diff --git a/config-linux.md b/config-linux.md index 178361f34..9b289230e 100644 --- a/config-linux.md +++ b/config-linux.md @@ -118,6 +118,7 @@ Each entry has the following structure: More info in [mknod(1)][mknod.1]. * **`path`** *(string, REQUIRED)* - full path to device inside container. If a [file][] already exists at `path` that does not match the requested device, the runtime MUST generate an error. + The path MAY be anywhere in the container filesystem, notably outside of `/dev`. * **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - [major, minor numbers][devices] for the device. * **`fileMode`** *(uint32, OPTIONAL)* - file mode for the device. You can also control access to devices [with cgroups](#configLinuxDeviceAllowedlist). @@ -126,6 +127,12 @@ Each entry has the following structure: The same `type`, `major` and `minor` SHOULD NOT be used for multiple devices. +Containers MAY NOT access any device node that is not explicitly referenced in +the **`devices`** array. Rationale: runtimes based on virtual machines need to +be able to adjust the node devices, and accessing device nodes that were not +adjusted could have undefined behaviour. + + ### Example ```json
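Review bot: in the first hunk (`@@ -118,6 +118,7 @@`), "The path MAY be anywhere in the container filesystem, notably outside of `/dev`." reads as though outside `/dev` is the expected case, and `MAY` is applied to what the config may contain rather than to runtime behaviour. Suggest "The path MAY be anywhere in the container filesystem, including outside of `/dev`." Since the preceding sentence already requires an error when a non-matching file exists at `path`, the same entry should also say what the runtime does when the parent directory of `path` does not exist (create it, or generate an error); as written, that case is left undefined once paths outside `/dev` are explicitly allowed.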
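Review bot: in the second hunk (`@@ -126,6 +127,12 @@`), "Containers MAY NOT access any device node that is not explicitly referenced in the **`devices`** array" uses `MAY NOT`, which is not an RFC 2119 keyword and is ambiguous between "might not be able to" and "are not permitted to"; the rationale that follows (VM-based runtimes adjust device nodes, and unadjusted nodes have undefined behaviour) suggests the intent is to permit runtimes to block such access, not to place a prohibition on containers, which are not the party this document binds. Suggest restating it as a runtime requirement, e.g. "Runtimes MAY deny access to any device node that is not listed in the **`devices`** array" or, if a hard rule is intended, "Runtimes MUST NOT expose ...". Minor: the hunk adds a second blank line before `### Example` (the new `+` blank line plus the existing blank context line); drop one.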