    By default, we had supported `--mount-bind /dev /dev` to get
    access to devices.  But in many cases, build systems and the
    like will want to avoid exposing host physical devices.
    For example, if I'm building something locally, I don't want the
    makefile etc. to be able to access `/dev/dri`.
