diff --git a/bare/config/runner.jsonnet b/bare/config/runner.jsonnet
index 82dfa19..37ecace 100644
--- a/bare/config/runner.jsonnet
+++ b/bare/config/runner.jsonnet
@@ -2,6 +2,7 @@ local common = import 'common.libsonnet';
 
 {
   buildDirectoryPath: std.extVar('PWD') + '/worker/build',
+  chrootIntoInputRoot: true,
   global: common.globalWithDiagnosticsHttpServer(':9987'),
   grpcServers: [{
     listenPaths: ['worker/runner'],
diff --git a/bare/config/worker.jsonnet b/bare/config/worker.jsonnet
index c06cbd0..7c981d5 100644
--- a/bare/config/worker.jsonnet
+++ b/bare/config/worker.jsonnet
@@ -15,8 +15,16 @@ local common = import 'common.libsonnet';
       cacheReplacementPolicy: 'LEAST_RECENTLY_USED',
     },
     runners: [{
-      # https://github.com/grpc/grpc/blob/master/doc/naming.md
+      // https://github.com/grpc/grpc/blob/master/doc/naming.md
       endpoint: { address: 'unix:worker/runner' },
+      inputRootCharacterDeviceNodes: [
+        'full',
+        'null',
+        'random',
+        'tty',
+        'urandom',
+        'zero',
+      ],
       concurrency: 8,
       platform: {},
       workerId: {
diff --git a/docker-compose/config/runner-ubuntu22-04.jsonnet b/docker-compose/config/runner-ubuntu22-04.jsonnet
index 7f08b6d..69a145c 100644
--- a/docker-compose/config/runner-ubuntu22-04.jsonnet
+++ b/docker-compose/config/runner-ubuntu22-04.jsonnet
@@ -2,6 +2,7 @@ local common = import 'common.libsonnet';
 
 {
   buildDirectoryPath: '/worker/build',
+  chrootIntoInputRoot: true,
   global: common.global,
   grpcServers: [{
     listenPaths: ['/worker/runner'],
diff --git a/docker-compose/config/worker-fuse-ubuntu22-04.jsonnet b/docker-compose/config/worker-fuse-ubuntu22-04.jsonnet
index 9afd1a8..329d257 100644
--- a/docker-compose/config/worker-fuse-ubuntu22-04.jsonnet
+++ b/docker-compose/config/worker-fuse-ubuntu22-04.jsonnet
@@ -67,6 +67,14 @@ local common = import 'common.libsonnet';
       endpoint: { address: 'unix:///worker/runner' },
       concurrency: 8,
       instanceNamePrefix: 'fuse',
+      inputRootCharacterDeviceNodes: [
+        'full',
+        'null',
+        'random',
+        'tty',
+        'urandom',
+        'zero',
+      ],
       platform: {
         properties: [
           { name: 'OSFamily', value: 'linux' },