If I understood correctly, it looks like in order to make evdev run on the container and allow access to devices on /dev/*, the container must be set as privileged, which means the host will map all the devices on the container.
Although it works, it is far from ideal security-wise if you consider the least privilege idea.
So, is there a way to map only the devices I want on a particular container and start evdev only with them?
Hi @galvesribeiro, I think for the USB device specifically you probably will need to use a privileged container, since most USB devices can enumerate to a different number. One way to make sure the USB devices have a fixed name is to set a host OS udev rule to map it to a specific name. Have a look at this blog post https://www.balena.io/blog/balena-fin-gps-tracker-project/ (specifically the section titled "Custom udev rules", which maps the modem (usb-serial) device to /dev/NMEA.gps, and then that device gets mapped into the container using the --device compose directive).
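As an added illustration (not code from the thread or from the linked blog post), this is the shape the approach above takes in a compose file: the host udev rule pins the device to a stable name, and the service maps only that one node instead of running privileged. The udev rule would live on the host, for example in `/etc/udev/rules.d/99-gps.rules`, as a single line such as `SUBSYSTEM=="tty", ATTRS{idVendor}=="XXXX", ATTRS{idProduct}=="YYYY", SYMLINK+="NMEA.gps"`, where `XXXX`/`YYYY` are placeholders for the vendor and product ids of your own device (taken from `lsusb`); `SUBSYSTEM`, `ATTRS{idVendor}`, `ATTRS{idProduct}` and `SYMLINK+=` are standard udev keys, and the service name and image below are assumptions.

```yaml
# Assumed compose file for the example; the service name and image are placeholders.
version: "2"
services:
  gps-reader:
    image: my-gps-reader:latest   # placeholder image name
    # Map only the device the service needs, by the stable name the host
    # udev rule created (/dev/NMEA.gps). No "privileged: true" is set, so
    # the rest of /dev stays invisible to the container.
    devices:
      - "/dev/NMEA.gps:/dev/NMEA.gps"
    # Optional: keep the device read-only inside the container if the
    # application only consumes data from it (host:container:permissions).
    # - "/dev/NMEA.gps:/dev/NMEA.gps:r"
    restart: always
```

A practical caveat: the `devices:` mapping is resolved when the container starts, so the udev symlink must already exist at that moment; if the device is hot-plugged later or re-enumerates, the container has to be restarted to pick up the new node, which is the trade-off compared to a privileged container that sees all of /dev.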