diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
new file mode 100644
index 0000000000..382fca6cdb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
@@ -0,0 +1,90 @@
+From 9a71b1122c6e49dd9227f82b2f53837c7ea13019 Mon Sep 17 00:00:00 2001
+From: Jay Faulkner
+Date: Fri, 20 Feb 2015 21:59:47 +0000
+Subject: nspawn: Map all seccomp filters to capabilities
+
+This change makes it so all seccomp filters are mapped
+to the appropriate capability and are only added if that
+capability was not requested when running the container.
+
+This unbreaks the remaining use cases broken by the
+addition of seccomp filters without respecting requested
+capabilities.
+
+Co-Authored-By: Clif Houck
+
+[zj: - adapt to our coding style, make struct anonymous]
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 8ce5fbe..8833704 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -2567,19 +2567,19 @@ static int setup_ipvlan(pid_t pid) {
+ static int setup_seccomp(void) {
+
+ #ifdef HAVE_SECCOMP
+- static const int blacklist[] = {
+- SCMP_SYS(kexec_load),
+- SCMP_SYS(open_by_handle_at),
+- SCMP_SYS(iopl),
+- SCMP_SYS(ioperm),
+- SCMP_SYS(swapon),
+- SCMP_SYS(swapoff),
+- };
+-
+- static const int kmod_blacklist[] = {
+- SCMP_SYS(init_module),
+- SCMP_SYS(finit_module),
+- SCMP_SYS(delete_module),
++ static const struct {
++ uint64_t capability;
++ int syscall_num;
++ } blacklist[] = {
++ { CAP_SYS_RAWIO, SCMP_SYS(iopl)},
++ { CAP_SYS_RAWIO, SCMP_SYS(ioperm)},
++ { CAP_SYS_BOOT, SCMP_SYS(kexec_load)},
++ { CAP_SYS_ADMIN, SCMP_SYS(swapon)},
++ { CAP_SYS_ADMIN, SCMP_SYS(swapoff)},
++ { CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at)},
++ { CAP_SYS_MODULE, SCMP_SYS(init_module)},
++ { CAP_SYS_MODULE, SCMP_SYS(finit_module)},
++ { CAP_SYS_MODULE, SCMP_SYS(delete_module)},
+ };
+
+ scmp_filter_ctx seccomp;
+@@ -2597,7 +2597,10 @@ static int setup_seccomp(void) {
+ }
+
+ for (i = 0; i < ELEMENTSOF(blacklist); i++) {
+- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
++ if (arg_retain & (1ULL << blacklist[i].capability))
++ continue;
++
++ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i].syscall_num, 0);
+ if (r == -EFAULT)
+ continue; /* unknown syscall */
+ if (r < 0) {
+@@ -2606,19 +2609,6 @@ static int setup_seccomp(void) {
+ }
+ }
+
+- /* If the CAP_SYS_MODULE capability is not requested then
+- * we'll block the kmod syscalls too */
+- if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
+- for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
+- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
+- if (r == -EFAULT)
+- continue; /* unknown syscall */
+- if (r < 0) {
+- log_error_errno(r, "Failed to block syscall: %m");
+- goto finish;
+- }
+- }
+- }
+
+ /*
+ Audit is broken in containers, much of the userspace audit
+--
+cgit v0.10.2
+
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r7.ebuild
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r6.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r7.ebuild
index a4cf04c465..f41890c3ba 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-218-r7.ebuild
@@ -190,6 +190,9 @@ fi epatch "${FILESDIR}"/218-0004-timesyncd-enable-timesyncd-in-virtual-machines.patch epatch "${FILESDIR}"/218-0005-network-add-UseNTP-DHCP-option.patch + # Fix for coreos/bugs #293 + epatch "${FILESDIR}"/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch + autotools-utils_src_prepare }
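Review bot: Keying each syscall to a capability in the new blacklist table makes the filter conditional on arg_retain, so every entry whose capability the container keeps is left unfiltered: open_by_handle_at, swapon and swapoff go unblocked whenever CAP_SYS_ADMIN is retained, and kexec_load whenever CAP_SYS_BOOT is, whereas the removed table blocked all six unconditionally. If either capability is in nspawn's default retained set (not visible in this hunk), a default container loses filtering it had before, and neither the commit message, which frames the change only as unbreaking use cases, nor setup_seccomp itself says that this is intended, since the explanatory comment of the removed kmod block was dropped rather than carried over. I would put above the table: `/* An entry is skipped when its capability is in arg_retain (default set or --capability=), so the filter only backs up capabilities the container does NOT have. */` and state the default-set interaction in the commit message. As a point of style, `capability` is used only as a shift count, so `int capability;` reads more naturally than `uint64_t capability;`. setup_seccomp continues outside the hunk.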
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r2.ebuild
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r2.ebuild
index c7fa9d38e4..a981d7d5c8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-219-r2.ebuild
@@ -186,6 +186,8 @@ fi
 # Allow timesyncd in VMs, make DHCP provided NTP servers optional
 epatch "${FILESDIR}"/219-0001-timesyncd-enable-timesyncd-in-virtual-machines.patch
 epatch "${FILESDIR}"/219-0002-network-add-UseNTP-DHCP-option.patch
+ # Fix for coreos/bugs #293
+ epatch "${FILESDIR}"/219-0003-nspawn-map-all-seccomp-filters-to-capabilities.patch
 
 autotools-utils_src_prepare
 }