Seccomp filters: permission denied

Security features fall apart on corner cases all the time. I think this sort of security item might work if it came first and most of the kernel API/ABI's after it.. mainly because you can find the corner cases as you add code. Doing it the opposite way means you don't know about them until they come in and have to build long/weird "oh case of X we need to do Y except on Tuesdays."