diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index c84a25188fb237e9603747711834935b6ca7bd14..00b405beb9e969b68c26744d07776c50db806f31 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -49,10 +49,11 @@ static const char *const defaultDeviceACL[] = {
 #define DEVICE_PTY_MAJOR 136
 #define DEVICE_SND_MAJOR 116
-int
-qemuSetImageCgroup(virDomainObjPtr vm,
- virStorageSourcePtr src,
- bool deny)
+static int
+qemuSetImageCgroupInternal(virDomainObjPtr vm,
+ virStorageSourcePtr src,
+ bool deny,
+ bool forceReadonly)
 {
 qemuDomainObjPrivatePtr priv = vm->privateData;
 int perms = VIR_CGROUP_DEVICE_READ;
@@ -75,7 +76,7 @@ qemuSetImageCgroup(virDomainObjPtr vm,
 ret = virCgroupDenyDevicePath(priv->cgroup, src->path, perms);
 } else {
- if (!src->readonly)
+ if (!src->readonly && !forceReadonly)
 perms |= VIR_CGROUP_DEVICE_WRITE;
 VIR_DEBUG("Allow path %s, perms: %s",
@@ -102,15 +103,28 @@ qemuSetImageCgroup(virDomainObjPtr vm,
 }
+int
+qemuSetImageCgroup(virDomainObjPtr vm,
+ virStorageSourcePtr src,
+ bool deny)
+{
+ return qemuSetImageCgroupInternal(vm, src, deny, false);
+}
+
+
 int
 qemuSetupDiskCgroup(virDomainObjPtr vm,
 virDomainDiskDefPtr disk)
 {
 virStorageSourcePtr next;
+ bool forceReadonly = false;
 for (next = disk->src; next; next = next->backingStore) {
- if (qemuSetImageCgroup(vm, next, false) < 0)
+ if (qemuSetImageCgroupInternal(vm, next, false, forceReadonly) < 0)
 return -1;
+
+ /* setup only the top level image for read-write */
+ forceReadonly = true;
 }
 return 0;
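Review bot: The new `forceReadonly` parameter of `qemuSetImageCgroupInternal` is undocumented, and as far as the visible lines show it is consulted only on the allow path, so it appears to have no effect when `deny` is true. A header comment would make that contract explicit, for example `/* @forceReadonly: grant read access only even if src->readonly is unset; not consulted when @deny is true */`. With two adjacent `bool` arguments the call `(vm, next, false, forceReadonly)` is easy to transpose, so annotating the literal at call sites (`false /* deny */`) would help. The function body continues outside this hunk.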
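Review bot: The exported `qemuSetImageCgroup` wrapper always passes `false` for `forceReadonly`, so the read-only restriction on backing images holds only for chains set up through the loop in `qemuSetupDiskCgroup`. Any other caller that hands a backing-store element to the wrapper still gets `VIR_CGROUP_DEVICE_WRITE` whenever `src->readonly` is unset. Those callers are not visible in this diff, so each one should be checked for whether it really needs write access to the image it passes. A comment on the wrapper would record the intent, e.g. `/* grants write access unless src->readonly is set; pass only images the guest must write to */`.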