systemd version the issue has been seen with

From 96bedbe nspawn: replace syscall blacklist with a whitelist

... v239 v238 v237 v236 v235.

Unexpected behaviour you saw

Function swapcontext is out of system call filter whitelist of nspawn. Anyone of {get,set,make,swap}context is not available on PowerPC 32-bit (i.e. PPC32) container by default.

Use case: Fibers of Ruby is not available in PPC32 container.
https://bugs.ruby-lang.org/issues/14883

Steps to reproduce the problem

Part. 1

nspawn a PPC32 container, run Ruby code:

fib = Enumerator.new do |y|
  y << "FOO"
  y << "BAR"
end
puts fib.next

It should print "FOO", but it segmentation fault.

Part. 2

#include <ucontext.h>
#include <errno.h>
int main() {
    ucontext_t c;
    if (getcontext(&c) < 0)
        return errno;
    return 0;
}

It should return 0, but it returned 1 (EPERM).

Notes

A fiber uses getcontext() function to get the current context, to construct a new context, and uses makecontext() to switch context, so we have a nice lightweight userspace "thread" (or coroutine, fiber etc.).

The underlying call of getcontext() depends on architectures.

I checked source code from glibc (/sysdeps/unix/sysv/linux):

aarch64: rt_sigprocmask
sparc64: trap 0x6e
sparc32: rt_sigprocmask
sh3: sigprocmask
sh4: sigprocmask
i386: sigprocmask
arm: sigprocmask
powerpc64: sigprocmask
powerpc32: swapcontext
alpha: osf_sigprocmask
s390-32: rt_sigprocmask
s390-64: rt_sigprocmask
nios2: rt_sigprocmask
ia64: rt_sigprocmask
hppa: sigprocmask
x86_64: rt_sigprocmask
m680x0: sigprocmask

We already have {,rt_}sigprocmask in whitelist now (@signal), but there is no swapcontext.

The syscall swapcontext() is a kind of mixture of {get,set,make,swap}context. Semantically it may be not suitable for @signal, we can put it in here: