diff --git a/3468.patch b/3468.patch
new file mode 100644
index 0000000..a02339d
--- /dev/null
+++ b/3468.patch
@@ -0,0 +1,84 @@
+From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Wed, 4 May 2022 14:56:16 -0700
+Subject: [PATCH] Remove tun/tap from the default device rules
+
+Looking through git blame, this was added by commit 9fac18329
+aka "Initial commit of runc binary", most probably by mistake.
+
+Obviously, a container should not have access to tun/tap device, unless
+it is explicitly specified in configuration.
+
+Now, removing this might create a compatibility issue, but I see no
+other choice.
+
+Aside from the obvious misconfiguration, this should also fix the
+annoying
+
+> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
+
+messages from systemd on every container start, when runc uses systemd
+cgroup driver, and the system runs an old (< v240) version of systemd
+(the message was presumably eliminated by [1]).
+
+[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
+
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+ .../ebpf/devicefilter/devicefilter_test.go    | 19 ++++++-------------
+ libcontainer/specconv/spec_linux.go           | 10 ----------
+ 2 files changed, 6 insertions(+), 23 deletions(-)
+
+diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+index d279335821..25703be5ad 100644
+--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
++++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+@@ -120,21 +120,14 @@ block-8:
+         51: Mov32Imm dst: r0 imm: 1
+         52: Exit
+ block-9:
+-// tuntap (c, 10, 200, rwm, allow)
++// /dev/pts (c, 136, wildcard, rwm, true)
+         53: JNEImm dst: r2 off: -1 imm: 2 <block-10>
+-        54: JNEImm dst: r4 off: -1 imm: 10 <block-10>
+-        55: JNEImm dst: r5 off: -1 imm: 200 <block-10>
+-        56: Mov32Imm dst: r0 imm: 1
+-        57: Exit
++        54: JNEImm dst: r4 off: -1 imm: 136 <block-10>
++        55: Mov32Imm dst: r0 imm: 1
++        56: Exit
+ block-10:
+-// /dev/pts (c, 136, wildcard, rwm, true)
+-        58: JNEImm dst: r2 off: -1 imm: 2 <block-11>
+-        59: JNEImm dst: r4 off: -1 imm: 136 <block-11>
+-        60: Mov32Imm dst: r0 imm: 1
+-        61: Exit
+-block-11:
+-        62: Mov32Imm dst: r0 imm: 0
+-        63: Exit
++        57: Mov32Imm dst: r0 imm: 0
++        58: Exit
+ `
+ 	var devices []*devices.Rule
+ 	for _, device := range specconv.AllowedDevices {
+diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
+index 5ae95c6c18..83c7a2c348 100644
+--- a/libcontainer/specconv/spec_linux.go
++++ b/libcontainer/specconv/spec_linux.go
+@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
+ 			Allow:       true,
+ 		},
+ 	},
+-	// tuntap
+-	{
+-		Rule: devices.Rule{
+-			Type:        devices.CharDevice,
+-			Major:       10,
+-			Minor:       200,
+-			Permissions: "rwm",
+-			Allow:       true,
+-		},
+-	},
+ }
+ 
+ type CreateOpts struct {
diff --git a/runc.spec b/runc.spec
index 8058cdf..447ccd0 100644
--- a/runc.spec
+++ b/runc.spec
@@ -33,6 +33,7 @@ ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/v%{version}.tar.gz
+Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
 Provides: oci-runtime
 BuildRequires: golang >= 1.17.7
 BuildRequires: git
@@ -85,17 +86,12 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
-* Fri Aug 26 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.4-1
+* Mon Aug 29 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.4-1
 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
 - Related: #2061390
 
-* Thu Aug 25 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-3
-- fix "Error: runc: exec failed: unable to start container process:
-  open /dev/pts/0: operation not permitted: OCI permission denied"
-- Related: #2061390
-
-* Wed Jun 15 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-2
-- add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
+* Mon Jun 13 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-2
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.3
 - Related: #2061390
 
 * Thu Jun 09 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-1
@@ -106,23 +102,16 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.2
 - Related: #2061390
 
-* Thu May 12 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-6
-- Fix every podman run invocation generates two "Couldn't stat device
-  /dev/char/10:200: No such file or directory" lines in the journal
+* Fri Apr 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-3
+- bump golang BR to 1.17.7
 - Related: #2061390
 
-* Wed May 11 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-5
-- BuildRequires: /usr/bin/go-md2man
-- Related: #2061390
-
-* Fri Apr 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-4
-- Related: #2061390
-
-* Tue Mar 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-3
+* Fri Mar 11 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-2
 - require at least libseccomp >= 2.5
 - Resolves: #2053990
+- Related: #2061390
 
-* Wed Feb 16 2022 Jindrich Novy <jnovy@redhat.com> - 1.0.3-2
+* Fri Feb 18 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-1
 - rollback to 1.0.3 due to gating test issues
 - Related: #2001445