Container restriction to home directory of host

I wanted to set up a container that can access only a specified folder in my home directory. I don't want to give the container access to the rest of my host machine's filesystem. I tried various ways of building the docker create command but failed.

Can someone tell me what I need to change in the following to isolate the host FS from the container?

I tried the following:

docker create \
--hostname "archy.localhost.localdomain" \
--name "archy" \
--privileged \
--security-opt label=disable \
--user root:root \
--ipc host \
--network host \
--pid host \
--label "manager=distrobox" \
--env "SHELL=/bin/bash" \
--env "HOME=/home/opensusefan/Desktop/container" \
--volume /:/run/host:rslave \
--volume /dev:/dev:rslave \
--volume /sys:/sys:rslave \
--volume /tmp:/tmp:rslave \
--volume "/usr/bin/distrobox-init":/usr/bin/entrypoint:ro \
--volume "/usr/bin/distrobox-export":/usr/bin/distrobox-export:ro \
--volume "/usr/bin/distrobox-host-exec":/usr/bin/distrobox-host-exec:ro \
--volume "/home/":"/home/":ro \
--volume "/home/opensusefan":"/home/opensusefan":ro \
--volume "/home/opensusefan/":"/home/opensusefan/":ro \
--volume "/home/opensusefan/Desktop/":"/home/opensusefan/Desktop/":ro \
--env "HOME=/home/opensusefan/Desktop/container" \
--env "DISTROBOX_HOST_HOME=/home/opensusefan/Desktop/container" \
--volume "/home/opensusefan/Desktop/container:/home/opensusefan/Desktop/container" \
--volume /run/user/1000:/run/user/1000:rslave \
--volume /etc/hosts:/etc/hosts:ro \
--volume /etc/resolv.conf:/etc/resolv.conf:ro  \
--entrypoint /usr/bin/entrypoint \
archlinux:latest \
--verbose \
--name "opensusefan" \
--user 1000 \
--group 459 \
--home "/home/opensusefan/Desktop/container" \
--init "0" \
--nvidia "0" \
--pre-init-hooks "" \
--additional-packages "" \
-- '' \

By default, a container is not able to see anything from the host filesystem.

However, you do everything to get rid of the isolation a container offers, which is a serious problem as it allows breaking out of the container, killing host processes, changing the network configuration and who knows what else. On top of that you specifically mount host paths into the container, which of course makes those folders visible inside the container.

WARNING: if the application inside this very weakly isolated container is accessible from the internet, and is exploitable, nothing is able to stop the attacker from taking over the host. Please make sure you understand what you do and why you do it.
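An added example, not part of the question or the answer above: a small POSIX sh script that walks a docker create argument list, flags the options that undo isolation (the namespace-sharing flags, --privileged, the disabled SELinux label, root user, and every bind mount whose host source lies outside the one directory you want to expose), and prints a minimal set of flags that exposes only that directory. The function names (flag_reason, audit_args, minimal_args), the rule set and the sample argument list are assumptions made for this example; the sample list mirrors the flags in the posted command but is constructed here, and the script never talks to the Docker daemon.

```shell
#!/bin/sh
# Added example: audit a docker create/run argument list for options that
# weaken container isolation, relative to ONE host directory that is allowed.
# Hypothetical helpers, not distrobox or Docker code. Rule set is an assumption
# (a cautious reviewer's list), not an exhaustive policy.

# flag_reason ALLOWED OPT VAL: print a reason and return 0 if OPT (with value
# VAL) weakens isolation; return 1 otherwise. Only "--volume SRC:DST[:opts]"
# and "--volume=SRC:DST" are parsed; "--mount" is not handled (assumption).
flag_reason() {
  allowed=$1; opt=$2; val=$3
  case "$opt" in
    --privileged) echo "grants all capabilities and raw device access"; return 0 ;;
    --pid)     [ "$val" = host ] && { echo "shares the host PID namespace (signal/ptrace host processes)"; return 0; } ;;
    --network) [ "$val" = host ] && { echo "shares the host network namespace"; return 0; } ;;
    --ipc)     [ "$val" = host ] && { echo "shares the host IPC namespace"; return 0; } ;;
    --security-opt) [ "$val" = label=disable ] && { echo "disables SELinux labelling"; return 0; } ;;
    --user|-u) case "$val" in root|root:*|0|0:*) echo "runs as root inside the container"; return 0 ;; esac ;;
    -v|--volume|--volume=*)
      case "$opt" in --volume=*) val=${opt#--volume=} ;; esac
      src=${val%%:*}
      case "$src" in
        "$allowed"|"$allowed"/*) ;;   # inside the allowed directory: fine
        *) echo "bind-mounts host path $src, outside $allowed"; return 0 ;;
      esac ;;
  esac
  return 1
}

# audit_args ALLOWED ARG...: report each finding on stderr, print the count on stdout.
audit_args() {
  allowed=$1; shift
  n=0
  while [ $# -gt 0 ]; do
    opt=$1; val=${2:-}
    reason=$(flag_reason "$allowed" "$opt" "$val") && {
      n=$((n + 1)); echo "FLAGGED: $opt $val: $reason" >&2
    }
    shift
  done
  echo "$n"
}

# minimal_args DIR UID:GID: flags that expose only DIR to the container.
# Drop all capabilities, forbid privilege escalation, keep the image read-only
# and give the container a private /tmp instead of the host's.
minimal_args() {
  printf '%s\n' \
    --user "$2" \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --read-only \
    --tmpfs /tmp \
    --volume "$1:$1"
}

# Constructed sample mirroring the posted command's flags (not a live run).
audit_posted() {
  audit_args /home/opensusefan/Desktop/container \
    --hostname archy.localhost.localdomain \
    --privileged \
    --security-opt label=disable \
    --user root:root \
    --ipc host --network host --pid host \
    --volume /:/run/host:rslave \
    --volume /dev:/dev:rslave \
    --volume /sys:/sys:rslave \
    --volume /tmp:/tmp:rslave \
    --volume /home/:/home/:ro \
    --volume /home/opensusefan/Desktop/:/home/opensusefan/Desktop/:ro \
    --volume /home/opensusefan/Desktop/container:/home/opensusefan/Desktop/container \
    --volume /run/user/1000:/run/user/1000:rslave \
    --volume /etc/resolv.conf:/etc/resolv.conf:ro \
    archlinux:latest
}

# The hardened flag set must pass its own audit (values contain no whitespace,
# so word-splitting the printf output back into arguments is safe here).
audit_minimal() {
  dir=/home/opensusefan/Desktop/container
  set -- $(minimal_args "$dir" 1000:1000)
  audit_args "$dir" "$@"
}

# Demo: findings go to stderr, the count to stdout.
echo "findings in posted command: $(audit_posted)"
echo "docker create $(minimal_args /home/opensusefan/Desktop/container 1000:1000 | tr '\n' ' ')archlinux:latest"
```

Run it as `sh audit.sh`; each FLAGGED line names the option and why it matters, and the last line is the shape of the create command that keeps everything except the one directory hidden. Pair it with a non-root uid:gid that owns that directory on the host, and leave out --pid/--network/--ipc host unless you can say why the workload needs them.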