LXC generates and loads the seccomp-bpf filter in the host/container which spawn the new container. In other words, userspace N is responsible for generating and loading the seccomp-bpf filter which restricts userspace N + 1. Assume 64bit kernel and 32bit userspace running a 64bit container. In this case the 32-bit x86 userspace is used to create a seccomp-bpf filter for a 64-bit userspace. Unless one explicitly adds the 64-bit ABI to the libseccomp filter, or adjusts the default behavior for "BAD_ARCH", *all* 64-bit x86 syscalls will be blocked. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Suggested-by: Paul Moore <paul@paul-moore.com>