diff --git a/pkg/libcontainer/cgroups/systemd/apply_systemd.go b/pkg/libcontainer/cgroups/systemd/apply_systemd.go
index 52940f6fae..4d6b68b2cd 100644
--- a/pkg/libcontainer/cgroups/systemd/apply_systemd.go
+++ b/pkg/libcontainer/cgroups/systemd/apply_systemd.go
@@ -174,13 +174,22 @@ func Apply(c *cgroups.Cgroup, pid int) (cgroups.ActiveCgroup, error) {
 path := filepath.Join(mountpoint, cgroup)
- // /dev/pts/*
- if err := ioutil.WriteFile(filepath.Join(path, "devices.allow"), []byte("c 136:* rwm"), 0700); err != nil {
- return nil, err
+ allow := []string{
+ // allow mknod for any device
+ "c *:* m",
+ "b *:* m",
+
+ // /dev/pts/ - pts namespaces are "coming soon"
+ "c 136:* rwm",
+
+ // tuntap
+ "c 10:200 rwm",
 }
- // tuntap
- if err := ioutil.WriteFile(filepath.Join(path, "devices.allow"), []byte("c 10:200 rwm"), 0700); err != nil {
- return nil, err
+
+ for _, val := range allow {
+ if err := ioutil.WriteFile(filepath.Join(path, "devices.allow"), []byte(val), 0700); err != nil {
+ return nil, err
+ }
 }
 }
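Review bot: The two wildcard entries `c *:* m` and `b *:* m` in the new `allow` slice widen the device whitelist to every major:minor, and the comment `// allow mknod for any device` does not say why that is acceptable. In the devices cgroup `m` covers only node creation, so opening such a node still needs an `r`/`w` entry; I would say so in the comment, e.g. `// mknod only: nodes for any device may be created, but read/write stays limited to the entries below`. That reasoning holds only if a default deny is written to `devices.deny` before this loop, which is presumably done earlier in `Apply` (its body starts and ends outside the hunk) and is worth confirming. Separately, the loop returns the bare error on the first failed write, so the caller cannot tell which rule was rejected; including `val` in the returned error would help.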