+* nspawn: if /var/log/journal/<container machine id> exists in both
+ the container and the host mount one to the other so that the
+ containers logs are stored and visible on the host.
+
+* syscall filter: add knowledge about compat syscalls
+
+* syscall filter: don't enforce no new privs?
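Review bot: The last entry, "syscall filter: don't enforce no new privs?", proposes relaxing a privilege restriction but is worded as a bare question, with no rationale and no condition under which the enforcement would be dropped. Please state the motivating case and what would still be enforced, so the item is not later read as a blanket removal. The "compat syscalls" entry would also be easier to act on if it said what the filter currently lacks, for example whether compat calls are unmatched or unresolvable by name. In the nspawn entry, "mount one to the other" leaves the direction open. Since the stated goal is that logs are "stored and visible on the host", say explicitly that the host directory is mounted into the container. Also, "containers logs" should read "container's logs".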