Voluntary syscall filtering — how seccomp works, how it complements KACS, the Peios-specific PR_SET_NO_NEW_PRIVS semantics, and audit knobs for filter operations.