KubeVirt Seccomp Profile Generation

Contributor: Nithish Karthik
Mentors: afrosi, Ľuboslav Pivarč
Organization: KubeVirt
Technologies: linux, golang, docker, kubernetes, ebpf, Ginkgo, OCI
Topics: virtualization, CI/CD
Seccomp is a security facility of the Linux kernel that prevents processes from executing unauthorised syscalls. By limiting the set of permitted syscalls, seccomp is used together with Kubernetes to reduce the attack surface of containers. KubeVirt already supports custom seccomp profiles, but its profile is based on the default seccomp profile that cri-o uses. This static approach leaves room for the profile to block syscalls the workload needs or to allow syscalls it never uses, hence compromising security. This project focuses on automating the generation of a seccomp profile for the VirtLauncher pod.
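As an added illustration of the mismatch described above (example code, not part of the KubeVirt project), this Go snippet compares an allowlist seccomp profile against a trace of observed syscalls and reports which observed syscalls the profile would block and which allowed syscalls were never used. The profile, the trace and the `Profile` struct (covering only the OCI seccomp JSON fields needed here) are constructed for the example.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Profile mirrors the OCI seccomp JSON fields used here: the fallback action plus listed syscall groups.
type Profile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}

// Constructed sample allowlist profile (not cri-o's real default): anything unlisted fails with an errno.
const sampleProfile = `{"defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [{"names": ["read", "write", "close", "ptrace", "mount"], "action": "SCMP_ACT_ALLOW"}]}`

var observed = []string{"read", "write", "close", "ioctl", "read", "openat"} // constructed trace; duplicates expected

// Audit returns the observed syscalls the profile would block (breakage) and
// the allowed syscalls never observed (unneeded attack surface), both sorted.
func Audit(profileJSON string, trace []string) (blocked, unused []string, err error) {
	var p Profile
	if err = json.Unmarshal([]byte(profileJSON), &p); err != nil {
		return nil, nil, err
	}
	allowed, used := map[string]bool{}, map[string]bool{}
	for _, g := range p.Syscalls {
		for _, n := range g.Names {
			allowed[n] = g.Action == "SCMP_ACT_ALLOW" // listed syscall: true if allowed, false if denied
		}
	}
	for _, s := range trace {
		used[s] = true
	}
	for s := range used {
		// Blocked if explicitly denied, or unlisted while the fallback action is not ALLOW.
		if act, listed := allowed[s]; (listed && !act) || (!listed && p.DefaultAction != "SCMP_ACT_ALLOW") {
			blocked = append(blocked, s)
		}
	}
	for s, act := range allowed {
		if act && !used[s] {
			unused = append(unused, s)
		}
	}
	sort.Strings(blocked)
	sort.Strings(unused)
	return blocked, unused, nil
}
```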