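News
The seccomp controller's syscall learning feature is implemented with eBPF. Through eBPF it can capture the system calls made by every process on a worker node, and from those obtain the system calls that belong to a given pod. The syscalls made by each container in the cluster are collected this way via eBPF and used to generate a syscall allowlist.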
This technical paper titled “Jenny: Securing Syscalls for PKU-based Memory Isolation Systems” was presented by researchers at Graz University of Technology (Austria) at the USENIX Security Symposium ...
There's an effort under way to reduce and ultimately remove all system call invocations from within kernel space. Dominik Brodowski was leading this effort, and he posted some patches to remove a lot ...