diff --git a/container/capability.go b/container/capability.go
index 7c36ce9..fda2fb2 100644
--- a/container/capability.go
+++ b/container/capability.go
@@ -12,8 +12,9 @@ const (
 	PR_CAP_AMBIENT_RAISE = 0x2
 	PR_CAP_AMBIENT_CLEAR_ALL = 0x4
-	CAP_SYS_ADMIN = 0x15
-	CAP_SETPCAP = 0x8
+	CAP_SYS_ADMIN = 0x15
+	CAP_SETPCAP = 0x8
+	CAP_DAC_OVERRIDE = 0x1
 )
 type (
diff --git a/container/container.go b/container/container.go
index 5a7858f..a0e1c2d 100644
--- a/container/container.go
+++ b/container/container.go
@@ -146,7 +146,7 @@ func (p *Container) Start() error {
 			CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
 			// remain privileged for setup
-			AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP},
+			AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP, CAP_DAC_OVERRIDE},
 			UseCgroupFD: p.Cgroup != nil,
 		}
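Review bot: The AmbientCaps change in container.go widens what the child starts with, and because ambient capabilities are kept across execve the new CAP_DAC_OVERRIDE (which bypasses file read/write/execute permission checks) reaches the container payload unless the setup stage explicitly clears the set; neither hunk shows that step, and Start() begins and ends outside the hunk. The existing comment should state where that happens and why the third capability is needed, e.g. `// remain privileged for setup (mount/cgroup work needs to bypass file DAC); the ambient set is cleared with PR_CAP_AMBIENT_CLEAR_ALL before the payload is exec'd` — if no such clear exists on the setup path, that is the defect to fix before this lands. Go can only raise an ambient capability the parent already holds, so presumably Start() now fails with EPERM when the caller lacks CAP_DAC_OVERRIDE; worth a sentence in Start's doc comment. The constant added in capability.go matches the kernel value but is undocumented; a one-line comment such as `// CAP_DAC_OVERRIDE: bypass file read, write and execute permission checks` keeps the const block self-explanatory.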