diff --git a/README.md b/README.md
index 0ccf2845..6ff9e450 100644
--- a/README.md
+++ b/README.md
@@ -111,6 +111,12 @@ user named `daemon` defined within that file-system.
 "source": "sysfs",
 "destination": "/sys",
 "options": "nosuid,noexec,nodev"
+ },
+ {
+ "type": "cgroup",
+ "source": "cgroup",
+ "destination": "/sys/fs/cgroup",
+ "options": "nosuid,noexec,nodev,relatime,ro"
 }
 ],
 "linux": {
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 33b9122f..6a42ba77 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -184,7 +184,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
 Device: "bind",
 Source: filepath.Join(mm.Mountpoint, dir),
 Destination: filepath.Join(m.Destination, strings.Join(mm.Subsystems, ",")),
- Flags: syscall.MS_BIND | syscall.MS_REC | syscall.MS_RDONLY,
+ Flags: syscall.MS_BIND | syscall.MS_REC | m.Flags,
 })
 }
 tmpfs := &configs.Mount{
diff --git a/spec.go b/spec.go
index 2bdf8ac7..180db2a0 100644
--- a/spec.go
+++ b/spec.go
@@ -83,6 +83,12 @@ var specCommand = cli.Command{
 Destination: "/sys",
 Options: "nosuid,noexec,nodev",
 },
+ {
+ Type: "cgroup",
+ Source: "cgroup",
+ Destination: "/sys/fs/cgroup",
+ Options: "nosuid,noexec,nodev,relatime,ro",
+ },
 },
 },
 Linux: specs.Linux{
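Review bot: In libcontainer/rootfs_linux.go, the per-subsystem cgroup bind mounts in mountToRootfs are read-only only when the caller's `m.Flags` carries MS_RDONLY, so what used to be a built-in guarantee is now opt-in. The default added in spec.go (and the README sample) passes `ro`, but a config that lists a cgroup mount without it now gets a writable cgroup hierarchy inside the container, which may let contained processes alter their own resource controls. I would put a comment on the changed line, for example `// Read-only is no longer forced here; request it with the "ro" option (MS_RDONLY in m.Flags).`, and say the same in the README next to the sample. It is also worth confirming that the bind-mount path applies MS_RDONLY through a remount, because the kernel ignores that flag on the initial MS_BIND call. That code and the rest of mountToRootfs lie outside this hunk.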