by pbar 2470 days ago
A process making a system call to the kernel functions the same way regardless of whether it is in a container or not. How exactly does the security model differ at all?
1 comment

Because 99.9% of software doesn't make use of direct syscalls; instead it uses wrappers or standard functions that wrap various other syscalls, which can and will change over time. Meaning $app_container v0.1 can and probably will have a different seccomp filter than $app_container v0.2.
This is the same case regardless of being in a container or not: $app v0.1 and $app v0.2 will have different filters.
Of course it will, but Docker et al. attach filters to containers rather than to a specific binary, which is much easier (although still broken).