diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index ac3b104ea02..822edefc9bb 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -407,6 +407,13 @@ func (p *initProcess) start() (retErr error) {
 }
 }()

+ // We should join the cgroup after the initial setup finished,
+ // but before runc init clone new children processes. (#4427)
+ err = <-waitInit
+ if err != nil {
+ return err
+ }
+
 // Do this before syncing with child so that no children can escape the
 // cgroup. We don't need to worry about not doing this and not being root
 // because we'd be using the rootless cgroup manager in that case.
@@ -421,10 +428,6 @@ func (p *initProcess) start() (retErr error) {
 if _, err := io.Copy(p.messageSockPair.parent, p.bootstrapData); err != nil {
 return fmt.Errorf("can't copy bootstrap data to pipe: %w", err)
 }
- err = <-waitInit
- if err != nil {
- return err
- }

 childPid, err := p.getChildPid()
 if err != nil {
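Review bot: The retained comment directly below the added wait still says the cgroup join happens "before syncing with child", but the parent has now already synchronised once on `waitInit` before reaching it, so the two comments contradict each other. This ordering is what keeps child processes from starting outside the cgroup, so the new comment should name the invariant it relies on: presumably runc init cannot clone until it has read the bootstrap data, which the next hunk shows being copied only after this point. Suggested wording: `// Wait for runc init's initial setup, then join the cgroup before sending bootstrap data; init clones no children until it has read that data. (#4427)` and, for the old comment, `// Do this before sending bootstrap data so that no children can escape the cgroup.` The bare `return err` could also carry context like the neighbouring `fmt.Errorf("can't copy bootstrap data to pipe: %w", err)`, unless the waiter already wraps its error. The body of start() and the cgroup join call itself lie outside the hunk, so whether anything before this wait can already fork is not visible here.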