s/ENOTSUP/EOPNOTSUPP/ linux defines these errors to the same values, but the landlock doc uses `EOPNOTSUPP' consistently. Spotted initially by brynet@ and reminded by Mickaël Salaün, thanks! ok thomas

portable: add support for landlock landlock is a new set of linux APIs that is conceptually similar to unveil(2): the idea is to restrict what a process can do on a specified part of the filesystem. There are some differences in the behaviour: the major one being that the landlock ruleset is inherited across execve(2). This just restricts the libexec helpers by completely revoking ANY filesystem access; after all they are the biggest attack surface. got send/fetch/clone *may* end up spawning ssh(1), so at the moment is not possible to landlock the main process. From Omar Polo.