
System call interception for unprivileged containers

Posted Jun 30, 2022 0:10 UTC (Thu) by rcampos (subscriber, #59737)
Parent article: System-call interception for unprivileged containers

Seccomp notify can also be used in Kubernetes containers. Rootless containers are using it to increase network performance by about 7 times, to name one example.

I worked on adding support for this to runc (the low-level container runtime used by containerd and Docker by default) and blogged about it here, in case anyone is interested (with an example seccomp agent that can be used as a building block for other actions in the agent):

https://kinvolk.io/blog/2022/03/bringing-seccomp-notify-t...

Also, we contributed support for seccomp notify in the OCI runtime-spec, so other runtimes like crun and youki have implemented it too :-)

Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds