[haberman]

I don't understand why it's not possible to run a Docker image that has the whole development environment, without turning on developer mode.

ChromeOS doesn't want to expose these syscalls to ChromeOS apps? I can understand wanting to sandbox the actual OS environment, but a Docker container should be totally isolated from that?

[Filligree]

Docker is not designed for security, and shouldn't be mistaken for a secure border. It can, with painstaking effort, be made semi-secure for particular audited recipes, but this isn't a FreeBSD jail we're talking about.