diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
index 4e63d97a201..6e44601ef1a 100644
--- a/libcontainer/capabilities/capabilities.go
+++ b/libcontainer/capabilities/capabilities.go
@@ -45,6 +45,9 @@ func KnownCapabilities() []string {
 // printing a warning instead.
 func New(capConfig *configs.Capabilities) (*Caps, error) {
 var c Caps
+ if capConfig == nil {
+ return &c, nil
+ }
 _, err := capMap()
 if err != nil {
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 12e219179d3..c9e74188e2b 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -691,7 +691,7 @@ func (c *Container) newInitConfig(process *Process) *initConfig {
 User: process.User,
 AdditionalGroups: process.AdditionalGroups,
 Cwd: process.Cwd,
- Capabilities: process.Capabilities,
+ Capabilities: c.config.Capabilities,
 PassedFilesCount: len(process.ExtraFiles),
 ContainerID: c.ID(),
 NoNewPrivileges: c.config.NoNewPrivileges,
@@ -707,6 +707,9 @@ func (c *Container) newInitConfig(process *Process) *initConfig {
 // Overwrite config properties with ones from process.
+ if process.Capabilities != nil {
+ cfg.Capabilities = process.Capabilities
+ }
 if process.NoNewPrivileges != nil {
 cfg.NoNewPrivileges = *process.NoNewPrivileges
 }
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index bb9eca45ee8..613f6200f3a 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -351,13 +351,7 @@ func finalizeNamespace(config *initConfig) error {
 }
 }
- caps := &configs.Capabilities{}
- if config.Capabilities != nil {
- caps = config.Capabilities
- } else if config.Config.Capabilities != nil {
- caps = config.Config.Capabilities
- }
- w, err := capabilities.New(caps)
+ w, err := capabilities.New(config.Capabilities)
 if err != nil {
 return err
 }
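Review bot: The nil early return in `New` hands back a zero-value `Caps` before `capMap()` runs, and nothing visible in this hunk says what the `Caps` methods do with that value. The fallback removed from `finalizeNamespace` (the init_linux.go hunk) used to pass a non-nil, empty `configs.Capabilities` through the normal path. If the apply methods treat a zero `Caps` as a no-op, a process with no capability configuration at all would keep the sets it inherited instead of having them cleared, which is the less restrictive outcome. Please confirm which behaviour is intended, cover the nil case with a test, and record it in the doc comment, for example `// If capConfig is nil, New returns an empty Caps and does not consult capMap.`. The body of `New` continues outside the hunk.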
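Review bot: The override at `if process.Capabilities != nil` gives nil and empty different meanings, and that contract is not written down: nil inherits `c.config.Capabilities`, while a non-nil `configs.Capabilities` with empty sets replaces the container's capabilities with none. A comment above the check would make this explicit for callers, e.g. `// nil means inherit the container's capabilities; a non-nil value, even an empty one, replaces them.`. Separately, the struct literal in the previous hunk now stores the container's own pointer in `cfg.Capabilities`, so any later in-place modification would also change the container config. That second point is inferred, since the rest of `newInitConfig` is outside the hunk.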