My preference would be not to have to require all task-isolation usersThat sounds like a great use case for the new libtaskisolation that
>to also figure out all the complexities of creating BPF programs, so
>my intention is to have task isolation automatically generate a BPF
>program (just allowing prctl/exit/exit_group and failing everything
>else with SIGSYS). To support having it work this way, I open up
>the seccomp stuff a little so that kernel clients can effectively
>push/pop a BPF program into seccomp:
someone is surely writing:)