Oh wow.  This is the first I've heard of seccomp(2), but it looks amazingly elegant.

http://man7.org/linux/man-pages/man2/seccomp.2.html

In particular SECCOMP_SET_MODE_STRICT looks like it would be very easy to use (and pretty easy for any Unix-like kernel to implement) and would be great for things like packet parsers that just read stdin and write stdout.