I'm using runc 1.0.0_rc2 on Linux 4.7.10 with grsecurity. Say I have a container rootfs mounted like so:

```
rpool/srv/test/rootfs-1 on /srv/test/rootfs type zfs (rw,nosuid,nodev,noatime,xattr,noacl)
```

I have in my `/srv/test/config.json`:

```json
"root": { "path": "rootfs", "readonly": true }
```

When I run `runc run -b /srv/test test`, I get

```
container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:110: setting rootfs as readonly caused \\\"operation not permitted\\\"\""
```

strace tells me the failing mount call is

```
mount("/", "/", 0xc4200da900, MS_RDONLY|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM
```

This looks to be from `setReadonly()` manually specifying the mount flags and not respecting existing ones.

If I remount the rootfs like so:

```
host0/srv/test/rootfs-1 on /srv/test/rootfs type zfs (rw,noatime,xattr,noacl)
```

starting the container succeeds.

This can be fixed by changing `setReadonly()` to also pass `MS_NODEV`/`MS_NOEXEC`/`MS_NOSUID` to `mount()` if they are already present in the mount options.
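An added example of the fix suggested above (not the reporter's code and not runc's own): read the mount's current per-mount options from `/proc/self/mountinfo` and carry the restrictive ones into the readonly remount instead of issuing a bare `MS_RDONLY|MS_REMOUNT|MS_BIND|MS_REC`. The mirrored `MS_*` values, the sample mountinfo lines and the function names `existingFlags` / `readonlyRemountFlags` are constructed for this example.

```go
package main

import "strings"

// Mount flag values from <linux/mount.h>, mirrored so this builds without the
// syscall package; real code passes the result to syscall.Mount / unix.Mount.
const (
	MS_RDONLY  uintptr = 0x1
	MS_NOSUID  uintptr = 0x2
	MS_NODEV   uintptr = 0x4
	MS_NOEXEC  uintptr = 0x8
	MS_REMOUNT uintptr = 0x20
	MS_BIND    uintptr = 0x1000
	MS_REC     uintptr = 0x4000
)

// Per-mount options (6th field of /proc/self/mountinfo) that a
// MS_REMOUNT|MS_BIND call must carry forward; dropping one is what
// the kernel in the report refuses with EPERM.
var optionFlags = map[string]uintptr{
	"nosuid": MS_NOSUID,
	"nodev":  MS_NODEV,
	"noexec": MS_NOEXEC,
}

// Constructed mountinfo sample mirroring the report: the rootfs is nosuid,nodev.
const sampleMountinfo = `25 0 0:21 / / rw,relatime - ext4 /dev/sda1 rw
40 25 0:45 / /srv/test/rootfs rw,nosuid,nodev,noatime - zfs rpool/srv/test/rootfs-1 rw,xattr,noacl`

// existingFlags scans mountinfo text for the mount whose mount point is target
// and returns its restrictive flags; ok is false when no such mount exists.
// (Mount points containing spaces appear as \040 and are not decoded here.)
func existingFlags(mountinfo, target string) (flags uintptr, ok bool) {
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || f[4] != target {
			continue
		}
		ok = true
		for _, opt := range strings.Split(f[5], ",") {
			flags |= optionFlags[opt] // options not in the map add 0
		}
	}
	return flags, ok
}

// readonlyRemountFlags is what setReadonly should pass: the original
// MS_RDONLY|MS_REMOUNT|MS_BIND|MS_REC plus the flags the mount already has.
func readonlyRemountFlags(existing uintptr) uintptr {
	return MS_RDONLY | MS_REMOUNT | MS_BIND | MS_REC | existing
}
```

Inside the container init the target is `/` after pivot_root, so the lookup runs against the new root's own mountinfo line rather than the host path shown in the sample.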