An access control engine can enable a host operating system to propagate a private resource of an isolated virtual environment, such as a container, running on the host operating system outside of the isolated virtual environment. The private resource can include, for example, a file system mounted within the isolated virtual environment. The access control engine can receive a command and launch the isolated virtual environment in response to the command. Also, in response to the command, the access control engine can interface with a kernel of the host operating system to configure the isolated virtual environment so that the private resource is accessible outside the isolated virtual environment.