diff --git a/rootfs_linux.go b/rootfs_linux.go
index bbc59d19..e63a394f 100644
--- a/rootfs_linux.go
+++ b/rootfs_linux.go
@@ -212,6 +212,9 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
 // top of /proc or /sys.
 // dest is required to be an abs path and have any symlinks resolved before calling this function.
 func checkMountDestination(rootfs, dest string) error {
+ if filepath.Clean(rootfs) == filepath.Clean(dest) {
+ return fmt.Errorf("mounting into / is prohibited")
+ }
 invalidDestinations := []string{
 "/proc",
 "/sys",
@@ -232,6 +235,9 @@ func dirIsChild(root, dir string) bool {
 rootParts = strings.Split(filepath.Clean(root), string(filepath.Separator))
 dirParts = strings.Split(filepath.Clean(dir), string(filepath.Separator))
 )
+ if len(dirParts) < len(rootParts) {
+ return false
+ }
 for i, p := range rootParts {
 if p != dirParts[i] {
 return false
diff --git a/rootfs_linux_test.go b/rootfs_linux_test.go
index d3e0cf36..54df065c 100644
--- a/rootfs_linux_test.go
+++ b/rootfs_linux_test.go
@@ -27,3 +27,11 @@ func TestCheckMountDestFalsePositive(t *testing.T) {
 t.Fatal(err)
 }
 }
+
+func TestCheckMountRoot(t *testing.T) {
+ dest := "/rootfs"
+ err := checkMountDestination("/rootfs", dest)
+ if err == nil {
+ t.Fatal(err)
+ }
+}
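Review bot: The new equality check at the top of checkMountDestination only matches when rootfs and dest are in the same canonical form, but the doc comment above the function states that requirement for dest alone. If a caller passes a rootfs that is relative or still contains a symlink (the callers are not visible in this hunk), `filepath.Clean` will not make the two strings equal and a mount onto the container root would get past this guard. I would extend the comment with `// rootfs must likewise be absolute with symlinks resolved; a mount whose dest equals rootfs is rejected.` and name the path in the error, e.g. `return fmt.Errorf("mounting into / is prohibited (dest %q)", dest)`. The function body continues past the end of the hunk.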
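Review bot: The length guard added to dirIsChild is what keeps `dirParts[i]` in range in the loop below when dir has fewer path components than root, and nothing in the code says so. A short why-comment would stop it being removed later as redundant: `// dir is shorter than root, so it cannot be under it; this also keeps dirParts[i] in range.` No test in this commit calls dirIsChild with a dir shorter than root, so the out-of-range index this guard prevents is not pinned by a regression test. The function starts and ends outside the hunk.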
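Review bot: In TestCheckMountRoot the failure branch runs only when err is nil, so `t.Fatal(err)` prints `<nil>` and says nothing about what went wrong; `t.Fatal("expected an error when dest equals rootfs")` would. The test also passes two identical strings, so the `filepath.Clean` calls in the new check are never exercised. A second case with an unclean dest such as `"/rootfs/"` (constructed example) would cover them.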