diff --git a/src/services/execution/execute/execution.c b/src/services/execution/execute/execution.c
index 824a0a28e8497df8c8dfd1a794c86cebcdba30a7..5e9631bd279aa0cac41bb0c5c69a15fe8b19ab03 100644
--- a/src/services/execution/execute/execution.c
+++ b/src/services/execution/execute/execution.c
@@ -527,9 +527,23 @@ static int mount_dev_tmpfs_for_system_container(const container_t *cont)
 return -1;
 }
 }
- if (mount("tmpfs", rootfs_dev_path, "tmpfs", 0, "size=500000,mode=755")) {
- ERROR("Failed to mount dev tmpfs on '%s'", rootfs_dev_path);
- return -1;
+ /* set /dev mount size to half of container memory limit */
+ if (cont->hostconfig->memory > 0) {
+ char mnt_opt[MOUNT_PROPERTIES_SIZE] = { 0 };
+ nret = snprintf(mnt_opt, sizeof(mnt_opt), "size=%lld,mode=755", (long long int)(cont->hostconfig->memory / 2));
+ if (nret < 0 || (size_t)nret >= sizeof(mnt_opt)) {
+ ERROR("Out of memory");
+ return -1;
+ }
+ if (mount("tmpfs", rootfs_dev_path, "tmpfs", 0, mnt_opt) != 0) {
+ ERROR("Failed to mount dev tmpfs on '%s'", rootfs_dev_path);
+ return -1;
+ }
+ } else {
+ if (mount("tmpfs", rootfs_dev_path, "tmpfs", 0, "mode=755") != 0) {
+ ERROR("Failed to mount dev tmpfs on '%s'", rootfs_dev_path);
+ return -1;
+ }
 }
 if (cont->hostconfig->user_remap != NULL) {
 unsigned int host_uid = 0;
diff --git a/src/services/execution/spec/specs.c b/src/services/execution/spec/specs.c
index c66bee1930225ceec0912657bac5d25b8210f936..ab0566a9033903615c7f80dfe09234150b12a266 100644
--- a/src/services/execution/spec/specs.c
+++ b/src/services/execution/spec/specs.c
@@ -1691,7 +1691,7 @@ out:
 return ret;
 }
-static int parse_security_opt(const host_config *host_spec, bool *no_new_privileges,
+int parse_security_opt(const host_config *host_spec, bool *no_new_privileges,
 char ***label_opts, size_t *label_opts_len,
 char **seccomp_profile)
 {
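Review bot: The `else` branch removes every size bound on the /dev tmpfs: when `cont->hostconfig->memory` is not positive, `mount("tmpfs", rootfs_dev_path, "tmpfs", 0, "mode=755")` leaves the filesystem at the kernel default size (half of host RAM), where the removed line capped it at `size=500000`, and `memory <= 0` is exactly the case in which no memory cgroup limit bounds what the container writes into /dev. Keep an explicit cap in that branch, e.g. the previous `"size=500000,mode=755"` or a named constant, and say in the comment why unlimited-memory containers still get one. The `ERROR("Out of memory")` after snprintf reports a truncation or format failure rather than an allocation failure; `ERROR("Failed to format mount options for '%s'", rootfs_dev_path)` describes what actually happened. mount_dev_tmpfs_for_system_container begins before and ends after this hunk, and `nret` is declared outside it.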
diff --git a/src/services/execution/spec/specs.h b/src/services/execution/spec/specs.h
index b2f596c4aad5d3122c2456fcc95df39ba0cbf48b..3852502cfa3449c64f494a74f77343d7756de911 100644
--- a/src/services/execution/spec/specs.h
+++ b/src/services/execution/spec/specs.h
@@ -37,6 +37,9 @@ oci_runtime_spec *default_spec(bool system_container);
 int merge_conf_cgroup(oci_runtime_spec *oci_spec, const host_config *host_spec);
 int save_oci_config(const char *id, const char *rootpath, const oci_runtime_spec *oci_spec);
+int parse_security_opt(const host_config *host_spec, bool *no_new_privileges,
+ char ***label_opts, size_t *label_opts_len,
+ char **seccomp_profile);
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/services/execution/spec/specs_security.c b/src/services/execution/spec/specs_security.c
index b5dee96fb97374027b5feaa3ca2ff49a3b82e621..a84c1434bb7acfa013f568e3093560bb32e33fc1 100644
--- a/src/services/execution/spec/specs_security.c
+++ b/src/services/execution/spec/specs_security.c
@@ -45,6 +45,7 @@
 #include "libisulad.h"
 #include "specs_extend.h"
 #include "selinux_label.h"
+#include "specs.h"
 #define MAX_CAP_LEN 32
@@ -984,6 +985,10 @@ int adapt_settings_for_system_container(oci_runtime_spec *oci_spec, const host_c
 };
 char **adds = NULL;
 size_t adds_len = 0;
+ bool no_new_privileges = false;
+ char **label_opts = NULL;
+ size_t label_opts_len = 0;
+ char *seccomp_profile = NULL;
 ret = get_adds_cap_for_system_container(host_spec, &adds, &adds_len);
 if (ret != 0) {
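Review bot: The newly exported `parse_security_opt` prototype carries no contract, yet its out-parameters transfer ownership: the caller added in specs_security.c releases them with `util_free_array(label_opts)` and `free(seccomp_profile)`. Add a Doxygen comment above the declaration stating that on success `*label_opts` (with `*label_opts_len` entries) and `*seccomp_profile` are heap-allocated and owned by the caller, that they may be left NULL when the corresponding option is absent, and what a non-zero return means for their state. Whether the outputs are guaranteed untouched on failure is not visible in this diff and should be checked against the definition in specs.c before it is written down.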
@@ -1009,6 +1014,16 @@ int adapt_settings_for_system_container(oci_runtime_spec *oci_spec, const host_c
 goto out;
 }
+ret = parse_security_opt(host_spec, &no_new_privileges, &label_opts,
+ &label_opts_len, &seccomp_profile);
+if (ret != 0) {
+ERROR("Failed to parse security opt");
+goto out;
+}
+/* do not append to seccomp if seccomp profile is NULL or unconfined */
+if (seccomp_profile == NULL || strcmp(seccomp_profile, "unconfined") == 0) {
+goto out;
+}
 ret = append_systemcall_to_seccomp(
 oci_spec->linux->seccomp,
 make_seccomp_syscalls_element((const char **)unblocked_systemcall_for_system_container,
@@ -1021,6 +1036,8 @@ int adapt_settings_for_system_container(oci_runtime_spec *oci_spec, const host_c
 goto out;
 }
 out:
+util_free_array(label_opts);
+free(seccomp_profile);
 free_adds_cap_for_system_container(adds, adds_len);
 return ret;
 }
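Review bot: The early `goto out` also fires when `seccomp_profile == NULL`, so the `unblocked_systemcall_for_system_container` entries are now appended only when the user supplied an explicit profile; if a NULL profile means the daemon's default seccomp profile is still applied elsewhere, system containers silently lose that allowlist, whereas if NULL means no seccomp at all the skip is correct. Confirm which meaning NULL has here and state it in the comment, e.g. `/* NULL: no seccomp profile is applied to this container, so there is nothing to extend */`. `no_new_privileges`, `label_opts` and `label_opts_len` are filled but never read in this function; a one-line comment saying they are parsed only because parse_security_opt returns all three would save the next reader a search. adapt_settings_for_system_container begins before and ends after this hunk.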