[bagxrvxpepzn]

Sure seccomp has its flaws but it's not unworkable. You could just simply gate execution from running on any newer version of Linux of which you don't have a complete syscall list. Or variations on that theme if you need more flexibility.

[thomashabets2]

Well, you'll still need to build unveil/pledge on top of it, because it's not just "the version of Linux". It's all libraries used, directly and indirectly (incl config-based list of libraries, like in PAM), and what they suddenly decide to change even in a security-only patch.

The list of syscalls any code anywhere in the system calls is not a published contract with any guarantees.

> You could just

… is doing some heavy lifting here. "You could just" all but guarantee that your program will break in a couple of years for all users who do the responsible thing?

Sure, if you're building an appliance with a support contract, where you control everything, then that's doable. Servers/desktops/laptops, not so much.