There's also SECCOMP_RET_USER_NOTIF, which is typically used by container runtimes for their sandboxing.

SECCOMP_RET_USER_NOTIF seems to involve sending a struct over an fd on each syscall. Do they really use it? Performance ought to suffer.

Also gVisor (aka runsc) is a container runtime as well. And it doesn't gatekeep syscalls but chooses to re-implement them in userland.

	▲	xuhu 2 hours ago \| parent [-]
		SECCOMP_RET_USER_NOTIF appears to switch between the tracee and tracer processes for each syscall. Using SECCOMP_RET_TRAP to trigger a SIGSYS for every syscall in IO intensive apps introduces 5% overhead (and avoids a separate tracer). I wonder if there's any mechanism that works for intercepting static ELF's like Go programs and such.