Currently `docker run --runtime=kata --privileged` is insecure because `--privileged` lets the OCI runtime mount host devices.
Recently containerd/CRI got a new config option `privileged_without_host_devices`, which disables mounting host devices for containers with `securityContext.privileged`.
containerd/cri#1225
Probably we can port this over to Moby as `--privileged --security-opt privileged-without-host-devices`. The daemon should probably return an error if `--security-opt privileged-without-host-devices` is specified but `--privileged` is not specified.
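For reference, this is what the containerd/CRI side of the option looks like in a `config.toml` that registers Kata as a second runtime handler. This is an added example, not configuration from the issue or from the containerd/cri PR; it assumes the containerd config version 2 plugin path (`plugins."io.containerd.grpc.v1.cri"`) and the shim v2 runtime type name `io.containerd.kata.v2`, which are the conventions of containerd 1.3 and later.

```toml
# Added example: containerd config.toml (config version 2 syntax assumed).
version = 2

[plugins."io.containerd.grpc.v1.cri".containerd]
  # runc stays the default; nothing changes for ordinary privileged pods.
  default_runtime_name = "runc"

  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    runtime_type = "io.containerd.runc.v2"

  # Kata runs the container inside a VM. A privileged container must not
  # receive the host's /dev nodes, otherwise securityContext.privileged
  # hands it host block/char devices and bypasses the VM boundary.
  # This flag keeps the rest of "privileged" (capabilities, unmasked
  # paths, no seccomp/AppArmor) but drops the host device mounts.
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
    runtime_type = "io.containerd.kata.v2"
    privileged_without_host_devices = true
```

The handler name (`kata`) is what a Kubernetes RuntimeClass refers to in its `handler` field; a pod that selects that RuntimeClass and sets `securityContext.privileged: true` is then created with the privileged capabilities but without the host's device nodes. A quick check is to compare `ls /dev` inside such a pod against the same pod run under the `runc` handler: under `kata` the host's disks and character devices should not appear. The `docker run` flag proposed above would be the Moby-side equivalent of this per-runtime setting.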