABLED: enabled
    �[1;30m(cgroup swap accounting is currently enabled)
- CONFIG_MEMCG_KMEM: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_IOSCHED_CFQ: enabled
- CONFIG_CFQ_GROUP_IOSCHED: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
    - CONFIG_BRIDGE_VLAN_FILTERING: enabled
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled (as module)
      - CONFIG_CRYPTO_GCM: enabled (as module)
      - CONFIG_CRYPTO_SEQIV: enabled (as module)
      - CONFIG_CRYPTO_GHASH: enabled (as module)
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled (as module)
      - CONFIG_XFRM_ALGO: enabled
      - CONFIG_INET_ESP: enabled (as module)
      - CONFIG_INET_XFRM_MODE_TRANSPORT: enabled
  - "ipvlan":
    - CONFIG_IPVLAN: enabled (as module)
  - "macvlan":
    - CONFIG_MACVLAN: enabled (as module)
    - CONFIG_DUMMY: enabled (as module)
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_FTP: enabled (as module)
    - CONFIG_NF_NAT_TFTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: enabled (as module)
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled (as module)
    - CONFIG_BTRFS_FS_POSIX_ACL: enabled
  - "devicemapper":
    - CONFIG_BLK_DEV_DM: enabled (as module)
    - CONFIG_DM_THIN_PROVISIONING: enabled (as module)
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled (as module)
  - "zfs":
    - /dev/zfs: missing
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

[thaJeztah]

Mentioned by @DeeDeeG on docker/containerd-packaging#151 (comment)

Not sure if this is helpful, but there are things here that sound related. From the changelog for libc6 in Focal:

glibc (2.31-0ubuntu1) focal; urgency=medium

• Merge with current Debian git glibc-2.31.
• debian/patches/git-updates.diff: update from upstream stable branch.
• Ignore test failures for sysvipc/test-sysvmsg, sysvipc/test-sysvsem and
  sysvipc/test-sysvshm on 32bit architectures, failing on the xenial kernel,
  succeeding on the bionic and focal kernels.
• Restore the __glibc_has_include macro, needed until GCC is rebuilt
  to not include this in the fixed-include headers.
• Backport 5828bc4523230685ac29a4a882967913255f5666, making the clone3
  syscall known on arm64, fixing misc/tst-glibcsyscalls.
• Ignore some float tests for the non-default armel multilib variant.
  https://sourceware.org/ml/libc-alpha/2020-03/msg00074.html

-- Matthias Klose <doko [at] ubuntu.com> Fri, 06 Mar 2020 12:06:42 +0100

Particularly the point about changing syscalls on ARM.

• Backport 5828bc4523230685ac29a4a882967913255f5666, making the clone3
  syscall known on arm64, fixing misc/tst-glibcsyscalls.

[thaJeztah]

@AkihiroSuda @justincormack @cpuguy83 @tiborvass I could use some help on this to investigate what needs to be changed (does our default profile needs changing? does libsecomp itself needs a change to understand a new syscall? is this a bug in the package?)

[thaJeztah]

Oh, and perhaps @kolyshkin (as you like working on low-level stuff 😂)

[thaJeztah]

If it's indeed related to the clone3 syscall, I see that was added to libseccomp master in seccomp/libseccomp@bf747eb, and backported to the 2.4 release branch in seccomp/libseccomp#179, which is included in libseccomp 2.4.2 and up; https://github.com/seccomp/libseccomp/blob/v2.4.2/include/seccomp-syscalls.h#L251

[thaJeztah]

I guess the default profile may need to have some of the new syscalls (added in seccomp/libseccomp@bf747eb) added to the whitelist

[thaJeztah]

Opened a PR to add the 64-bit time_t syscalls to the seccomp profile: #40739

To be looked at:

These syscalls are also new (and added to libseccomp in seccomp/libseccomp@bf747eb), but need to be looked at separately

• clone3 (equivalent of clone? which was not whitelisted)
• fsconfig
• fsmount
• fsopen
• fspick
• move_mount
• open_tree
• pidfd_open
• pidfd_send_signal

[thaJeztah]

Changing the profile unfortunately didn't solve the problem: the problem looks to be the libseccomp version. When installing libseccomp 2.4.3, the problem does not reproduce.

Unfortunately, that version is not available on Ubuntu versions < 20.03 (https://packages.ubuntu.com/search?keywords=libseccomp2).

So for debugging, I installed the package from the ubuntu 20.03 repository.

What it comes down to;

The container we're running (ubuntu:20.03) makes a syscall that's introduced in Linux 5.x, but docker in this case is running on a 4.x kernel (the host is Ubuntu 16.04). The version of libseccomp installed on the host is not taking kernel 5.x syscalls into account, receives an error, and (likely) in that case blocks the syscall.

Solutions for this would be to;

• ask Ubuntu and Debian package maintainers to provide libseccomp 2.4.3 packages for older (LTS) releases. It's a patch release, so possibly acceptable for them. On the other hand; it's adding "features" for a kernel version that's not used by those versions of Ubuntu / Debian.
• somehow make libseccomp handle "unknown" syscalls, and perhaps allow them (instead of blocking)? (not exactly sure how it's handling these, so I'd have to read up on that); probably that's the same (similar) as changing our "whitelist" to a "blacklist" (which could weaken security)

[DeeDeeG]

To reach out to Ubuntu, one can try the ubuntu-devel-discuss mailing list: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss (must subscribe to the list before sending mail in, or else your opst will sit in a moderation queue for who knows how long...)

I'm not sure where the best point of contact would be for debian... They have this: https://lists.debian.org/debian-devel/ (Seems pretty busy, IMO. But at least most threads get a response.)

Edit to add: The individual debian package maintainers for libseccomp2, and their email addresses, are listed here: https://packages.debian.org/unstable/libseccomp2

[tianon]

Given the goal is to get it into both Debian and Ubuntu's stable releases, I'd suggest starting with the Debian package maintainers. They're probably not going to want to do the minor patch bump in stable unless it's just the minimal patch (and the release team will be the final deciders anyhow, and they're typically pretty strict about wanting patches to be minimal unless you've got a really compelling reason to do otherwise), so I'd suggest creating a patch of the absolute bare minimum (which I guess would be either https://github.com/seccomp/libseccomp/commit/bf747eb21e428c2b3ead6ebcca27951b681963a0.patch or more likely https://github.com/seccomp/libseccomp/commit/be65b26b67099be2b2b4890d736dbd1ad15adf36.patch since that's the exact 2.4-backport comimt) and including in your communication that upstream backported it to 2.4 in v2.4.2 (which is where your patch comes from).

As for contacting the maintainers, you could try emailing libseccomp@tracker.debian.org, but you're likely to have better luck via a proper bug (and I'd suggest using the reportbug tool from an up-to-date Buster system to file that so it can include useful metadata for the maintainers).

Concurrently, I'd suggest contacting the Ubuntu libseccomp maintainers in the same way, although via https://bugs.launchpad.net/ubuntu/+source/libseccomp (I believe reportbug on an Ubuntu system will work there as well, but I don't think it's quite as strongly preferred in Ubuntu, especially since you've got plenty of detail you can provide about the issue and your proposed fix, including a patch).