c565a7abd1
Allow-list filter @system-service excludes some syscalls Go's runtime + restic's file scanner reach for; init job died immediately with "bad system call (core dumped)".

CapabilityBounding already constrains what root can do; the Protect*/Restrict* toggles still cover network / kernel / mount / namespace. Net effect on the threat model is negligible vs. the operational cost.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>