Is there any mitigation for ROP gadget chaining in order to make a
syscall to open a shell within dom0? Can seccomp-strict be loaded into
the dom0 kernel?
syscall filtering using seccomp-strict C library might be a mitigation to this
vulnerability.