3e0fab4d2e
/dev is mounted on a tmpfs inside of a container. Processes inside of containers some times need to create devices nodes, or to setup a socket that listens on /dev/log Allowing these containers to run with the --readonly flag makes sense. Making a tmpfs readonly does not add any security to the container, since there is plenty of places where the container can write tmpfs content. I have no idea why /dev was excluded. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Upstream-commit: 5f3bd2473ee2a1b9f37ba0130e934133d0e01f89 Component: engine