diff --git a/fst/config.go b/fst/config.go
index d7d3145..73809a8 100644
--- a/fst/config.go
+++ b/fst/config.go
@@ -70,6 +70,8 @@ type SandboxConfig struct {
 Filesystem []*FilesystemConfig `json:"filesystem"`
 // symlinks created inside the sandbox
 Link [][2]string `json:"symlink"`
+ // read-only /etc directory
+ Etc string `json:"etc,omitempty"`
 // automatically set up /etc symlinks
 AutoEtc bool `json:"auto_etc"`
 // paths to override by mounting tmpfs over them
@@ -127,7 +129,11 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 }
 if !s.AutoEtc {
- conf.Dir("/etc")
+ if s.Etc == "" {
+ conf.Dir("/etc")
+ } else {
+ conf.Bind(s.Etc, "/etc")
+ }
 }
 for _, c := range s.Filesystem {
@@ -147,7 +153,11 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 }
 if s.AutoEtc {
- conf.Bind("/etc", Tmp+"/etc")
+ if s.Etc == "" {
+ conf.Bind("/etc", Tmp+"/etc")
+ } else {
+ conf.Bind(s.Etc, Tmp+"/etc")
+ }
 // link host /etc contents to prevent passwd/group from being overwritten
 if d, err := os.ReadDir("/etc"); err != nil {
diff --git a/print.go b/print.go
index 25d6675..fb5eb36 100644
--- a/print.go
+++ b/print.go
@@ -70,7 +70,16 @@ func printShow(instance *state.State, config *fst.Config, short bool) {
 flags = append(flags, "none")
 }
 fmt.Fprintf(w, " Flags:\t%s\n", strings.Join(flags, " "))
- fmt.Fprintf(w, " Overrides:\t%s\n", strings.Join(sandbox.Override, " "))
+
+ etc := sandbox.Etc
+ if etc == "" {
+ etc = "/etc"
+ }
+ fmt.Fprintf(w, " Etc:\t%s\n", etc)
+
+ if len(sandbox.Override) > 0 {
+ fmt.Fprintf(w, " Overrides:\t%s\n", strings.Join(sandbox.Override, " "))
+ }
 // Env map[string]string `json:"env"`
 // Link [][2]string `json:"symlink"`
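Review bot: The comment on the new `Etc` field does not say that the value is a host path or what an empty value means, and the two branches in Bwrap treat empty differently (`conf.Dir("/etc")` without AutoEtc, a bind of host `/etc` with it). I would spell that out, for example `// host path mounted as the sandbox /etc; empty keeps the default (bare /etc directory, or host /etc when AutoEtc is set)`. The "read-only" wording also depends on what `conf.Bind` does by default, which is not visible in this diff, so confirm it before the comment promises it.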
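Review bot: `s.Etc` goes from the JSON config straight into `conf.Bind(s.Etc, "/etc")` with no check on the path; a relative value would presumably resolve against the launcher's working directory, so the directory that becomes the sandbox's `/etc` may not be the one the config author meant. Bwrap already returns an error, so the value can be rejected before the bind, e.g. `if !filepath.IsAbs(s.Etc) { return nil, fmt.Errorf("etc path %q is not absolute", s.Etc) }` (the import block is outside the hunk, so `path/filepath` and `fmt` may need adding). The same unchecked value is used in the AutoEtc branch of the next hunk. The function starts and ends outside this hunk, so an earlier validation step may already exist.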
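Review bot: With a custom `Etc` the bind source becomes `s.Etc`, but the context line right after still enumerates the host directory with `os.ReadDir("/etc")`, so the AutoEtc symlinks appear to be derived from host `/etc` rather than from the directory actually mounted at `Tmp+"/etc"`. Entries that exist only on the host would then dangle, and entries that exist only in the custom directory would not be linked. Resolving the source once and using it in both places avoids that and removes the if/else: `etc := s.Etc`, `if etc == "" { etc = "/etc" }`, then `conf.Bind(etc, Tmp+"/etc")` and `os.ReadDir(etc)`. The loop over the directory entries is outside the hunk, so confirm it does not also hard-code `/etc`.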
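Review bot: The `Etc:` row falls back to `/etc` whenever `sandbox.Etc` is empty, but in fst/config.go an empty value without AutoEtc leads to `conf.Dir("/etc")` rather than a bind of the host directory. The summary can therefore report a host `/etc` that the sandbox presumably does not get, which matters to anyone using this output to audit a configuration. Consider applying the fallback only when AutoEtc is set, `if etc == "" && sandbox.AutoEtc { etc = "/etc" }`, and omitting the row when `etc` stays empty. printShow continues outside the hunk.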