convert nspawn syscall blacklist into a whitelist (and related stuff) by poettering · Pull Request #6818 · systemd/systemd

Let's beef up nspawn's seccomp logic a bit, and lock things down further.