Trying to build a minimal runtime profile for a Go binary in NanoClaw. The default seccomp is too permissive for my case. My custom filter blocks everything except `read`, `write`, `exit`, `nanosleep`, `futex`, `mmap`, `munmap`, `brk`, `rt_sigreturn`.

But the process fails with `permission denied` (EPERM) on `mmap`. If I allow `mmap` unconditionally, it works. The issue seems to be with the `args` for `mmap` filtering.

Here's the failing rule:

```c
struct scmp_arg_cond arg_cond[] = {
{ 2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE },
{ 3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS }
};
```

Is the bitmask comparison wrong for seccomp-bpf? Should I be using `SCMP_CMP_MASKED_EQ`? The man pages are unclear on handling multiple flag bits.