This came up in https://chromium-review.googlesource.com/1310174:
- socket(AF_UNIX) is OK for syslog
- socket(AF_INET) is probed by gRPC libs and there isn't a way to disable it easily
So ideally we'd have a filter like:
  socket: arg0 == AF_UNIX
  socket: arg0 == AF_INET; return EINVAL
minijail currently disallows more than one filter per syscall:
  minijail0: libminijail[185716]: duplicate label: '41_success'
  minijail0: libminijail[185716]: failed to compile seccomp filter BPF program in 'foo.policy'
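
For reference, the two-outcome rule requested above can be expressed as a single classic-BPF seccomp program. This is an added example, not minijail's code or its compiler output. It assumes a little-endian target, that address families other than the two listed are killed, and that non-socket syscalls are handled by the rest of the policy (modelled as ALLOW here). `socket_filter` and `run_filter` are names made up for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Constructed cBPF: one syscall, two outcomes. Assumes little-endian; the arch
 * check and the upper 32 bits of arg0 are left out to keep the example short. */
static const struct sock_filter socket_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* not socket(): hand over to the rest of the policy (ALLOW in this demo) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, 5),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 3, 0), /* match -> ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1), /* no match -> KILL */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EINVAL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Tiny interpreter for the three opcodes used above, so the verdicts can be
 * checked without installing the filter in a live process. */
static unsigned int run_filter(int nr, unsigned long long arg0) {
    struct seccomp_data d = { .nr = nr, .args = { arg0 } };
    unsigned int a = 0;
    for (size_t pc = 0; pc < sizeof(socket_filter) / sizeof(socket_filter[0]); pc++) {
        const struct sock_filter *f = &socket_filter[pc];
        switch (f->code) {
        case BPF_LD | BPF_W | BPF_ABS: /* A = 32-bit word at offset k */
            memcpy(&a, (const char *)&d + f->k, sizeof(a));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: /* relative jump on A == k */
            pc += (a == f->k) ? f->jt : f->jf;
            break;
        case BPF_RET | BPF_K:
            return f->k;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: fail closed */
}

int main(void) {
    printf("AF_UNIX=%#x AF_INET=%#x AF_INET6=%#x\n", run_filter(SYS_socket, AF_UNIX),
           run_filter(SYS_socket, AF_INET), run_filter(SYS_socket, AF_INET6));
    return 0;
}
```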