System call interception for unprivileged containers
Posted Jun 30, 2022 10:19 UTC (Thu) by snajpa (subscriber, #73467)
Parent article: System-call interception for unprivileged containers
Has anyone actually tried to implement these things in the kernel? seems to me like nobody's even going to be trying, like it's been pre-decided we're just running down this path of "offload everything contentious to userspace, to make it even more contentious in the future, as to how to solve these new problems we created by doing that meanwhile"... at vpsFree.cz, we run our own kernel patches, which modify sysinfo() according to cgroups, allow mknod, etc. in production, it's the best way to do it - otherwise you'll keep running into these nesting issues, etc. - yes, yes, we can argue about how exactly these things should be implemented, but as we can see, the original approach of leaving the hard things for later in the hope it'll make everything much more universal, doesn't work so well (see the whole cgroups v1 debacle as a whole)
srsly what's so hard about it - other than a few developers' attitude towards such changes...
I think this all comes down to people being ok with calling this half-baked thing we have in kernel "containers". Privileged or not, it still has a long way to go to be called that, IMHO.