
[SECURITY] No custom seccomp profile — relies on container runtime defaults #803

@h-network

Description


Problem Statement

NemoClaw does not define or apply a custom seccomp profile. The sandbox relies on whatever the container runtime (Docker/containerd) provides by default.

Impact

The default Docker seccomp profile allows ~300 of ~450 available syscalls. Many are unnecessary for agent workloads and present attack surface:

  • mount / umount — filesystem manipulation
  • ptrace — process debugging/injection
  • clone with CLONE_NEWUSER — user namespace creation
  • keyctl — kernel keyring access

Proposed Design

Define a restrictive seccomp profile that only allows syscalls needed for agent operations:

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "open", "close", "stat", "fstat", ...], "action": "SCMP_ACT_ALLOW"}
  ]
}

Apply via Docker: --security-opt seccomp=nemoclaw-seccomp.json

References

  • CIS Docker Benchmark 5.21: "Do not disable default seccomp profile"
  • Docker documentation: Custom seccomp profiles

Alternatives Considered

No response

Category

enhancement: feature

Checklist

  • I searched existing issues and this is not a duplicate
  • This is a design proposal, not a "please build this" request
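The profile skeleton and Docker invocation sketched under Proposed Design, worked through as an added example. This is editor-supplied code, not NemoClaw's or the proposer's. It goes a little beyond the sketch: it builds a complete default-deny profile in Docker's JSON format, filters clone(2) on its flags argument so that CLONE_NEWUSER (and the other CLONE_NEW* bits) are refused while pthread_create still works, returns ENOSYS for clone3(2) so glibc falls back to the filterable clone(2), and includes a small emulator of the filter logic plus an audit against the syscalls listed under Impact. The allowlist in BASE_ALLOW is a constructed starting point, not a measured set for any real agent; the output file name nemoclaw-seccomp.json is taken from the issue. The decide() function is an approximation of the kernel's evaluation (first matching rule wins, only argument 0 modelled), adequate for a profile like this one whose rules for a given syscall do not overlap.

```python
#!/usr/bin/env python3
"""Build, emulate and audit a default-deny seccomp profile for a container sandbox.

Added example, not NemoClaw code. BASE_ALLOW is a constructed allowlist;
measure the real agent's syscalls (e.g. `strace -f -c`) before shipping.
"""
import json

# clone(2) flag bits (from <linux/sched.h>) that create new namespaces.
CLONE_NEWNS, CLONE_NEWCGROUP, CLONE_NEWUTS = 0x00020000, 0x02000000, 0x04000000
CLONE_NEWIPC, CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET = 0x08000000, 0x10000000, 0x20000000, 0x40000000
NAMESPACE_FLAGS = (CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC
                   | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)  # 0x7E020000
EPERM, ENOSYS = 1, 38

# Constructed allowlist: enough for a glibc/musl program to start, do file,
# socket and timer I/O, create threads and exit. Not a measured set.
BASE_ALLOW = [
    "read", "write", "readv", "writev", "pread64", "pwrite64", "lseek",
    "open", "openat", "close", "stat", "fstat", "lstat", "newfstatat", "statx",
    "access", "faccessat", "readlink", "readlinkat", "getdents64", "getcwd", "chdir",
    "mkdir", "mkdirat", "unlink", "unlinkat", "rename", "renameat", "umask",
    "fcntl", "ioctl", "dup", "dup2", "dup3", "pipe2",
    "mmap", "munmap", "mprotect", "madvise", "brk", "mremap",
    "execve", "exit", "exit_group", "wait4", "kill", "tgkill",
    "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "sigaltstack",
    "futex", "set_robust_list", "set_tid_address", "rseq", "arch_prctl",
    "prlimit64", "getrandom", "sched_yield", "sched_getaffinity",
    "nanosleep", "clock_gettime", "clock_nanosleep", "gettimeofday", "uname",
    "getpid", "getppid", "gettid", "getuid", "geteuid", "getgid", "getegid",
    "socket", "connect", "bind", "listen", "accept4", "shutdown",
    "sendto", "recvfrom", "sendmsg", "recvmsg", "getsockname", "getpeername",
    "setsockopt", "getsockopt", "poll", "ppoll",
    "epoll_create1", "epoll_ctl", "epoll_wait", "epoll_pwait", "eventfd2",
]

# The issue's Impact list plus a few syscalls that give a comparable foothold.
DANGEROUS = ["mount", "umount2", "ptrace", "keyctl", "add_key", "request_key",
             "unshare", "setns", "bpf", "init_module", "finit_module", "kexec_load"]


def build_profile(allow=BASE_ALLOW):
    """Return a Docker-format seccomp profile: default EPERM, explicit allowlist."""
    if "clone" in allow or "clone3" in allow:
        raise ValueError("clone/clone3 are handled by the arg-filtered rules below")
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "defaultErrnoRet": EPERM,
        # x86 and x32 are listed so 32-bit ABI calls are filtered by name too,
        # instead of hitting libseccomp's bad-architecture action (kill).
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {"names": sorted(set(allow)), "action": "SCMP_ACT_ALLOW"},
            # clone(2) is allowed only when no CLONE_NEW* bit is set in flags (arg 0):
            # (flags & NAMESPACE_FLAGS) == 0. Blocks user-namespace creation,
            # still permits the flags pthread_create uses.
            {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
             "args": [{"index": 0, "value": NAMESPACE_FLAGS, "valueTwo": 0,
                       "op": "SCMP_CMP_MASKED_EQ"}]},
            # clone3(2) takes its flags in a struct, so seccomp cannot inspect them.
            # Return ENOSYS (not EPERM) so glibc falls back to the filtered clone().
            {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": ENOSYS},
        ],
    }


def _arg_matches(cond, arg0):
    if cond["index"] != 0:
        raise ValueError("only argument 0 is modelled")
    op, value, two = cond["op"], cond["value"], cond.get("valueTwo", 0)
    if op == "SCMP_CMP_MASKED_EQ":
        return (arg0 & value) == two
    if op == "SCMP_CMP_EQ":
        return arg0 == value
    raise ValueError(f"unsupported op {op}")


def decide(profile, name, arg0=0):
    """Emulate the filter for one syscall: returns (action, errno or None).

    First rule naming the syscall whose arg conditions all hold wins; otherwise
    defaultAction. An approximation of the kernel, sufficient for non-overlapping rules.
    """
    default_errno = profile.get("defaultErrnoRet", EPERM)
    for rule in profile["syscalls"]:
        if name in rule["names"] and all(_arg_matches(c, arg0) for c in rule.get("args", [])):
            if rule["action"] == "SCMP_ACT_ERRNO":
                return rule["action"], rule.get("errnoRet", default_errno)
            return rule["action"], None
    action = profile["defaultAction"]
    return action, (default_errno if action == "SCMP_ACT_ERRNO" else None)


def audit(profile, names=DANGEROUS):
    """Names from `names` that the profile would allow (with zero arguments)."""
    return [n for n in names if decide(profile, n)[0] == "SCMP_ACT_ALLOW"]


def write_profile(path="nemoclaw-seccomp.json"):  # file name taken from the issue
    with open(path, "w") as fh:
        json.dump(build_profile(), fh, indent=2)
    return path


if __name__ == "__main__":
    p = build_profile()
    print("audited syscalls still allowed:", audit(p) or "none")
    print("clone with CLONE_NEWUSER:", decide(p, "clone", CLONE_NEWUSER | 17))
    print("apply with: docker run --security-opt seccomp=%s ..." % write_profile())
```

Apply the written file exactly as the issue proposes (`--security-opt seccomp=nemoclaw-seccomp.json`), and verify in a throwaway container that `unshare -U true` and `mount -t tmpfs none /mnt` fail with "Operation not permitted" while ordinary threaded programs still run. Two caveats worth keeping in mind: a custom profile replaces the runtime default rather than layering on it, and `--privileged` disables seccomp entirely. Docker's stock default.json already denies `mount`, `umount2` and `keyctl` (allowing the former two only with CAP_SYS_ADMIN) and applies the same CLONE_NEW* mask to `clone`, while `ptrace` is allowed by it on kernels 4.8 and later; the gain from a profile like this one is therefore the much smaller allowlist as a whole, not those four names alone.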

Metadata

Labels

  • bug (Something isn't working)
  • enhancement: feature (Use this label to identify requests for new capabilities in NemoClaw.)
  • priority: high (Important issue that should be resolved in the next release)
  • security (Something isn't secure)