Hi Al,

Might it make sense to specify these lookup restrictions when opening
the directory (O_ROOT?) instead of specifying them for each lookup with
AT_* (or supporting both)? This might make it more useful when passing
directory fds between processes that do not use seccomp (where
AT_BENEATH could be enforced).

For my sandboxing use case, I'd be happy with either solution, though.
Is there anything I can do to help move this forward?

Best regards,
Jürg
