I did come up with:
docker run -i -t --cap-add=SYS_ADMIN debian /bin/bash
Is there another way to give less capabilities other then "SYS_ADMIN" which also adds a lot of other caps?
for more info see http://linux.die.net/man/7/capabilities
Linux VServer solved this situation by adding another flag - VXC_SECURE_MOUNT see http://linux-vserver.org/Capabilities_and_Flags