pub const BLOCKED_SYSCALLS: &[&str];
Syscalls that should be blocked in seccomp-bpf profiles.
Following the field guide: “A tight seccomp profile blocks syscalls that expand kernel attack surface or enable escalation.”