diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 7f6c95e76a7..a669c1badc6 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -481,6 +481,7 @@ func (c *linuxContainer) commandTemplate(p *Process, childPipe *os.File) (*exec.
 cmd.ExtraFiles = append(cmd.ExtraFiles, childPipe)
 cmd.Env = append(cmd.Env,
 fmt.Sprintf("_LIBCONTAINER_INITPIPE=%d", stdioFdCount+len(cmd.ExtraFiles)-1),
+ fmt.Sprintf("_LIBCONTAINER_STATEDIR=%s", c.root),
 )
 if disabledMemfdClone := os.Getenv("_LIBCONTAINER_DISABLE_MEMFD_CLONE"); disabledMemfdClone != "" {
 cmd.Env = append(cmd.Env,
diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
index 72fbd015302..7d0fe8b055a 100644
--- a/libcontainer/nsenter/cloned_binary.c
+++ b/libcontainer/nsenter/cloned_binary.c
@@ -205,8 +205,14 @@ static int fetchve(char ***argv)
 static int make_execfd(int *fdtype, int allowed)
 {
- int fd;
- char template[] = "/tmp/runc-cloned-binary.XXXXXX";
+ int fd = -1;
+ char template[PATH_MAX] = {0};
+ char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
+
+ if (!prefix || *prefix != '/') prefix = "/tmp";
+ if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
+ return -1;

 /*
 * Try memfd first, it's much nicer since it's easily detected thanks to
@@ -228,7 +234,7 @@ static int make_execfd(int *fdtype, int allowed)
 */
 *fdtype = EFD_TMPFILE;
 if (*fdtype & allowed) {
- fd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700);
+ fd = open(prefix, O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700);
 if (fd >= 0) {
 struct stat statbuf = {};
 bool working_otmpfile = false;
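Review bot: The new `_LIBCONTAINER_STATEDIR` entry is only honoured by nsenter when the value begins with '/'; `make_execfd` in this same commit silently falls back to `/tmp` otherwise, so a relative `c.root` would quietly reinstate the old /tmp behaviour with no error or log. If the container factory does not already guarantee an absolute root (not visible from here), resolve it before it is exported, e.g. set `c.root` via `filepath.Abs` at construction rather than trusting the caller, and in any case annotate the added line with `// read by nsenter/cloned_binary.c (make_execfd); must be absolute or nsenter ignores it and uses /tmp`. Since this value decides where an executable copy of runc is created, a silent downgrade is worth guarding against explicitly. commandTemplate's body begins and ends outside this hunk.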
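Review bot: `prefix` reaching this `open()` has only been checked for a leading '/' (the `secure_getenv` block earlier in this file), and unlike the removed `"/tmp"` line no retry against `/tmp` is visible here when the state dir cannot be opened, so an absent or inaccessible state dir now leaves the O_TMPFILE path entirely; that is the fail-closed direction you want for an exec fd, but it should be deliberate and commented. Ownership of the directory does not matter for this unnamed O_TMPFILE file, yet it presumably does for the named-file fallback that `template` (with its `XXXXXX` suffix) is prepared for later in `make_execfd`, where the `/tmp` default keeps a world-writable directory in play — worth a sentence in the comment block that ends at the top of this hunk. Suggested line above the open: `/* prefix is the runc state dir from _LIBCONTAINER_STATEDIR, or /tmp when unset/relative */`. The enclosing make_execfd continues past the end of this hunk.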