So that we don't have to bake the jail binaries and the base kernel images every time when we update the policies.
The configuration format should be easily writable and understandable, so JSON/YAML/TOML would be good choices. We need to figure out which is most accessible from the golang ecosystem.

Keywords for prior knowledges required:

• seccomp filter, Linux system call argument format in the amd64 architecture
• Go language
• Docker

To make it configurable, we should implement:

• Reading the list of systemcall filters, resource limits, whitelisted filesystem operation paths, and preserved environment keys from the config file.
• Keep the differences only in per-policy configs and shared parts in the "default" config. (e.g., additionally allowed or blocked syscalls should go into per-policy configs.)
  • Note: Traced syscalls are currently shared across all policies.
• Prevent the child process from accessing the configuration files.

All done, closing. Now we need to write individual policy files for each kernel.
Updates to this functionality will be handled in separate issues.