diff --git a/hack/vendor.sh b/hack/vendor.sh
index 6fb5a6f8fe..f174ef6a14 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -68,7 +68,7 @@ if [ "$1" = '--go' ]; then
 	mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar
 fi
 
-clone git github.com/docker/libcontainer 5d6c507d7cfeff97172deedf3db13b5295bcacef
+clone git github.com/docker/libcontainer 52a8c004ca94cf98f6866536de828c71eb42d1ec
 # see src/github.com/docker/libcontainer/update-vendor.sh which is the "source of truth" for libcontainer deps (just like this file)
 rm -rf src/github.com/docker/libcontainer/vendor
 eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | grep -v 'github.com/codegangsta/cli' | grep -v 'github.com/Sirupsen/logrus')"
diff --git a/vendor/src/github.com/docker/libcontainer/Dockerfile b/vendor/src/github.com/docker/libcontainer/Dockerfile
index e2c441615a..fb34c8c95a 100644
--- a/vendor/src/github.com/docker/libcontainer/Dockerfile
+++ b/vendor/src/github.com/docker/libcontainer/Dockerfile
@@ -9,7 +9,7 @@ RUN go get github.com/docker/docker/pkg/term
 RUN mkdir /busybox && \
     curl -sSL 'https://github.com/jpetazzo/docker-busybox/raw/buildroot-2014.11/rootfs.tar' | tar -xC /busybox
 
-RUN curl -sSL https://raw.githubusercontent.com/docker/docker/master/project/dind -o /dind && \
+RUN curl -sSL https://raw.githubusercontent.com/docker/docker/master/hack/dind -o /dind && \
     chmod +x /dind
 
 COPY . /go/src/github.com/docker/libcontainer
diff --git a/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go
index 7dc245595f..f6c0d7d597 100644
--- a/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go
+++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go
@@ -99,11 +99,12 @@ func (m *Manager) Apply(pid int) error {
 		// created then join consists of writing the process pids to cgroup.procs
 		p, err := d.path(name)
 		if err != nil {
-			if cgroups.IsNotFound(err) {
-				continue
-			}
 			return err
 		}
+		if !cgroups.PathExists(p) {
+			continue
+		}
+
 		paths[name] = p
 	}
 	m.Paths = paths
@@ -173,6 +174,9 @@ func (m *Manager) Freeze(state configs.FreezerState) error {
 	if err != nil {
 		return err
 	}
+	if !cgroups.PathExists(dir) {
+		return cgroups.NewNotFoundError("freezer")
+	}
 
 	prevState := m.Cgroups.Freezer
 	m.Cgroups.Freezer = state
@@ -197,6 +201,9 @@ func (m *Manager) GetPids() ([]int, error) {
 	if err != nil {
 		return nil, err
 	}
+	if !cgroups.PathExists(dir) {
+		return nil, cgroups.NewNotFoundError("devices")
+	}
 
 	return cgroups.ReadProcsFile(dir)
 }
@@ -237,17 +244,7 @@ func (raw *data) path(subsystem string) (string, error) {
 
 	// If the cgroup name/path is absolute do not look relative to the cgroup of the init process.
 	if filepath.IsAbs(raw.cgroup) {
-		path := filepath.Join(raw.root, subsystem, raw.cgroup)
-
-		if _, err := os.Stat(path); err != nil {
-			if os.IsNotExist(err) {
-				return "", cgroups.NewNotFoundError(subsystem)
-			}
-
-			return "", err
-		}
-
-		return path, nil
+		return filepath.Join(raw.root, subsystem, raw.cgroup), nil
 	}
 
 	parent, err := raw.parent(subsystem)
diff --git a/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuset.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuset.go
index 75f38cd26b..d8465a666b 100644
--- a/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuset.go
+++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuset.go
@@ -17,12 +17,9 @@ type CpusetGroup struct {
 func (s *CpusetGroup) Apply(d *data) error {
 	dir, err := d.path("cpuset")
 	if err != nil {
-		if cgroups.IsNotFound(err) {
-			return nil
-		} else {
-			return err
-		}
+		return err
 	}
+
 	return s.ApplyDir(dir, d.c, d.pid)
 }
 
