you can now disable opertions with cBPF, like you would be able to with seccomp for normal syscalls.