diff --git a/drivers/docker/config.go b/drivers/docker/config.go
index 33ce1b465..59dcba6f5 100644
--- a/drivers/docker/config.go
+++ b/drivers/docker/config.go
@@ -356,6 +356,28 @@ type DockerDevice struct {
 	CgroupPermissions string `codec:"cgroup_permissions"`
 }
 
+func (d DockerDevice) toDockerDevice() (docker.Device, error) {
+	dd := docker.Device{
+		PathOnHost:        d.HostPath,
+		PathInContainer:   d.ContainerPath,
+		CgroupPermissions: d.CgroupPermissions,
+	}
+
+	if d.HostPath == "" {
+		return dd, fmt.Errorf("host path must be set in configuration for devices")
+	}
+
+	if dd.CgroupPermissions == "" {
+		dd.CgroupPermissions = "rwm"
+	}
+
+	if !validateCgroupPermission(dd.CgroupPermissions) {
+		return dd, fmt.Errorf("invalid cgroup permission string: %q", dd.CgroupPermissions)
+	}
+
+	return dd, nil
+}
+
 type DockerLogging struct {
 	Type   string            `codec:"type"`
 	Config map[string]string `codec:"config"`
diff --git a/drivers/docker/driver.go b/drivers/docker/driver.go
index cfb8ae308..38d13623d 100644
--- a/drivers/docker/driver.go
+++ b/drivers/docker/driver.go
@@ -718,29 +718,12 @@ func (d *Driver) createContainerConfig(task *drivers.TaskConfig, driverConfig *T
 		}
 	}
 
-	if len(driverConfig.Devices) > 0 {
-		var devices []docker.Device
-		for _, device := range driverConfig.Devices {
-			if device.HostPath == "" {
-				return c, fmt.Errorf("host path must be set in configuration for devices")
-			}
-			if device.CgroupPermissions != "" {
-				for _, char := range device.CgroupPermissions {
-					ch := string(char)
-					if ch != "r" && ch != "w" && ch != "m" {
-						return c, fmt.Errorf("invalid cgroup permission string: %q", device.CgroupPermissions)
-					}
-				}
-			} else {
-				device.CgroupPermissions = "rwm"
-			}
-			dev := docker.Device{
-				PathOnHost:        device.HostPath,
-				PathInContainer:   device.ContainerPath,
-				CgroupPermissions: device.CgroupPermissions}
-			devices = append(devices, dev)
+	for _, device := range driverConfig.Devices {
+		dd, err := device.toDockerDevice()
+		if err != nil {
+			return c, err
 		}
-		hostConfig.Devices = devices
+		hostConfig.Devices = append(hostConfig.Devices, dd)
 	}
 
 	// Setup mounts
diff --git a/drivers/docker/utils.go b/drivers/docker/utils.go
index a70e1b8b4..7b482e11a 100644
--- a/drivers/docker/utils.go
+++ b/drivers/docker/utils.go
@@ -188,3 +188,15 @@ func authIsEmpty(auth *docker.AuthConfiguration) bool {
 		auth.Email == "" &&
 		auth.ServerAddress == ""
 }
+
+func validateCgroupPermission(s string) bool {
+	for _, c := range s {
+		switch c {
+		case 'r', 'w', 'm':
+		default:
+			return false
+		}
+	}
+
+	return true
+}