Run clamd as the limited user clamav.

clamd/Dockerfile

@@ -8,13 +8,14 @@ RUN apt-get update && \
         procps \
     && \
     freshclam --verbose --stdout && \
+    install -d -m 755 -o clamav -g clamav /run/clamav && \
     rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
 COPY --chown=root:root clamd.conf /etc/clamav/
 RUN clamconf -n
-COPY --chown=root:root entrypoint /entrypoint
-COPY --chown=root:root clamd-ping clamd-update /usr/local/bin/
+COPY --chown=root:root clamd-ping /usr/local/bin/
+COPY --chown=root:root clamd-update /usr/local/bin/
+USER clamav
+WORKDIR /var/lib/clamav
 EXPOSE 3310
-VOLUME /run/clamav
-ENTRYPOINT [ "/entrypoint" ]
 CMD [ "clamd" ]
 HEALTHCHECK CMD clamd-ping

clamd/entrypoint

-#!/bin/sh
-set -eux
-
-install -d -m 755 -o clamav -g clamav /run/clamav
-
-eval exec "$@"