diff --git a/vendor/src/github.com/docker/libcontainer/container_linux_test.go b/vendor/src/github.com/docker/libcontainer/container_linux_test.go
index 5f589f3df9..5ee46ab140 100644
--- a/vendor/src/github.com/docker/libcontainer/container_linux_test.go
+++ b/vendor/src/github.com/docker/libcontainer/container_linux_test.go
@@ -125,7 +125,7 @@ func TestGetContainerState(t *testing.T) {
 	container := &linuxContainer{
 		id: "myid",
 		config: &configs.Config{
-			Namespaces: configs.Namespaces{
+			Namespaces: []configs.Namespace{
 				{Type: configs.NEWPID},
 				{Type: configs.NEWNS},
 				{Type: configs.NEWNET, Path: expectedNetworkPath},
diff --git a/vendor/src/github.com/docker/libcontainer/hack/validate.sh b/vendor/src/github.com/docker/libcontainer/hack/validate.sh
index 19bd7adaa5..70635377b9 100755
--- a/vendor/src/github.com/docker/libcontainer/hack/validate.sh
+++ b/vendor/src/github.com/docker/libcontainer/hack/validate.sh
@@ -7,6 +7,8 @@ validate() {
     sed -i 's!docker/docker!docker/libcontainer!' /go/src/github.com/docker/docker/hack/make/.validate
     bash /go/src/github.com/docker/docker/hack/make/validate-dco
     bash /go/src/github.com/docker/docker/hack/make/validate-gofmt
+    go get golang.org/x/tools/cmd/vet
+    go vet github.com/docker/libcontainer/...
 }
 
 # run validations
diff --git a/vendor/src/github.com/docker/libcontainer/rootfs_linux.go b/vendor/src/github.com/docker/libcontainer/rootfs_linux.go
index 5a94e68658..c0c470defa 100644
--- a/vendor/src/github.com/docker/libcontainer/rootfs_linux.go
+++ b/vendor/src/github.com/docker/libcontainer/rootfs_linux.go
@@ -95,7 +95,7 @@ func mount(m *configs.Mount, rootfs, mountLabel string) error {
 	}
 
 	switch m.Device {
-	case "proc":
+	case "proc", "mqueue", "sysfs":
 		if err := os.MkdirAll(dest, 0755); err != nil && !os.IsExist(err) {
 			return err
 		}
@@ -116,14 +116,10 @@ func mount(m *configs.Mount, rootfs, mountLabel string) error {
 			}
 		}
 		return nil
-	case "mqueue", "devpts", "sysfs":
+	case "devpts":
 		if err := os.MkdirAll(dest, 0755); err != nil && !os.IsExist(err) {
 			return err
 		}
-		if m.Device == "mqueue" {
-			// mqueue should not be labeled, otherwise the mount will fail
-			data = ""
-		}
 		return syscall.Mount(m.Source, dest, m.Device, uintptr(m.Flags), data)
 	case "bind":
 		stat, err := os.Stat(m.Source)
diff --git a/vendor/src/github.com/docker/libcontainer/selinux/selinux.go b/vendor/src/github.com/docker/libcontainer/selinux/selinux.go
index b3a61d187a..28bc405afc 100644
--- a/vendor/src/github.com/docker/libcontainer/selinux/selinux.go
+++ b/vendor/src/github.com/docker/libcontainer/selinux/selinux.go
@@ -159,6 +159,11 @@ func Setfilecon(path string, scon string) error {
 // Getfilecon returns the SELinux label for this path or returns an error.
 func Getfilecon(path string) (string, error) {
 	con, err := system.Lgetxattr(path, xattrNameSelinux)
+
+	// Trim the NUL byte at the end of the byte buffer, if present.
+	if con[len(con)-1] == '\x00' {
+		con = con[:len(con)-1]
+	}
 	return string(con), err
 }