Does it make sense to filter system calls if I have blocked almost all capabilities?

Hello.
The task is to run only one program in the container - the Firefox browser.
The emphasis is on safety.
Does it make sense from a security point of view to filter system calls through seccomp if I have blocked all capabilities except the one I need?
In this case, Firefox requires the “CAP_SYS_CHROOT” capability for the sandbox to work in Firefox.

    --cap-drop=CAP_DAC_OVERRIDE \
    --cap-drop=CAP_DAC_READ_SEARCH \
    --cap-drop=CAP_FOWNER \
    --cap-drop=CAP_FSETID \
    --cap-drop=CAP_KILL \
    --cap-drop=CAP_SETGID \
    --cap-drop=CAP_SETUID \
    --cap-drop=CAP_SETPCAP \
    --cap-drop=CAP_LINUX_IMMUTABLE \
    --cap-drop=CAP_NET_BIND_SERVICE \
    --cap-drop=CAP_NET_BROADCAST \
    --cap-drop=CAP_NET_ADMIN \
    --cap-drop=CAP_NET_RAW \
    --cap-drop=CAP_IPC_LOCK \
    --cap-drop=CAP_IPC_OWNER \
    --cap-drop=CAP_SYS_MODULE \
    --cap-drop=CAP_SYS_RAWIO \
    --cap-drop=CAP_SYS_PTRACE \
    --cap-drop=CAP_SYS_PACCT \
    --cap-drop=CAP_SYS_ADMIN \
    --cap-drop=CAP_SYS_BOOT \
    --cap-drop=CAP_SYS_NICE \
    --cap-drop=CAP_SYS_RESOURCE \
    --cap-drop=CAP_SYS_TIME \
    --cap-drop=CAP_SYS_TTY_CONFIG \
    --cap-drop=CAP_MKNOD \
    --cap-drop=CAP_LEASE \
    --cap-drop=CAP_AUDIT_WRITE \
    --cap-drop=CAP_AUDIT_CONTROL \
    --cap-drop=CAP_SETFCAP \
    --cap-drop=CAP_MAC_OVERRIDE \
    --cap-drop=CAP_MAC_ADMIN \
    --cap-drop=CAP_SYSLOG \
    --cap-drop=CAP_WAKE_ALARM \
    --cap-drop=CAP_BLOCK_SUSPEND \
    --cap-drop=CAP_AUDIT_READ \
    --cap-drop=CAP_PERFMON \
    --cap-drop=CAP_BPF \
    --cap-drop=CAP_CHECKPOINT_RESTORE \
    --security-opt=no-new-privileges \

It all depends on your goal. If you are looking for maximum possible security, then configuring apparmor/selinux and seccomp seems like the right thing to do, especially if the container is running in privileged mode. Though if it’s just about not being grossly negligent, then your settings seem fine to me.

One thing to note though: Wouldn’t it make more sense to use --cap-drop=ALL --cap-add CAP_SYS_CHROOT --security-opt=no-new-privileges instead of listing them individually?

I tried --cap-drop=ALL --cap-add CAP_SYS_CHROOT --security-opt=no-new-privileges.
In this case, the file saving window stops working.
If you press CTRL+S, the browser crashes.
The problem is reproducible on Firefox 151.
The problem does not reproduce on Firefox-esr 145.

Yes, the container runs in rootless mode.
Yesterday I read that a lot of vulnerabilities are exploited even without capabilities, through system calls that are available in user space.
It turns out that yes, we need to filter system calls.
I have to use a whitelist.

You mean a blacklist, since you specifically drop the ones you want to forbid.

If you really want to whitelist, create containers with your cap-args and mine using an alpine image and capsh to see the actual capabilities:

    docker run -ti --rm <cap argument> alpine sh -c 'apk add libcap; capsh --print'

Please share links to the sources.

Whitelist - for filtering system calls.
Capabilities I have already filtered.

ChatGPT told me.

Never accept statements without source links. When you ask for sources, you can often get “You are right. I should not have guessed without actually confirming it” messages.

While it is not impossible, I only heard about issues that relied on enabled capabilities like SETUID. I heard other claims as well, but not with source links to confirm.

If you google for “llm biased based on the prompt” you get a couple of good blog posts about how Language Models are susceptible to becoming biased based on the phrasing and tone of the input prompt.
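An added example (not part of the thread, and not Docker's own code): an offline model of what the `capsh --print` comparison suggested above would show for the two flag sets posted here. The itemised list never names CAP_CHOWN, so it leaves one capability more than `--cap-drop=ALL --cap-add CAP_SYS_CHROOT`. Assumptions: the runtime starts from Docker's default capability set, and `resolve`, `mask`, `ITEMISED` and `SHORT` are names made up for this sketch.

```python
# Capability names in kernel bit order (bit 0 = CHOWN ... bit 40 = CHECKPOINT_RESTORE).
CAPS = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
        "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
        "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
        "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
        "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
        "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()
# Assumption: the runtime starts from Docker's default set; other runtimes differ.
DEFAULT = set("CHOWN DAC_OVERRIDE FSETID FOWNER MKNOD NET_RAW SETGID SETUID SETFCAP "
              "SETPCAP NET_BIND_SERVICE SYS_CHROOT KILL AUDIT_WRITE".split())

def resolve(argv, default=DEFAULT):
    """Model which capabilities remain after the --cap-add/--cap-drop flags."""
    picked = {"--cap-add": set(), "--cap-drop": set()}
    args = iter(argv)
    for arg in args:
        flag, eq, value = arg.partition("=")
        if flag not in picked:
            continue                      # e.g. --security-opt or the image name
        name = (value if eq else next(args, "")).upper()  # "--flag=X" or "--flag X"
        name = name[4:] if name.startswith("CAP_") else name
        if name != "ALL" and name not in CAPS:
            raise ValueError(f"unknown capability: {name!r}")
        picked[flag].add(name)
    adds, drops = picked["--cap-add"], picked["--cap-drop"]
    if "ALL" in drops:                    # start from nothing, keep only the adds
        return adds - {"ALL"}
    if "ALL" in adds:                     # start from everything, remove the drops
        return set(CAPS) - drops
    return (set(default) - drops) | adds  # default set, minus drops, plus adds

def mask(caps):
    """Hex bitmask in the form of the CapEff/CapBnd lines in /proc/<pid>/status."""
    return format(sum(1 << CAPS.index(c) for c in caps), "016x")

# Flags copied from the thread: the itemised drop list and the suggested short form.
ITEMISED = ["--cap-drop=CAP_" + c for c in (
    "DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
    "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT "
    "SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
    "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND "
    "AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()] + ["--security-opt=no-new-privileges"]
SHORT = "--cap-drop=ALL --cap-add CAP_SYS_CHROOT --security-opt=no-new-privileges".split()

if __name__ == "__main__":
    for label, argv in (("itemised", ITEMISED), ("short", SHORT)):
        left = resolve(argv)
        print(label, mask(left), sorted(left))
```

The masks can be checked against the `CapEff` line of `/proc/self/status` inside each container, or decoded with `capsh --decode=<mask>`.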