> Why do we keep having to fix these crashes one by one over such a long period of time?
In this case I think this is a consequence of the allow-list nature of the seccomp filters - as glibc changes to implement various functions via different primitive system calls, or the kernel changes to add new system calls and glibc starts to make use of these, the seccomp filter needs to be updated to take this into account.
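
An added illustration, not part of the original comment or the project's code: a seccomp allow-list written when `open()` issued the `open` syscall, evaluated in userspace against the `openat` syscall that glibc's `open()` wrapper now issues. Assumptions: the syscall list, the hard-coded x86_64 syscall numbers, and the small interpreter (`run_filter`, `allowed`) are constructed for this example; nothing is installed in the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* x86_64 syscall numbers, hard-coded so the example is self-contained. */
enum { NR_read = 0, NR_write = 1, NR_open = 2, NR_exit_group = 231, NR_openat = 257 };

/* One allow-list entry: if nr matches, return ALLOW, else fall through. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Constructed allow-list, written against a libc whose open() used SYS_open. */
static const struct sock_filter allow_list[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(NR_read), ALLOW(NR_write), ALLOW(NR_open), ALLOW(NR_exit_group),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* default: anything else dies */
};

/* Userspace evaluation of the classic-BPF subset used above
   (load word, jump-if-equal, return). */
static uint32_t run_filter(const struct sock_filter *f, size_t len, uint32_t nr)
{
    struct seccomp_data d = { .nr = (int)nr };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (f[pc].k > sizeof d - sizeof acc) return SECCOMP_RET_KILL;
            memcpy(&acc, (const char *)&d + f[pc].k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
            break;
        case BPF_RET | BPF_K:
            return f[pc].k;
        default:
            return SECCOMP_RET_KILL; /* opcode outside the subset: deny */
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end: deny */
}

static int allowed(uint32_t nr)
{
    return run_filter(allow_list, sizeof allow_list / sizeof allow_list[0], nr)
           == SECCOMP_RET_ALLOW;
}

int main(void)
{
    printf("open   -> %s\n", allowed(NR_open) ? "allow" : "kill");
    printf("openat -> %s\n", allowed(NR_openat) ? "allow" : "kill");
    return 0;
}
```

The application code calling `open()` is unchanged in both cases; only the syscall number reaching the filter differs, which is why each such change surfaces as a separate crash.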