Description
(Premise: Because seccomp is complicated by design, it's useful to give people options to debug and experiment.)

Thus, for example, for a program that has a built-in list of syscalls to allow, I want to give the user the option to list syscalls to deny (via a `SECCOMP_SYSCALL_DENY` env). (This could be used, for another example, if we release a first version with a very generic filter but want to let the user check their workflow with some syscall being denied.)

This is suddenly a complicated task for the current libseccomp. This is because `seccomp_rule_add` returns `-EACCES` if the rule action equals the default action of the filter.

So it would be nice to have the ability to add a rule with the default action, which then prevents adding a rule with other actions.