Kernel space: authoritative hooks for containerization

Working out the security consequences of containerization can be tricky: what if a user inside a container needs access to one hardware device, but isn’t trusted to administer other hardware?