diff --git a/engine/compiler/util.go b/engine/compiler/util.go
index 1a9d3f4..faed8cb 100644
--- a/engine/compiler/util.go
+++ b/engine/compiler/util.go
@@ -146,11 +146,14 @@ func isRestrictedVolume(path string) bool {
 switch {
 case path == "/":
 case path == "/var":
+ case path == "/etc":
 case strings.Contains(path, "/var/run"):
 case strings.Contains(path, "/proc"):
 case strings.Contains(path, "/mount"):
 case strings.Contains(path, "/bin"):
 case strings.Contains(path, "/usr/local/bin"):
+ case strings.Contains(path, "/usr/local/sbin"):
+ case strings.Contains(path, "/usr/bin"):
 case strings.Contains(path, "/mnt"):
 case strings.Contains(path, "/media"):
 case strings.Contains(path, "/sys"):
@@ -161,3 +164,23 @@ func isRestrictedVolume(path string) bool {
 }
 return true
 }
+
+// helper function returns true if the environment variable
+// is restricted for internal-use only.
+func isRestrictedVariable(env map[string]*manifest.Variable) bool {
+ for _, name := range restrictedVars {
+ if _, ok := env[name]; ok {
+ return true
+ }
+ }
+ return false
+}
+
+// list of restricted variables
+var restrictedVars = []string{
+ "XDG_RUNTIME_DIR",
+ "DOCKER_OPTS",
+ "DOCKER_HOST",
+ "PATH",
+ "HOME",
+}
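Review bot: The new `case path == "/etc":` is an exact string comparison, so it rejects only the literal `/etc`; a child directory or a spelling with a trailing slash is not matched unless the caller has already cleaned the path, which this hunk does not show. If the intent is to keep host configuration out of pipeline mounts, normalise the path before the switch and match the subtree, e.g. `case path == "/etc" || strings.HasPrefix(path, "/etc/"):`. The added `strings.Contains(path, "/usr/bin")` case is already covered by the existing `"/bin"` substring case, while `/sbin` and `/usr/sbin` are not matched by any case visible here. isRestrictedVolume starts before the hunk and some of its cases lie between the two hunks, so this is based on the visible lines only.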
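Review bot: `isRestrictedVariable` is an exact-name denylist, so anything not listed in `restrictedVars` passes, and the list looks narrower than the stated "internal-use only" goal. If the aim is to stop a pipeline from redirecting the Docker client or changing how binaries are resolved, related names such as `DOCKER_CONFIG`, `DOCKER_CERT_PATH`, `DOCKER_TLS_VERIFY` and `LD_PRELOAD` probably belong here too; confirm against the runner's threat model. The function also returns only a bool, so the caller cannot say which variable was rejected. The doc comment describes a single variable although the function takes the whole map; suggest `// isRestrictedVariable reports whether env sets any name listed in restrictedVars.`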