diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go
index d8c9e283e..e66309eff 100644
--- a/cmd/runtimetest/main.go
+++ b/cmd/runtimetest/main.go
@@ -4,6 +4,7 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
+ "io"
 "io/ioutil"
 "os"
 "path/filepath"
@@ -191,6 +192,29 @@ func validateSysctls(spec *rspec.Spec) error {
 return nil
 }
 
+func validateMaskedPaths(spec *rspec.Spec) error {
+ fmt.Println("validating maskedPaths")
+ for _, maskedPath := range spec.Linux.MaskedPaths {
+ fi, err := os.Stat(maskedPath)
+ if err != nil {
+ return err
+ }
+ if fi.Mode()&0444 != 0 {
+ f, err := os.Open(maskedPath)
+ if err != nil {
+ return err
+ }
+ defer f.Close()
+ b := make([]byte, 1)
+ _, err = f.Read(b)
+ if err != io.EOF {
+ return fmt.Errorf("%v should not be readable", maskedPath)
+ }
+ }
+ }
+ return nil
+}
+
 func main() {
 spec, err := loadSpecConfig()
 if err != nil {
@@ -203,6 +227,7 @@ func main() {
 validateHostname,
 validateRlimits,
 validateSysctls,
+ validateMaskedPaths,
 }
 
 for _, v := range validations {
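Review bot: In `validateMaskedPaths` (second hunk), the `fi.Mode()&0444 != 0` gate skips the read probe for any path with no read bits set, but permission bits do not stop a process holding CAP_DAC_OVERRIDE, so if runtimetest runs as root in the container (not visible here) an unmasked mode-0000 file would pass this check. I would drop the mode gate and the `os.Stat` call, always attempt the open, and treat a permission error from `os.Open` as "not readable". The `err != io.EOF` test also reports every read error as "should not be readable"; a masked directory, for example, would presumably fail `Read` with an error rather than EOF, so the verdict should rest on whether bytes came back, with other errors surfaced separately. Finally, `defer f.Close()` inside the loop keeps every descriptor open until the function returns; closing right after the read avoids that.

```go
	for _, maskedPath := range spec.Linux.MaskedPaths {
		// os.Stat dropped: os.Open reports a missing path itself
		f, err := os.Open(maskedPath)
		if os.IsPermission(err) {
			continue // open denied: the path is not readable
		}
		if err != nil {
			return err
		}
		b := make([]byte, 1)
		n, err := f.Read(b)
		f.Close() // close per iteration instead of deferring to function return
		if n > 0 {
			return fmt.Errorf("%v should not be readable", maskedPath)
		}
		if err != nil && err != io.EOF {
			// a masked directory would land here and needs its own check
			return fmt.Errorf("reading %v: %v", maskedPath, err)
		}
	}
```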