Looks like seccomp supports user-space notifications which you can intercept the system call and return a response without the toctou attacks. But will need to patch golang-seccomp and make sure people have the newer seccomp lib installed.