When running a normal, unprivileged Docker container, it seems that SECCOMP_MODE_STRICT cannot be applied, returning EINVAL. SECCOMP_MODE_FILTER works correctly, and using --privileged or --security-opt 'seccomp=unconfined' allows MODE_STRICT to work. This question was asked before (Is it possible to use SECCOMP_SET_MODE_STRICT inside an unprivileged docker container?) but no real answer was given.
I see one workaround of instead using a BPF filter to perform the same function, but I would prefer to use a flag/capability to allow this instead.
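Background for the behaviour described above, and an added example that is not part of the question: Docker's default seccomp profile is itself a BPF filter that the container's init process inherits, so every process in the container already has seccomp mode FILTER set. The kernel only allows a process to set a seccomp mode when it is still DISABLED or when the requested mode equals the current one (the seccomp_may_assign_mode check in kernel/seccomp.c), which is why PR_SET_SECCOMP with SECCOMP_MODE_STRICT fails with EINVAL under the default profile but succeeds once --privileged or seccomp=unconfined removes the filter. Stacking another filter is always permitted, which is the workaround mentioned. The program below, written for this page, tries strict mode in a forked child, then installs a BPF filter that allows exactly the four syscalls strict mode allows (read, write, exit, rt_sigreturn), and in each case shows whether the mode took effect and which signal killed the child when it made a forbidden call. It assumes an x86_64 or aarch64 Linux host; the AUDIT_ARCH_* selection and the SECCOMP_RET_KILL_PROCESS fallback value are the only constants not taken from the kernel headers.

```c
/* Added example, not from the question: probe SECCOMP_MODE_STRICT and a
 * strict-equivalent BPF filter, each in a forked child. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* assumed value for pre-4.14 headers */
#endif

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64   /* assumption: example targets x86_64 ... */
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64  /* ... or aarch64 */
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Filter equivalent of strict mode: allow read, write, exit and rt_sigreturn,
 * kill on anything else (including a foreign ABI). Returns instruction count,
 * or 0 if the caller's buffer is too small. */
static size_t build_strict_like_filter(struct sock_filter *out, size_t cap)
{
    const struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    size_t n = sizeof prog / sizeof prog[0];
    if (cap < n) return 0;
    memcpy(out, prog, sizeof prog);
    return n;
}

/* The two modes under discussion; each returns 0 or -1 with errno set. */
static int enable_strict(void)
{
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
}

static int enable_filter(void)
{
    struct sock_filter insns[16];
    struct sock_fprog prog = { .len = (unsigned short)build_strict_like_filter(insns, 16),
                               .filter = insns };
    /* An unprivileged process must set no_new_privs before installing a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run fn() in a forked child. The child reports errno over a pipe, then (if the
 * mode took effect) makes a forbidden call so seccomp kills it. Returns 0 or the
 * child's errno; *sig gets the killing signal, or 0 if the child exited. */
static int run_in_child(int (*fn)(void), int *sig)
{
    int pfd[2], err = EIO, status = 0;
    if (pipe(pfd) != 0) return errno;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        close(pfd[0]);
        int cerr = fn() == 0 ? 0 : errno;
        ssize_t n = write(pfd[1], &cerr, sizeof cerr); /* write() is allowed in both modes */
        (void)n;
        if (cerr == 0) getppid();      /* not on the allow list: SIGKILL (strict) or SIGSYS (filter) */
        syscall(SYS_exit, 0);          /* plain exit is allowed; glibc _exit() would use exit_group */
    }
    close(pfd[1]);
    if (read(pfd[0], &err, sizeof err) != (ssize_t)sizeof err) err = EIO;
    close(pfd[0]);
    waitpid(pid, &status, 0);
    *sig = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    return err;
}

int main(void)
{
    int sig = 0;
    int r = run_in_child(enable_strict, &sig);
    if (r == 0) printf("SECCOMP_MODE_STRICT: enabled, forbidden syscall killed child with signal %d\n", sig);
    else        printf("SECCOMP_MODE_STRICT: failed: %s\n", strerror(r));
    r = run_in_child(enable_filter, &sig);
    if (r == 0) printf("strict-equivalent filter: enabled, forbidden syscall killed child with signal %d\n", sig);
    else        printf("strict-equivalent filter: failed: %s\n", strerror(r));
    return 0;
}
```

Run it on the host and inside `docker run --rm` with and without `--security-opt seccomp=unconfined`: the first line flips between "enabled" (child killed by SIGKILL, which is how strict mode enforces) and "Invalid argument", while the filter line succeeds in every case and kills the child with SIGSYS. Note that the filter child is killed before the parent can do anything else, so the example never leaves a filter installed in the parent process.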