This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

bad seccomp defaults; difficulties of dropping privileges; "Bad system call" #3951

Open
onlyjob opened this issue Aug 11, 2018 · 0 comments

onlyjob commented Aug 11, 2018

I've experienced unexpected difficulties in what I thought would be straightforward containerisation with rkt: inside the container, the daemon was just dying instead of starting.

After a while I figured out that it could not drop privileges, and indeed reproducing with /sbin/runuser -u www-data -- whoami returned Bad system call.

It took me a long while to find the counter-intuitive workaround in #3820 (comment):

--seccomp=mode=retain,@rkt/default-whitelist,errno=EPERM

which fixed the problem, and the reproducer /sbin/runuser -u www-data -- whoami now correctly responds with www-data.
I would never have been able to guess (or find) what is necessary to "fix" the problem in man pages or documentation.

I think we have a prominent case of incredibly restrictive defaults.
Let's improve it please.

Environment

rkt Version: 1.30.0
appc Version: 0.8.11
Go Version: go1.10.3
Go OS/Arch: linux/amd64
Features: -TPM +SDJOURNAL
--
Linux 4.9.0-7-amd64 x86_64
--
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
--
systemd 239
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid

What did you do?

--exec /sbin/runuser -- -u www-data whoami

What did you expect to see?

www-data

What did you see instead?

Bad system call
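
The two outcomes in this report match two Linux seccomp filter actions: a kill action ends the process with SIGSYS, which a shell reports as "Bad system call", while an errno action makes the blocked call fail with that error and lets the program carry on. The following is an added example, not code from the issue or from rkt; `run_blocked` is a hypothetical helper and `getppid` is a harmless stand-in for whatever syscall a whitelist does not cover.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Fork a child that filters getppid() with `action`, then calls it.
 * Returns -SIGNAL if the child was killed, the errno the call failed with,
 * 0 if the call succeeded, or 1000 if the filter could not be installed. */
int run_blocked(unsigned int action)
{
    pid_t pid = fork();
    if (pid < 0) return 1000;
    if (pid == 0) {
        /* Demo filter: a production filter also checks seccomp_data.arch. */
        struct sock_filter f[] = {
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
            BPF_STMT(BPF_RET | BPF_K, action),            /* the filtered call */
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* everything else */
        };
        struct sock_fprog prog = { .len = sizeof(f) / sizeof(f[0]), .filter = f };
        /* no_new_privs lets an unprivileged process install a filter. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(200);
        errno = 0;
        long r = syscall(__NR_getppid);
        _exit(r == -1 ? errno : 0);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return 1000;
    if (WIFSIGNALED(st)) return -WTERMSIG(st);
    return WEXITSTATUS(st) == 200 ? 1000 : WEXITSTATUS(st);
}

int main(void)
{
    printf("kill action : %d (-SIGSYS is %d)\n", run_blocked(SECCOMP_RET_KILL), -SIGSYS);
    printf("errno action: %d (EPERM is %d)\n", run_blocked(SECCOMP_RET_ERRNO | EPERM), EPERM);
    return 0;
}
```

A program that treats the failed call as optional keeps running under the errno action, whereas under the kill action it never gets the chance to handle the failure.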