cgroups has a device controller that allows us to control access to device nodes based on their major/minor/type characteristics. That means, in addition to mounting a subset of /dev nodes, we could further prevent people from running mknod() on a unique path and then using that new node to bypass our set.
This would also help in cases like rsyslog where we can't create a unique /dev because of how /dev/log is managed, so all of /dev is visible. But we'd be able to deny access to those nodes via cgroups.
We might want to start the work but not deploy it until linux-3.8 cycles out, as I think it'd rely (at least for sanity's sake) on cgroup namespaces.
current docs:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/v4.17/Documentation/cgroup-v1/devices.txt
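Added example (not from the bug report or the kernel docs): a POSIX sh script that builds cgroup-v1 device rules in the "c 1:3 rwm" form the devices.txt doc describes, checks a request against an allow-list using the devices.list matching semantics (type, major or *, minor or *, and every requested access bit present), and optionally applies an allow-list to a cgroup. The cgroup path /sys/fs/cgroup/devices/devdemo, the node /tmp/devdemo-tty and the DEMO_APPLY switch are assumptions for the demo; the apply step needs root and a mounted v1 devices hierarchy, the helpers below do not.

```shell
#!/bin/sh
# Added example: cgroup-v1 devices controller rule helpers (not project code).

# stat prints device major/minor in hex; convert to the decimal the controller wants.
hex2dec() { printf '%d' "0x$1"; }

# Emit a v1 rule ("c 1:3 rwm") for an existing device node.
# The rule keys on type and major:minor, so a node mknod()ed at another path
# with the same numbers is covered by the same rule.
dev_rule() {
    path=$1; access=${2:-rwm}
    case "$(stat -c %F "$path")" in
        "character special file") t=c ;;
        "block special file")     t=b ;;
        *) echo "not a device node: $path" >&2; return 1 ;;
    esac
    printf '%s %d:%d %s\n' "$t" \
        "$(hex2dec "$(stat -c %t "$path")")" \
        "$(hex2dec "$(stat -c %T "$path")")" "$access"
}

# dev_allowed WHITELIST TYPE MAJOR MINOR ACCESS
# WHITELIST is devices.list text (one "type maj:min acc" entry per line) of a
# default-deny cgroup. Returns 0 if some entry matches the type (or is 'a'),
# the major and minor (or '*'), and grants every requested access character.
dev_allowed() {
    wl=$1; rt=$2; rmaj=$3; rmin=$4; racc=$5
    while read -r et edev eacc; do
        [ -n "$et" ] || continue
        emaj=${edev%%:*}; emin=${edev#*:}
        [ "$et" = a ] || [ "$et" = "$rt" ] || continue
        [ "$emaj" = '*' ] || [ "$emaj" = "$rmaj" ] || continue
        [ "$emin" = '*' ] || [ "$emin" = "$rmin" ] || continue
        ok=1; rest=$racc
        while [ -n "$rest" ]; do          # walk the requested r/w/m characters
            ch=${rest%"${rest#?}"}; rest=${rest#?}
            case $eacc in *"$ch"*) ;; *) ok=0 ;; esac
        done
        [ $ok = 1 ] && return 0
    done <<EOF
$wl
EOF
    return 1
}

# Turn a v1 devices cgroup into an allow-list: drop the default "a *:* rwm"
# entry, then add the given rules. Needs root and a v1 devices mount.
apply_allowlist() {
    cg=$1; shift
    mkdir -p "$cg" || return 1
    echo a > "$cg/devices.deny"
    for rule in "$@"; do echo "$rule" > "$cg/devices.allow"; done
    cat "$cg/devices.list"
}

# Demo (assumed paths; run as root with DEMO_APPLY=1): only /dev/null and
# /dev/zero stay usable. mknod of a 5:0 node at a fresh path is refused
# (no 'm' bit for that major:minor), which is the bypass the bug describes.
if [ "${DEMO_APPLY:-0}" = 1 ]; then
    CG=/sys/fs/cgroup/devices/devdemo
    apply_allowlist "$CG" "$(dev_rule /dev/null rw)" "$(dev_rule /dev/zero r)"
    echo $$ > "$CG/tasks"
    if mknod /tmp/devdemo-tty c 5 0 2>/dev/null; then
        echo "unexpected: mknod of 5:0 allowed"; rm -f /tmp/devdemo-tty
    else
        echo "mknod of 5:0 denied by the devices controller"
    fi
    cat /dev/null && echo "read of allowed 1:3 still works"
fi
```

The matcher models only the default-deny case (devices.list after "echo a > devices.deny"); in that mode the kernel requires an entry to cover all requested access bits, which is why the test below rejects a request for rwm against an entry granting only rw.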
Comment 1 by vapier@chromium.org, Jun 21 2018