seitan diagram

* **build-filter**
  * build BPF binary-search tree
* **build-table**
  * build transformation table
* **seitan-loader**
  * load BPF blob
  * attach filter
  * call blocking syscall
  * on return, start binary
* **seitan**
  * load transformation table blob
  * listen to netlink proc connector
  * look for seitan-loader, once found:
    * get seccomp notifier via pidfd_getfd()
    * listen to it, new syscall:
      * look up in transformation table
      * load args from memory
      * execute transformation, unblock, or block
      * return, optionally injecting context
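
The "build BPF binary-search tree" step can be pictured with the sketch below. It is an added illustration, not seitan's own build-filter code: it lays out a balanced binary search over a sorted set of syscall numbers as classic BPF instructions that return `SECCOMP_RET_USER_NOTIF` for watched syscalls and `SECCOMP_RET_ALLOW` otherwise, then checks the program with a small user-space interpreter. The instruction layout, the helper names (`INSN`, `emit`, `run`, `verdict`) and the sample syscall set are assumptions, and the check of `seccomp_data.arch` that a real filter performs first is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define INSN(c, k, t, f) ((struct sock_filter)BPF_JUMP((c), (k), (t), (f)))
/* Emit a balanced binary search over sorted nr[lo..hi] at prog[pc]; returns the next
 * free slot. cBPF jump offsets are 8-bit, so a left subtree must stay under 256 insns. */
static int emit(struct sock_filter *prog, int pc, const int *nr, int lo, int hi)
{
    if (lo > hi) {                                   /* empty range: not watched */
        prog[pc] = INSN(BPF_RET | BPF_K, SECCOMP_RET_ALLOW, 0, 0);
        return pc + 1;
    }
    int mid = lo + (hi - lo) / 2, jgt = pc + 2;
    prog[pc] = INSN(BPF_JMP | BPF_JEQ | BPF_K, nr[mid], 0, 1);
    prog[pc + 1] = INSN(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF, 0, 0);
    int right = emit(prog, pc + 3, nr, lo, mid - 1); /* left subtree follows the JGT */
    prog[jgt] = INSN(BPF_JMP | BPF_JGT | BPF_K, nr[mid], right - (jgt + 1), 0);
    return emit(prog, right, nr, mid + 1, hi);       /* right subtree */
}

/* User-space interpreter for the four opcodes emitted above (testing aid only). */
static uint32_t run(const struct sock_filter *p, int len, const struct seccomp_data *d)
{
    uint32_t a = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *i = &p[pc];
        if (i->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&a, (const char *)d + i->k, 4);
        else if (i->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += a == i->k ? i->jt : i->jf;
        else if (i->code == (BPF_JMP | BPF_JGT | BPF_K)) pc += a > i->k ? i->jt : i->jf;
        else if (i->code == (BPF_RET | BPF_K)) return i->k;
        else break;                                  /* opcode this sketch does not model */
    }
    return SECCOMP_RET_KILL_PROCESS;                 /* fail closed */
}

/* Verdict for one syscall number against a constructed, sorted sample set. */
static uint32_t verdict(int syscall_nr)
{
    /* constructed sample, x86_64 numbers: socket, connect, bind, mount, openat */
    static const int watched[] = { 41, 42, 49, 165, 257 };
    struct sock_filter prog[64];
    struct seccomp_data d = { .nr = syscall_nr };
    prog[0] = INSN(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr), 0, 0);
    return run(prog, emit(prog, 1, watched, 0, 4), &d);
}

int main(void) { printf("read=%#x connect=%#x\n", verdict(0), verdict(42)); return 0; }
```

With n watched syscalls the program is 4n + 2 instructions long, and any verdict is reached after roughly log2(n) comparison pairs rather than a linear chain of n equality tests.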