diff --git a/crates/libcontainer/src/process/container_init_process.rs b/crates/libcontainer/src/process/container_init_process.rs
index 6c4997577d..d1187903b6 100644
--- a/crates/libcontainer/src/process/container_init_process.rs
+++ b/crates/libcontainer/src/process/container_init_process.rs
@@ -9,6 +9,7 @@ use crate::{
 use anyhow::{bail, Context, Result};
 use nix::mount::MsFlags;
 use nix::sched::CloneFlags;
+use nix::sys::stat::Mode;
 use nix::{
     fcntl,
     unistd::{self, Gid, Uid},
@@ -294,6 +295,14 @@ pub fn container_init_process(
         )?
     }
 
+    if let Some(umask) = proc.user().umask() {
+        if let Some(mode) = Mode::from_bits(umask) {
+            nix::sys::stat::umask(mode);
+        } else {
+            bail!("invalid umask {}", umask);
+        }
+    }
+
     if let Some(paths) = linux.readonly_paths() {
         // mount readonly path
         for path in paths {
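Review bot: The `bail!` in the second hunk renders the rejected umask in decimal, but umask values are conventionally written and read in octal, so a spec value with a stray high bit would be reported as an unfamiliar number; `bail!("invalid umask {:#o}", umask);` would match how the field is authored. A one-line comment above the new block would also help a reader, e.g. `// Apply process.user.umask here, in the init process, so the exec'd entrypoint inherits it; Mode::from_bits rejects any bits outside the permission mask.` The umask is changed before the readonly-path mounts that follow; mounts do not create files, but if anything later in container_init_process creates files or directories their modes will now be shaped by the spec umask — presumably intended, worth confirming. container_init_process starts and ends outside this hunk.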