Is there ways to load seccomp filter after exec.Start() and before the command starts

Question

I'm writing a simple sandbox using Go code as a module, and I need load seccomp rules to limit the system call for the command.

I use os/exec to run the command but I can't find anyway to load the filter before the command really starts.

I found Docker uses a call to fork, it needs to add code in the program's main, but if the sandbox is a module, I don't think this is a good way.

In C we can use seccomp like:

int main() {
    int pid = fork();
    if (pid > 0) {
        children();
    } else if (pid == 0) {
        struct rusage usage{};
        int status;
        if (wait4(pid, &status, WSTOPPED, &usage) == -1) {
           kill(pid, SIGKILL);
        }
    }
}

void children() {
    /* load seccomp filter */
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL & SCMP_ACT_LOG);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0);
    seccomp_load(ctx);

    execvp("bash", {"bash"});
}

In Go, I don't have any idea how to do it.

English is not my first language.