Re: [PATCH] syscalls: Document OCI seccomp filter interactions & workaround
From: Christoph Hellwig <hch@infradead.org>
Date: 2020-11-24 13:37:43
Also in:
linux-doc, lkml
On Tue, Nov 24, 2020 at 01:08:20PM +0100, Florian Weimer wrote:
> This documents a way to safely use new security-related system calls while preserving compatibility with container runtimes that require insecure emulation (because they filter the system call by default). Admittedly, it is somewhat hackish, but it can be implemented by userspace today, for existing system calls such as faccessat2, without kernel or container runtime changes.
I think this is completely insane. Tell the OCI folks to fix their completely broken specification instead.