helper: block more unusual/privileged syscalls

These are toggled by F_EXT and exposed as SyscallPolicy.Compat in the Go interface.

Signed-off-by: Ophestra <cat@gensokyo.uk>

helper/bwrap/seccomp.go

@@ -30,6 +30,7 @@ type (
 )
 
 const (
+	flagExt       syscallOpts = C.F_EXT
 	flagDenyNS    syscallOpts = C.F_DENY_NS
 	flagDenyTTY   syscallOpts = C.F_DENY_TTY
 	flagDenyDevel syscallOpts = C.F_DENY_DEVEL