diff --git a/internal/pkg/exec.go b/internal/pkg/exec.go
index bb0c7ba..7b1d7f3 100644
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -365,6 +365,10 @@ func scanVerbose(
 }
 }
+// SeccompPresets is the [seccomp] presets used by exec artifacts.
+const SeccompPresets = std.PresetStrict &
+ ^(std.PresetDenyNS | std.PresetDenyDevel)
+
 // cure is like Cure but allows optional host net namespace. This is used for
 // the [KnownChecksum] variant where networking is allowed.
 func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
@@ -388,8 +392,7 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 z := container.New(ctx, f.GetMessage())
 z.WaitDelay = execWaitDelay
- z.SeccompPresets |= std.PresetStrict &
- ^(std.PresetDenyNS | std.PresetDenyDevel)
+ z.SeccompPresets = SeccompPresets
 z.SeccompFlags |= seccomp.AllowMultiarch
 z.ParentPerm = 0700
 z.HostNet = hostNet
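Review bot: The doc comment on the new exported `SeccompPresets` does not say that the value is `std.PresetStrict` with `std.PresetDenyNS` and `std.PresetDenyDevel` cleared, which is what a caller relying on this filter needs to know. Now that the mask is package API, the comment should name the two cleared presets, e.g. `// SeccompPresets is the [seccomp] presets used by exec artifacts: PresetStrict with PresetDenyNS and PresetDenyDevel cleared.` The reason exec artifacts need those two relaxed is not visible in this hunk, so the author should add it to the comment.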
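Review bot: Replacing `|=` with `=` on `z.SeccompPresets` in `cure` discards any preset bits that `container.New` may already have set on `z`, where the old code kept them. Whether `container.New` returns a non-zero `SeccompPresets` is not visible here; if it does, this assignment silently loosens the filter. Either keep the OR, `z.SeccompPresets |= SeccompPresets`, or add a comment such as `// overwrite: exec artifacts use exactly SeccompPresets` so the change is clearly intended. The next line, `z.SeccompFlags |= seccomp.AllowMultiarch`, still uses `|=`, and the body of `cure` starts and ends outside the hunk.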