“The containers developers have what would seem to be a
relatively straightforward problem: they would like to control
access to devices on a per-container basis. Then containers could
safely be granted access to specific devices without compromising
the overall security of the system–even if a container has a
root-capable process which can create new device files.
Implementing this feature has been a longer journey than these
developers had imagined, though, with the ‘device whitelist’
feature being sent around to different kernel subsystems almost
like one of those famous garbage barges from years past. A final
resting place may have been found, though, and it may signal a
change in how some security decisions are made in the kernel in the
future…”