diff --git a/fst/sandbox.go b/fst/sandbox.go
index 0cc3790..194fcb7 100644
--- a/fst/sandbox.go
+++ b/fst/sandbox.go
@@ -138,7 +138,7 @@ func (s *SandboxConfig) ToContainer(sys SandboxSys, uid, gid *int) (*sandbox.Par
 	if !s.Device {
 		container.Dev("/dev").Mqueue("/dev/mqueue")
 	} else {
-		container.Bind("/dev", "/dev", sandbox.BindDevice)
+		container.Bind("/dev", "/dev", sandbox.BindWritable|sandbox.BindDevice)
 	}
 
 	/* retrieve paths and hide them if they're made available in the sandbox;
diff --git a/test/sandbox/case/device.nix b/test/sandbox/case/device.nix
index 28b714f..a49ac68 100644
--- a/test/sandbox/case/device.nix
+++ b/test/sandbox/case/device.nix
@@ -171,9 +171,9 @@
             (ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
             (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
             (ent "/" "/.fortify" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
-            (ent "/" "/dev" "ro,nosuid" "devtmpfs" "devtmpfs" ignore)
-            (ent "/" "/dev/pts" "ro,nosuid,noexec,relatime" "devpts" "devpts" "rw,gid=3,mode=620,ptmxmode=666")
-            (ent "/" "/dev/shm" "ro,nosuid,nodev" "tmpfs" "tmpfs" ignore)
+            (ent "/" "/dev" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
+            (ent "/" "/dev/pts" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,gid=3,mode=620,ptmxmode=666")
+            (ent "/" "/dev/shm" "rw,nosuid,nodev" "tmpfs" "tmpfs" ignore)
             (ent "/" ignore ignore ignore ignore ignore) # order not deterministic
             (ent "/" ignore ignore ignore ignore ignore)
             (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
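Review bot: The `else` branch now exposes the host `/dev` read-write, and because it is a plain recursive bind the sandbox shares the host's `/dev/shm` (world-writable, and per the updated test expectation mounted without `noexec`) and `/dev/pts` instead of private instances, which opens a host↔sandbox and sandbox↔sandbox communication channel that the former read-only bind did not; this widening deserves an explicit comment and, if the sandbox API supports it, a private tmpfs placed over `/dev/shm` after the bind. The motivation is not visible in the hunk — presumably read-only `/dev/shm`/`/dev/pts` broke programs in Device mode; confirm and record it. At minimum add above the call: `// Device mode binds the host /dev writable: /dev/shm and /dev/pts are shared with the host, not private; only use with trusted workloads.` ToContainer's body continues past the end of the hunk.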