seccomp
The seccomp manual page notes that on early kernel versions, seccomp could be bypassed through ptrace (PoC):
Before kernel 4.8, the seccomp check will not be run again after the tracer is notified. (This means that, on older kernels, seccomp-based sandboxes must not allow use of ptrace(2)—even of other sandboxed processes—without extreme care; ptracers can use this mechanism to escape from the seccomp sandbox.)
Note that a tracer process will not be notified if another filter returns an action value with a precedence greater than SECCOMP_RET_TRACE.
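As an added example (not code from the manual page or any project), here is a seccomp-bpf policy that enforces the advice quoted above by refusing ptrace(2) with EPERM, plus a small user-space evaluator for the three cBPF opcodes the policy uses, so the policy can be checked without installing it. The function names `eval_filter` and `install_no_ptrace_filter`, the policy itself and the architecture handling are this example's own assumptions.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR 0 /* unknown ABI: install_no_ptrace_filter() refuses to install */
#endif
/* Policy (constructed for this example): ABI check, then deny ptrace(2) with EPERM. */
static struct sock_filter filter[] = {
    /* Syscall numbers differ between ABIs, so a foreign ABI is killed outright. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* ERRNO has higher precedence than SECCOMP_RET_TRACE, so no tracer sees this call. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
/* Evaluate the policy in user space for one (arch, nr) pair; returns the seccomp action word. */
unsigned int eval_filter(unsigned int arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    unsigned int acc = 0;
    for (size_t pc = 0; pc < sizeof filter / sizeof filter[0];) {
        const struct sock_filter *in = &filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) { memcpy(&acc, (char *)&d + in->k, 4); pc++; }
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += 1 + (acc == in->k ? in->jt : in->jf);
        else if (in->code == (BPF_RET | BPF_K)) return in->k;
        else break; /* opcode not modelled by this evaluator */
    }
    return SECCOMP_RET_KILL;
}
/* Install the policy for the calling thread: 0 on success, -1 with errno set. */
int install_no_ptrace_filter(void)
{
    struct sock_fprog prog = { (unsigned short)(sizeof filter / sizeof filter[0]), filter };
    if (ARCH_NR == 0) { errno = ENOSYS; return -1; }
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for unprivileged callers */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Lower action values take precedence in seccomp, which is why the evaluator result for ptrace compares below SECCOMP_RET_TRACE.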