diff --git a/docs/packages.md b/docs/packages.md
index 77c537f77..4a0a024b2 100644
--- a/docs/packages.md
+++ b/docs/packages.md
@@ -29,6 +29,7 @@ A package source consists of a directory containing at least two files:
 - `network` _(bool)_: Allow network access during the package build (default: no)
 - `disable-content-trust` _(bool)_: Disable Docker content trust for this package (default: no)
 - `disable-cache` _(bool)_: Disable build cache for this package (default: no)
+- `config`: _(struct `github.com/moby/tool/src/moby.ImageConfig`)_: Image configuration, marshalled to JSON and added as `org.mobyproject.config` label on image (default: no label)
 ## Building packages
diff --git a/pkg/sysctl/Dockerfile b/pkg/sysctl/Dockerfile
index 6a8e3ee76..e01f8c2c4 100644
--- a/pkg/sysctl/Dockerfile
+++ b/pkg/sysctl/Dockerfile
@@ -13,4 +13,3 @@ WORKDIR /
 COPY --from=mirror /go/bin/sysctl /usr/bin/sysctl
 COPY etc/ /etc/
 CMD ["/usr/bin/sysctl"]
-LABEL org.mobyproject.config='{"pid": "host", "readonly": true, "capabilities": ["CAP_SYS_ADMIN"]}'
diff --git a/pkg/sysctl/build.yml b/pkg/sysctl/build.yml
index 21d62da47..471e3993d 100644
--- a/pkg/sysctl/build.yml
+++ b/pkg/sysctl/build.yml
@@ -1 +1,6 @@
 image: sysctl
+config:
+ pid: "host"
+ readonly: true
+ capabilities:
+ - CAP_SYS_ADMIN
diff --git a/src/cmd/linuxkit/pkglib/build.go b/src/cmd/linuxkit/pkglib/build.go
index 8049ee632..83ea540cc 100644
--- a/src/cmd/linuxkit/pkglib/build.go
+++ b/src/cmd/linuxkit/pkglib/build.go
@@ -1,6 +1,7 @@
 package pkglib
 import (
+ "encoding/json"
 "fmt"
 "os"
 "runtime"
@@ -122,6 +123,15 @@ func (p Pkg) Build(bos ...BuildOpt) error {
 args = append(args, "--network=none")
 }
+ if p.config != nil {
+ b, err := json.Marshal(*p.config)
+ if err != nil {
+ return err
+ }
+
+ args = append(args, "--label=org.mobyproject.config="+string(b))
+ }
+
 if err := d.build(p.Tag()+suffix, p.pkgPath, args...); err != nil {
 return err
 }
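Review bot: In the second hunk of `pkglib/build.go`, the JSON passed as `--label=org.mobyproject.config=` is what records the privileges the image asks for (for `pkg/sysctl` that is the host pid namespace and `CAP_SYS_ADMIN`), yet a marshalling failure is returned as a bare `return err` with nothing to say which step failed. Wrapping it, for example `return fmt.Errorf("marshalling config for org.mobyproject.config label: %v", err)`, makes a broken `config:` block identifiable in the build output; `fmt` is already imported. It is also worth deciding what happens when a package keeps a `LABEL org.mobyproject.config=...` in its Dockerfile and also sets `config:` in `build.yml`: as far as I know a `--label` given to `docker build` takes precedence over the Dockerfile's, so the two could silently disagree about the privileges requested, and I would document that precedence beside this block or reject the combination. `Build`'s body continues outside the hunk.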
diff --git a/src/cmd/linuxkit/pkglib/pkglib.go b/src/cmd/linuxkit/pkglib/pkglib.go
index 9708710a2..f698c326a 100644
--- a/src/cmd/linuxkit/pkglib/pkglib.go
+++ b/src/cmd/linuxkit/pkglib/pkglib.go
@@ -8,17 +8,20 @@ import (
 "os"
 "path/filepath"
 "strings"
+
+ "github.com/moby/tool/src/moby"
 )
 // Containers fields settable in the build.yml
 type pkgInfo struct {
- Image string `yaml:"image"`
- Org string `yaml:"org"`
- Arches []string `yaml:"arches"`
- GitRepo string `yaml:"gitrepo"` // ??
- Network bool `yaml:"network"`
- DisableContentTrust bool `yaml:"disable-content-trust"`
- DisableCache bool `yaml:"disable-cache"`
+ Image string `yaml:"image"`
+ Org string `yaml:"org"`
+ Arches []string `yaml:"arches"`
+ GitRepo string `yaml:"gitrepo"` // ??
+ Network bool `yaml:"network"`
+ DisableContentTrust bool `yaml:"disable-content-trust"`
+ DisableCache bool `yaml:"disable-cache"`
+ Config *moby.ImageConfig `yaml:"config"`
 }
 // Pkg encapsulates information about a package's source
@@ -31,6 +34,7 @@ type Pkg struct {
 network bool
 trust bool
 cache bool
+ config *moby.ImageConfig
 // Internal state
 pkgPath string
@@ -185,6 +189,7 @@ func NewFromCLI(fs *flag.FlagSet, args ...string) (Pkg, error) {
 network: pi.Network,
 trust: !pi.DisableContentTrust,
 cache: !pi.DisableCache,
+ config: pi.Config,
 dirty: dirty,
 pkgPath: pkgPath,
 git: git,
diff --git a/src/cmd/linuxkit/vendor.conf b/src/cmd/linuxkit/vendor.conf
index 09a22b669..23eb34dd6 100644
--- a/src/cmd/linuxkit/vendor.conf
+++ b/src/cmd/linuxkit/vendor.conf
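Review bot: The new `Config *moby.ImageConfig` field in `pkgInfo` (first hunk of `pkglib/pkglib.go`) lets `build.yml` set the privileges that end up in the image label, but nothing visible in these hunks checks the parsed block before `NewFromCLI` copies `pi.Config` into the package. The YAML decoding call is outside the hunks; if it is not strict, a misspelled key under `config:` (say `readonly`) would be dropped silently and the label would describe a less restricted container than the author intended, so strict decoding or an unknown-key check is worth confirming there. The field also deserves a comment, for example `// Config is marshalled to JSON and set as the org.mobyproject.config image label; nil means no label.`, since the neighbouring fields give no hint that this one carries security-relevant settings. `NewFromCLI` and both structs extend beyond the hunks shown.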
@@ -24,7 +24,7 @@ github.com/jmespath/go-jmespath bd40a432e4c76585ef6b72d3fd96fb9b6dc7b68d
 github.com/mitchellh/go-ps 4fdf99ab29366514c69ccccddab5dc58b8d84062
 github.com/moby/datakit 97b3d230535397a813323902c23751e176481a86
 github.com/moby/hyperkit a12cd7250bcd8d689078e3e42ae4a7cf6a0cbaf3
-github.com/moby/tool 63a5dedd28a459900eba56dd191edaeb688cfdf4
+github.com/moby/tool 656bd87fd26b4cfc7da735939ce78cc7cb541181
 github.com/moby/vpnkit 0e4293bb1058598c4b0a406ed171f52573ef414c
 github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448
 github.com/opencontainers/image-spec v1.0.0
diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go
index 9d4119cc4..d4f57c8aa 100644
--- a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go
+++ b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go
@@ -62,8 +62,14 @@ type File struct {
 // Image is the type of an image config
 type Image struct {
- Name string `yaml:"name" json:"name"`
- Image string `yaml:"image" json:"image"`
+ Name string `yaml:"name" json:"name"`
+ Image string `yaml:"image" json:"image"`
+ ImageConfig `yaml:",inline"`
+}
+
+// ImageConfig is the configuration part of Image, it is the subset
+// which is valid in a "org.mobyproject.config" label on an image.
+type ImageConfig struct {
 Capabilities *[]string `yaml:"capabilities" json:"capabilities,omitempty"`
 Ambient *[]string `yaml:"ambient" json:"ambient,omitempty"`
 Mounts *[]specs.Mount `yaml:"mounts" json:"mounts,omitempty"`