systemd-nspawn disables system calls in an apparently random fashion. See bug 1770154. This leads to needless package build failures and makes it unsuitable for use in mock. Please switch to chroot mode by default to avoid these issues.
To be sure - it is sufficient to disable it only for fedora-rawhide-i386 config. Right?
No, the pidfd_open filter affects everyone. See bug 1774417 comment 2. I'll ask around for a simple sandbox replacement which still gives us the obvious benefit of namespaces (such as TCP/UDP port isolation), without all the hassle.
A lot of people put a lot of effort to learn Mock to use systemd-nspawn. I am not a big fan of turning everything off. I think this should be fixed in systemd-nspawn instead of Mock.
It should be already fixed (in updates-testing for F31 and rawhide). Latest systemd update and libseccomp are needed. It happened that a bunch of syscalls were added to the kernel, and nobody happened to hit them until now. As soon as the issue was reported, it was fixed. The fix is generally very simple, just adding a line to a table.
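The explanation above (nspawn's allow table simply lacking a newly added syscall) suggests a quick check a mock user can run inside the build container to tell a syscall blocked by the sandbox filter from one the kernel does not have. This is an added example, not code from the bug report, systemd or mock; it assumes a Linux host and the unified syscall number 434 for pidfd_open.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* pidfd_open(2) arrived in Linux 5.3 as syscall 434 on every architecture. */
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434
#endif

enum probe_result { PROBE_ALLOWED, PROBE_KERNEL_MISSING, PROBE_FILTERED, PROBE_OTHER_ERROR };

/* Map the errno of a failed call (0 = success): ENOSYS means the kernel predates the
 * syscall; EPERM is the errno action nspawn's seccomp filter (and Docker's) returns. */
enum probe_result classify_errno(int err)
{
    switch (err) {
    case 0:      return PROBE_ALLOWED;
    case ENOSYS: return PROBE_KERNEL_MISSING;
    case EPERM:  return PROBE_FILTERED;
    default:     return PROBE_OTHER_ERROR;
    }
}

/* Call pidfd_open on our own PID. A filter using a kill action instead of an
 * errno action would terminate us with SIGSYS rather than return an error. */
enum probe_result probe_pidfd_open(void)
{
    errno = 0;
    long fd = syscall(SYS_pidfd_open, (long)getpid(), 0L);
    if (fd >= 0) {
        close((int)fd);
        return PROBE_ALLOWED;
    }
    return classify_errno(errno);
}

const char *probe_name(enum probe_result r)
{
    static const char *const names[] = {"allowed", "kernel-missing (ENOSYS)", "filtered (EPERM)", "other error"};
    return names[r];
}

int main(void)
{
    enum probe_result r = probe_pidfd_open();
    printf("pidfd_open: %s\n", probe_name(r));
    return r == PROBE_ALLOWED ? 0 : 1;
}
```

Run it once on the host and once inside `mock --shell`: "filtered (EPERM)" in the container but "allowed" on the host points at the nspawn syscall table rather than the kernel.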
Thank you @zbyszek. I think we can close this BZ then.