kernels provided this feature since forever. selinux, trustedbsd, you name it, provided this. seccomp on linux is just a "in code, per process" version, while selinux, or earlier things like RSBAC or LIDS provide more flexibility (but apparently, nobody understood how to use any of this in the past :)