diff --git a/go.mod b/go.mod
index 59e1e515194..aacc4bb8ed9 100644
--- a/go.mod
+++ b/go.mod
@@ -5,16 +5,16 @@ go 1.18
 require (
 github.com/checkpoint-restore/go-criu/v5 v5.3.0
 github.com/cilium/ebpf v0.7.0
- github.com/containerd/console v1.0.3
- github.com/coreos/go-systemd/v22 v22.3.2
+ github.com/containerd/console v1.0.4
+ github.com/coreos/go-systemd/v22 v22.5.0
 github.com/cyphar/filepath-securejoin v0.2.4
 github.com/docker/go-units v0.4.0
 github.com/godbus/dbus/v5 v5.0.6
 github.com/moby/sys/mountinfo v0.5.0
 github.com/mrunalp/fileutils v0.5.1
- github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
- github.com/opencontainers/selinux v1.10.0
- github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646
+ github.com/opencontainers/runtime-spec v1.2.0
+ github.com/opencontainers/selinux v1.11.1
+ github.com/seccomp/libseccomp-golang v0.10.0
 github.com/sirupsen/logrus v1.8.1
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 // NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index ac3b104ea02..0ae7ff3ee5f 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -407,6 +407,13 @@ func (p *initProcess) start() (retErr error) {
 }
 }()
 
+ // We should join the cgroup after the initial setup finished,
+ // but before runc init clone new children processes. (#4427)
+ err = <-waitInit
+ if err != nil {
+ return err
+ }
+
 // Do this before syncing with child so that no children can escape the
 // cgroup. We don't need to worry about not doing this and not being root
 // because we'd be using the rootless cgroup manager in that case.
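Review bot: The comment added above `err = <-waitInit` states the required order but not the reason for either bound, and the step that enforces the second bound is not in this hunk. A later reorder of start() could therefore reopen the window the existing "no children can escape the cgroup" comment warns about without anyone noticing. I would spell out both bounds at the receive, for example `// Wait for runc init's initial setup before joining the cgroup (#4427).` followed by `// The cgroup join below must still happen before the bootstrap data is sent, so no child is cloned outside it.` That the bootstrap copy is what releases runc init to clone is inferred from the surrounding comments, not shown here, so it needs confirming. The body of start() begins and ends outside the hunk.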
@@ -421,10 +428,6 @@ func (p *initProcess) start() (retErr error) {
 if _, err := io.Copy(p.messageSockPair.parent, p.bootstrapData); err != nil {
 return fmt.Errorf("can't copy bootstrap data to pipe: %w", err)
 }
- err = <-waitInit
- if err != nil {
- return err
- }
 
 childPid, err := p.getChildPid()
 if err != nil {
diff --git a/libcontainer/userns/userns_maps.c b/libcontainer/userns/userns_maps_linux.c
similarity index 99%
rename from libcontainer/userns/userns_maps.c
rename to libcontainer/userns/userns_maps_linux.c
index 84f2c6188c3..fdb20aecad8 100644
--- a/libcontainer/userns/userns_maps.c
+++ b/libcontainer/userns/userns_maps_linux.c
@@ -1,3 +1,5 @@
+//go:build linux
+
 #define _GNU_SOURCE
 #include
 #include