Filter what syscalls programs are allowed to call without needing root.
The main motivation for this tool was running a program without internet
access. It could've been done with unshare in theory, but using
messed up the program's perception of what the home path was.
Warning: this should not be used as a security tool!
$ git clone https://git.sr.ht/~nullp0tr/filt && cd filt && make
$ filt open close openat socket -- ls -la