Define custom seccomp filters for container services
This would decrease the attack surface for rogue container processes.
Instead of manually checking which syscalls are needed, the OCI seccomp runtime hook could be used to record them and generate the allowlist. The hook uses eBPF, which needs root privileges, so for rootless containers these profiles would need to be created beforehand in a rootful setup.
Ref.: RH-Article "Improving Linux container security with seccomp"
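As an added example (not part of this issue or of the hook's own code), a small Python review step for a hook-generated OCI seccomp profile before it is handed to rootless containers: it checks deny-by-default, flags allowed syscalls a narrowly scoped service should not need, and unions a reviewed baseline with a fresh trace. The sample profile is constructed and the HIGH_RISK set is an illustrative assumption, not a standard list.

```python
"""Review an OCI seccomp profile (the JSON format the seccomp BPF hook emits
and runtimes such as podman/runc consume) before shipping it to rootless hosts.
Added example; the sample profile below is constructed, not a real capture."""
import json

# Syscalls a narrowly scoped service rarely needs and that widen the blast
# radius of a compromised container process (illustrative assumption).
HIGH_RISK = {"ptrace", "mount", "umount2", "reboot", "kexec_load", "init_module",
             "finit_module", "bpf", "unshare", "setns", "process_vm_readv",
             "process_vm_writev", "keyctl", "add_key", "request_key", "swapon"}

def allowed_syscalls(profile: dict) -> set:
    """Collect every syscall name the profile explicitly allows."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return names

def audit(profile: dict) -> list:
    """Return findings; an empty list means the profile passed every check."""
    findings = []
    if profile.get("defaultAction") not in ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL_PROCESS"):
        findings.append(f"defaultAction is {profile.get('defaultAction')!r}; "
                        "a deny-by-default profile is expected")
    if not profile.get("architectures"):
        findings.append("no architectures listed; filter is not pinned to an ABI")
    risky = sorted(allowed_syscalls(profile) & HIGH_RISK)
    if risky:
        findings.append("high-risk syscalls allowed: " + ", ".join(risky))
    return findings

def merge(base: dict, trace: dict) -> dict:
    """Union a reviewed baseline with a new rootful trace; the baseline's
    defaultAction wins so a permissive trace cannot loosen the default."""
    archs = set(base.get("architectures", [])) | set(trace.get("architectures", []))
    return {"defaultAction": base["defaultAction"],
            "architectures": sorted(archs),
            "syscalls": [{"names": sorted(allowed_syscalls(base) | allowed_syscalls(trace)),
                          "action": "SCMP_ACT_ALLOW"}]}

# Constructed sample: what a rootful trace of a small HTTP service might yield,
# with one syscall (ptrace) that the review should question.
TRACED = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [{"names": ["read", "write", "openat", "close", "accept4",
                          "epoll_wait", "socket", "bind", "listen", "exit_group",
                          "ptrace"], "action": "SCMP_ACT_ALLOW"}]
}""")

if __name__ == "__main__":
    for finding in audit(TRACED) or ["profile OK"]:
        print(finding)
```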