diff --git a/src/tini.c b/src/tini.c
index 1908870..a8d79fa 100644
--- a/src/tini.c
+++ b/src/tini.c
@@ -13,6 +13,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <stdbool.h>
+#include <sched.h>
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -25,6 +26,10 @@
 #include "tiniConfig.h"
 #include "tiniLicense.h"
 
+#ifndef CLONE_NEWCGROUP
+#define CLONE_NEWCGROUP		0x02000000	/* New cgroup namespace */
+#endif
+
 #define S_IWUGO		(S_IWUSR|S_IWGRP|S_IWOTH)
 #define S_IRUGO		(S_IRUSR|S_IRGRP|S_IROTH)
 #define REDIRECT_STDERR	"TITUS_REDIRECT_STDERR"
@@ -32,6 +37,7 @@
 #define TITUS_CB_PATH	"TITUS_UNIX_CB_PATH"
 #define TITUS_CONFIRM	"TITUS_CONFIRM"
 #define TINI_HANDOFF	"TINI_HANDOFF"
+#define TINI_UNSHARE	"TINI_UNSHARE"
 
 const char stdioattr[] = "user.stdio";
 
@@ -169,6 +175,7 @@ int do_execvp(char* const argv[], int new_stdout_fd, int new_stderr_fd, const si
 	unsetenv(TITUS_CB_PATH);
 	unsetenv(TITUS_CONFIRM);
 	unsetenv(TINI_HANDOFF);
+	unsetenv(TINI_UNSHARE);
 
 	execvp(argv[0], argv);
 
@@ -219,6 +226,16 @@ int spawn(const signal_configuration_t* const sigconf_ptr, char* const argv[], i
 			return 1;
 		}
 	}
+
+	// Should unshare happen here, or in do_execvp / the child?
+	if (getenv(TINI_UNSHARE)) {
+		if (unshare(CLONE_NEWCGROUP)) {
+			PRINT_FATAL("Unable to unshare new cgroup namespace: %s", strerror(errno));
+			return 1;
+		}
+	}
+
+
 	if (getenv(TINI_HANDOFF))
 		return do_execvp(argv, new_stdout_fd, new_stderr_fd, sigconf_ptr);