"The containers developers have what would seem to be a
relatively straightforward problem: they would like to control
access to devices on a per-container basis. Then containers could
safely be granted access to specific devices without compromising
the overall security of the system--even if a container has a
root-capable process which can create new device files.
Implementing this feature has been a longer journey than these
developers had imagined, though, with the 'device whitelist'
feature being sent around to different kernel subsystems almost
like one of those famous garbage barges from years past. A final
resting place may have been found, though, and it may signal a
change in how some security decisions are made in the kernel in the
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.