diff --git a/git-commit b/git-commit
index 92cc7b4a6ba1be7029f5c6c5183b0356bee09440..36e4edcb2e8748653b3c44a0a3a222c6fa4cfb93 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-f4036ea04db8cd0df716110b147057209c36ac78
+cbf2b5fbcc5fe032a694335f80c651c54a6c27e6
diff --git a/patch/0030-runc-support-specify-umask.patch b/patch/0030-runc-support-specify-umask.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a76e795b186ec5b4650bc4f33dfc311bc589f800
--- /dev/null
+++ b/patch/0030-runc-support-specify-umask.patch
@@ -0,0 +1,55 @@
+From cb7c43347df720787be7457d4a991181ba608080 Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Tue, 10 Jan 2023 11:52:14 +0800
+Subject: [PATCH] runc:support specify umask
+
+---
+ libcontainer/rootfs_linux.go | 6 ++++++
+ libcontainer/setns_init_linux.go | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 0bf1729..280a633 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -190,6 +190,12 @@ func finalizeRootfs(config *configs.Config) (err error) {
+ } else {
+ unix.Umask(0o022)
+ }
++ umask := utils.SearchLabels(config.Labels, "native.umask")
++ if umask == "normal" {
++ unix.Umask(0o022)
++ } else {
++ unix.Umask(0o027)
++ }
+ return nil
+ }
+
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index 09ab552..e9b8d62 100644
+--- a/libcontainer/setns_init_linux.go
++++ b/libcontainer/setns_init_linux.go
+@@ -14,6 +14,7 @@ import (
+ "github.com/opencontainers/runc/libcontainer/keys"
+ "github.com/opencontainers/runc/libcontainer/seccomp"
+ "github.com/opencontainers/runc/libcontainer/system"
++ "github.com/opencontainers/runc/libcontainer/utils"
+ )
+
+ // linuxSetnsInit performs the container's initialization for running a new process
+@@ -54,6 +55,12 @@ func (l *linuxSetnsInit) Init() error {
+ return err
+ }
+ }
++ umask := utils.SearchLabels(l.config.Config.Labels, "native.umask")
++ if umask == "normal" {
++ unix.Umask(0o022)
++ } else {
++ unix.Umask(0o027)
++ }
+ if l.config.NoNewPrivileges {
+ if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+ return err
+--
+2.30.0
+
diff --git a/runc.spec b/runc.spec
index bc62cff280873277e7f6b1ca7dd4cf73d5f61c0f..c5a2f3ee4576125cf866b2fed9bc1b034b6a033d 100644
--- a/runc.spec
+++ b/runc.spec
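Review bot: In finalizeRootfs the added block calls unix.Umask unconditionally right after the preceding if/else has already chosen a umask, so whatever that branch selected (its condition is outside the hunk; presumably the per-container umask carried in the config) is discarded, and every container without a `native.umask` label now runs with 0o027 instead of the value the earlier code set. The else arm also maps any value other than `"normal"`, including a typo, to 0o027 without reporting anything, so a misconfigured label is indistinguishable from the hardened default. If the label is meant as an opt-in override, `} else if umask != "" {` keeps the earlier choice when the label is absent, and returning an error for unrecognized values would make the misconfiguration visible instead of silent. The same six lines are repeated in linuxSetnsInit.Init, which has no preceding umask call in view, so a single shared helper taking the labels slice would keep the two paths from drifting. Both functions begin and end outside the hunk.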
@@ -3,7 +3,7 @@ Name: docker-runc Version: 1.1.3 -Release: 8 +Release: 9 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. License: ASL 2.0 @@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc %{_bindir}/runc %changelog +* Tue Jan 10 2023 zhongjiawei - 1.1.3-9 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:support specify umask + * Thu Jan 5 2023 zhongjiawei - 1.1.3-8 - Type:bugfix - CVE:NA