diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
index 415ffda7c8..04f8342547 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
@@ -1 +1 @@
-DIST docker-runc-1.0.0_rc3_p53.tar.gz 1042839 SHA256 d09b31b9a5adf0a3295d10b20e5f65ec8e1c52a371d463218694c37e075829e9 SHA512 8e937e8ccaa114913d61a450b030496668c1e2d80eecccf5e4914c5685d7dde9a0d50bc2aef9be844dc69eab81621aa1c043abbc72ba28ab6bdb9db5e86daeaf WHIRLPOOL bec7b506a6b2522d401733b32a9f500aec69920dc6d8072ab434c7bfbb1c88a6fb00afa1d2728f78fbaac1d58f890a2b5932fdbe2b0e87b749293f2b48ed2e8a
+DIST docker-runc-1.0.0_rc4_p25.tar.gz 1094599 SHA256 d5820f1c655061be79441bd57efea4e5b60b25b6a451214b64172395b9fda383 SHA512 0cb0748812296294a87dda257dbf0947897a1ada2aa861ff3e65309a6bbecebbe798929845fca6f23b66fd0dc019bca0a032737c7192fe20618d8e1849866f3d WHIRLPOOL ed34894a3878c0cae50888c936eba1dad8d58da8d7042d5e421f06e4e98c1d7701a5c877baaba14a46d588b2ee3354e19d72bb141d5d8e7f6c0bed2d3a6b71b6
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc4_p25.ebuild
similarity index 84%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc4_p25.ebuild
index 0a7f6c700e..22d144891a 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc4_p25.ebuild
@@ -7,13 +7,13 @@ GITHUB_URI="github.com/opencontainers/runc"
 COREOS_GO_PACKAGE="${GITHUB_URI}"
 COREOS_GO_VERSION="go1.8"
 # the commit of runc that docker uses.
-# see https://github.com/docker/docker-ce/blob/v17.06.2-ce/components/engine/hack/dockerfile/binaries-commits#L6
-# Note: this commit is only really present in `docker/runc` in the 'docker/17.06' branch
+# see https://github.com/docker/docker-ce/blob/v17.09.0-ce/components/engine/hack/dockerfile/binaries-commits#L6
+# Note: this commit is only really present in the `docker/runc` repository.
 # Update the patch number when this commit is changed (i.e. the _p in the ebuild).
 # The patch version is arbitrarily the number of commits since the tag version
 # spcified in the ebuild name. For example:
-# $ git log --oneline v1.0.0-rc3..${COMMIT_ID} | wc -l
-COMMIT_ID="810190ceaa507aa2727d7ae6f4790c76ec150bd2"
+# $ git log --oneline v1.0.0-rc4..${COMMIT_ID} | wc -l
+COMMIT_ID="3f2f8b84a77f73d38244dd690525642a72156c64"
 
 inherit eutils flag-o-matic coreos-go vcs-snapshot
 
@@ -25,7 +25,7 @@ HOMEPAGE="http://runc.io"
 
 LICENSE="Apache-2.0"
 SLOT="0"
-IUSE="apparmor ambient hardened +seccomp selinux"
+IUSE="ambient apparmor hardened +seccomp selinux"
 
 RDEPEND="
 	apparmor? ( sys-libs/libapparmor )
@@ -55,8 +55,8 @@ src_compile() {
 
 	# build up optional flags
 	local options=(
-		$(usex apparmor 'apparmor' '')
 		$(usex ambient 'ambient' '')
+		$(usex apparmor 'apparmor' '')
 		$(usex seccomp 'seccomp' '')
 		$(usex selinux 'selinux' '')
 	)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch
index c284e9972d..d67c6951e2 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch
@@ -27,11 +27,11 @@ diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_li
 index 1575ae03..8a2947f6 100644
 --- a/libcontainer/specconv/spec_linux.go
 +++ b/libcontainer/specconv/spec_linux.go
-@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
- 	"slave":    syscall.MS_SLAVE,
- 	"rshared":  syscall.MS_SHARED | syscall.MS_REC,
- 	"shared":   syscall.MS_SHARED,
--	"":         syscall.MS_PRIVATE | syscall.MS_REC,
+@@ -37,7 +37,7 @@ var mountPropagationMapping = map[string]int{
+ 	"slave":    unix.MS_SLAVE,
+ 	"rshared":  unix.MS_SHARED | unix.MS_REC,
+ 	"shared":   unix.MS_SHARED,
+-	"":         unix.MS_PRIVATE | unix.MS_REC,
 +	"":         0,
  }