diff --git a/daemon/execdriver/native/template/default_template.go b/daemon/execdriver/native/template/default_template.go
index 21c888a034..e7d3143df9 100644
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@@ -20,6 +20,7 @@ func New() *libcontainer.Container {
 "SETFCAP",
 "SETPCAP",
 "NET_BIND_SERVICE",
+ "SYS_CHROOT",
 },
 Namespaces: map[string]bool{
 "NEWNS": true,
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 209d730f93..545ad371ee 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -873,3 +873,15 @@ func TestThatCharacterDevicesActLikeCharacterDevices(t *testing.T) {
 logDone("run - test that character devices work.")
 }
+
+func TestRunUnprivilegedWithChroot(t *testing.T) {
+ cmd := exec.Command(dockerBinary, "run", "busybox", "chroot", "/", "true")
+
+ if _, err := runCommand(cmd); err != nil {
+ t.Fatal(err)
+ }
+
+ deleteAllContainers()
+
+ logDone("run - unprivileged with chroot")
+}
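Review bot: The `"SYS_CHROOT"` entry added to the default capability list in default_template.go has no comment saying why it is safe to grant to every container, although this list is the privilege baseline for all unprivileged runs. Whether chroot(2) is harmless here depends on how the container's root filesystem is entered and on which other capabilities stay dropped, and neither is visible in this hunk. The reasoning should sit next to the entry, for example `// SYS_CHROOT: chroot(2) is confined to the container's own mount namespace; re-evaluate if rootfs setup or this list changes`. Operators who audit the default set should also be told that it grew by one capability, so a release-note line is worth adding. New()'s body continues outside the hunk.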
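Review bot: In TestRunUnprivilegedWithChroot, `deleteAllContainers()` runs only on the success path, so a failing run leaves the busybox container behind when `t.Fatal(err)` ends the test. Make `defer deleteAllContainers()` the first statement so cleanup also runs on failure. The test asserts only that the newly granted call succeeds. A companion case asserting that an operation needing a capability still outside the default list is refused would catch the default set growing further by accident.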