lablup / backend.ai-jail

A programmable security sandbox for Backend.AI kernels


Use seccomp's add_rule_conditional

sanxiyn opened this issue · comments

Currently, if we need to hook, say, ioctl request 42, all ioctl requests are trapped to user space, because we use seccomp's add_rule method, like add_rule(ioctl).

We can do better. If we use seccomp's add_rule_conditional method instead, like add_rule_conditional(ioctl, arg2 == 42), only ioctl request 42 is trapped to user space, because the comparison check is done in kernel space. This may improve performance.

Note on using libseccomp: if we want to trap ioctl request 42, but allow ioctl otherwise, we can't do add_rule_conditional(Trap, ioctl, arg2 == 42) then add_rule(Allow, ioctl). The latter must be add_rule_conditional(Allow, ioctl, arg2 != 42) instead.

This is documented in seccomp_rule_add(3):

All of the filter rules supplied by the calling application are combined into a union, with additional logic to eliminate redundant syscall filters. For example, if a rule is added which allows a given syscall with a specific set of argument values and later a rule is added which allows the same syscall regardless the argument values then the first, more specific rule, is effectively dropped from the filter by the second more generic rule.
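The following is an added example, not code from this issue or from the backend.ai-jail project. It shows what the conditional rule described above amounts to once a libseccomp filter is loaded: a seccomp-bpf program in which the kernel itself loads the ioctl request argument and compares it with 42, so only that one request returns SECCOMP_RET_TRAP and every other ioctl returns SECCOMP_RET_ALLOW without a trip to user space. Because raw BPF is ordered explicitly, the "trap if == 42, otherwise allow" split is one program here rather than the two complementary libseccomp rules the issue calls for. The argument index (1, zero-based, i.e. the request argument of ioctl(fd, request, ...)), the request value 42, the architecture (x86-64 or aarch64, both little-endian) and the fail-closed handling are assumptions of this example. A small evaluator runs the program on constructed `struct seccomp_data` inputs so the decisions can be checked without installing the filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* older UAPI headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Assumption: one of the two little-endian architectures below. */
#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "example written for little-endian x86-64 / aarch64"
#endif

/* Constructed value: the one ioctl request we want delivered to user space. */
#define IOCTL_REQ_TRAPPED 42ull

/* Offsets into struct seccomp_data; args are 64-bit, low word first (little-endian). */
#define SD_ARCH       offsetof(struct seccomp_data, arch)
#define SD_NR         offsetof(struct seccomp_data, nr)
#define SD_ARG_LO(i)  (offsetof(struct seccomp_data, args) + (i) * sizeof(uint64_t))
#define SD_ARG_HI(i)  (SD_ARG_LO(i) + sizeof(uint32_t))

static const struct sock_filter ioctl_filter[] = {
    /* 0-2: refuse a foreign architecture; syscall numbers would not match. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-4: anything other than ioctl is allowed (jump to instruction 10). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 5),
    /* 5-8: compare both halves of args[1]; a low-word-only compare would also
       match requests such as (1<<32)|42, which libseccomp avoids the same way. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG_HI(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)(IOCTL_REQ_TRAPPED >> 32), 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG_LO(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)IOCTL_REQ_TRAPPED, 0, 1),
    /* 9: request 42 -> SIGSYS to the supervisor; 10: every other ioctl -> allow. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

size_t filter_len(void)
{
    return sizeof ioctl_filter / sizeof ioctl_filter[0];
}

/* Minimal interpreter for the three instruction forms used above, mirroring
   what the kernel does with the loaded program. Unknown opcodes or out-of-bounds
   loads fail closed. */
uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof acc > sizeof *sd)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const uint8_t *)sd + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Decide one constructed syscall: which action does the filter return? */
uint32_t decide(uint32_t arch, int nr, uint64_t request)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.arch = arch;
    sd.nr = nr;
    sd.args[1] = request;   /* ioctl's request argument */
    return run_filter(ioctl_filter, filter_len(), &sd);
}

/* What a jail would call in the child before exec; not exercised by the tests. */
int install_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)filter_len(),
        .filter = (struct sock_filter *)ioctl_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("ioctl(42)  -> %#x (trap  = %#x)\n", decide(EXAMPLE_ARCH, __NR_ioctl, 42), SECCOMP_RET_TRAP);
    printf("ioctl(7)   -> %#x (allow = %#x)\n", decide(EXAMPLE_ARCH, __NR_ioctl, 7), SECCOMP_RET_ALLOW);
    printf("read(...)  -> %#x (allow = %#x)\n", decide(EXAMPLE_ARCH, __NR_read, 42), SECCOMP_RET_ALLOW);
    return 0;
}
```

The evaluator reproduces the kernel's decision, so the cost model is visible: for an ioctl with any request other than 42, the program returns ALLOW after two compares and the supervisor never wakes up, which is the saving the issue is after. With libseccomp, the same program is produced by a Trap rule on `arg == 42` plus an Allow rule on `arg != 42`; a plain unconditional Allow rule for ioctl would, per the seccomp_rule_add(3) text quoted above, subsume the conditional one.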