diff --git a/src/error.rs b/src/error.rs
index 8fe2c282..983d4a65 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -21,6 +21,7 @@ pub enum ErrorCode {
 SetNs = 12,
 CapSet = 13,
 PreExec = 14,
+ SetGroupsDeny = 15,
 }
 
 /// Error runnning process
@@ -93,6 +94,8 @@ pub enum Error {
 BeforeUnfreeze(Box),
 /// Before exec callback error
 PreExec(i32),
+ /// Writing /proc/self/setgroups < deny failed
+ SetGroupsDeny(i32)
 }
 
 impl Error {
@@ -120,6 +123,7 @@ impl Error {
 &CapSet(x) => Some(x),
 &BeforeUnfreeze(..) => None,
 &PreExec(x) => Some(x),
+ &SetGroupsDeny(x) => Some(x),
 }
 }
 }
@@ -148,6 +152,7 @@ impl Error {
 &CapSet(_) => "error when setting capabilities",
 &BeforeUnfreeze(_) => "error in before_unfreeze callback",
 &PreExec(_) => "error in pre_exec callback",
+ &SetGroupsDeny(_) => "error setting /proc/self/setgroups < deny"
 }
 }
 }
@@ -240,6 +245,7 @@ impl ErrorCode {
 C::SetNs => E::SetNs(errno),
 C::CapSet => E::CapSet(errno),
 C::PreExec => E::PreExec(errno),
+ C::SetGroupsDeny => E::SetGroupsDeny(errno),
 }
 }
 pub fn from_i32(code: i32, errno: i32) -> Error {
diff --git a/src/run.rs b/src/run.rs
index ccce6d11..248589b5 100644
--- a/src/run.rs
+++ b/src/run.rs
@@ -334,6 +334,14 @@ impl Command {
 result(Err::SetIdMap,
 File::create(format!("/proc/{}/uid_map", pid))
 .and_then(|mut f| f.write_all(&buf[..])))?;
+
+
+ let buf = "deny".as_bytes();
+
+ result(Err::SetGroupsDeny,
+ File::create(format!("/proc/{}/setgroups", pid))
+ .and_then(|mut f| f.write_all(&buf[..])))?;
+
 let mut buf = Vec::new();
 for map in gids {
 writeln!(&mut buf, "{} {} {}",
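Review bot: The new doc comment and description string name `/proc/self/setgroups`, but the write added in src/run.rs targets `/proc/{pid}/setgroups` of the child, and `< deny` reads like a shell redirect pointing the wrong way. In the `pub enum Error` hunk (`@@ -93,6 +94,8 @@`) I would write `/// Writing "deny" to /proc/<pid>/setgroups failed` followed by `SetGroupsDeny(i32),`. In the description hunk (`@@ -148,6 +152,7 @@`) the arm would become `&SetGroupsDeny(_) => "error writing deny to /proc/<pid>/setgroups",`. Both new lines also drop the trailing comma that every neighbouring variant and match arm carries.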
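Review bot: `from_i32`, whose signature is the last context line of the `@@ -240,6 +245,7 @@` hunk, is not touched by this commit, and its body lies outside the hunk. If it decodes the integer by listing the known `ErrorCode` values, 15 would fall through to whatever it returns for unrecognised codes. It is worth confirming that `SetGroupsDeny` round-trips through `from_i32`, or noting in a comment there why it does not need to.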
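Review bot: The `deny` write to `/proc/{pid}/setgroups` in the `@@ -334,6 +334,14 @@` hunk is unconditional, and two cases look unhandled. Kernels older than 3.19 do not provide this file, so the open fails with ENOENT and every spawn reaching this path would now return `SetGroupsDeny` where it previously succeeded. Once `deny` is written, setgroups(2) stays disabled in that user namespace, so a privileged caller that maps several gids and then sets supplementary groups in the child would presumably get EPERM. The kernel only requires `deny` before an unprivileged process writes `gid_map`, so consider tolerating a missing file as below and making the write depend on whether the caller needs setgroups. The enclosing function starts and ends outside the hunk, so whether supplementary groups are applied later cannot be seen from here.

```rust
// … unchanged: uid_map write …
let deny = File::create(format!("/proc/{}/setgroups", pid))
    .and_then(|mut f| f.write_all(b"deny"));
// Kernels older than 3.19 have no setgroups file and report ENOENT;
// there is nothing to deny on them.
let missing = deny.as_ref().err()
    .map_or(false, |e| e.kind() == std::io::ErrorKind::NotFound);
if !missing {
    result(Err::SetGroupsDeny, deny)?;
}
// … unchanged: gid_map write …
```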