"Compatibility level" like debhelper?

[smcv]

Several bwrap options have semantics and defaults that, with hindsight, are perhaps not what we would have wanted.

One way to improve on this might be to borrow an idea from Debian's debhelper, and have an argument to set the "compat level". The default if not specified would be compat level 0.

In newer compat levels, we could change the defaults to make more sense, even in ways that would be a compatibility break, because they won't affect callers that haven't opted in to the new behaviour. For example:

• bwrap --compat 1 --file 23 /foo could create /foo with default permissions 0644 instead of 0666
• bwrap --compat 1 --seccomp 23 --seccomp 42 (see RFE: a way to add more than one seccomp program #453) could be a fatal error, instead of just giving a warning

[smcv]

Another change to defaults that could make sense: in compat level >= 1, if none of --disable-userns, --assert-userns-disabled or a new --allow-userns is explicitly specified, default to --disable-userns. (At the moment the default has to be the equivalent of --allow-userns, for backwards compatibility.)

[smcv]

bwrap --compat 1 could perhaps also exit with status 125 (like env(1) does) when it encounters an internal error, instead of exiting with status 1 like it does now.