This might look silly, but what about running this container in lxc mode and just letting it have access to some specific devices, so that Chrome can run with sandbox but is restricted from touching anything else?
Like this example that I am using to have CUDA inside Docker:
docker run -ti --lxc-conf='lxc.cgroup.devices.allow = c 195:* rwm' cuda
It's not privileged, but has access to the devices that I want.