docs: update seccomp documentation with OCI example

Replace outdated TODO comment with accurate information about runc's seccomp support.
Add OCI seccomp example.

Signed-off-by: Osama Abdelkader <[email protected]>

Author: osamakader

libcontainer/SPEC.md

@@ -367,7 +367,49 @@ profile <profile_name> flags=(attach_disconnected,mediate_deleted) {
 }
 ```
 
-*TODO: seccomp work is being done to find a good default config*
+Seccomp filtering is supported, users can provide their own seccomp profile
+
+Seccomp can be used to filter the syscalls a container can use. The filter used is quite expressive. For example, a filter can allow only a syscall when used with a specific parameter is allowed, change the errno returned or even forward it to a user-space agent to act on it.
+
+Example OCI seccomp profile:
+
+```json
+{
+  "defaultAction": "SCMP_ACT_ERRNO",
+  "architectures": [
+    "SCMP_ARCH_X86_64",
+    "SCMP_ARCH_X86",
+    "SCMP_ARCH_X32"
+  ],
+  "syscalls": [
+    {
+      "names": [
+        "accept",
+        "accept4",
+        "access",
+        "bind",
+        "brk",
+        "chdir",
+        "chmod",
+        "chown",
+        "close",
+        "connect",
+        "execve",
+        "exit",
+        "exit_group",
+        "fork",
+        "getpid",
+        "getppid",
+        "listen",
+        "open",
+        "read",
+        "write"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    }
+  ]
+}
+```
 
 ### Runtime and Init Process