diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index 69bd05997..1e4249c76 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -355,6 +355,24 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 		return nil, errors.Wrapf(err, "failed to set OCI bind mounts %+v", mounts)
 	}
+	// Apply masked paths if specified.
+	// When `MaskedPaths` is not specified, keep runtime default for backward compatibility;
+	// When `MaskedPaths` is specified, but length is zero, clear masked path list.
+	if securityContext.GetMaskedPaths() != nil {
+		g.Config.Linux.MaskedPaths = nil
+		for _, path := range securityContext.GetMaskedPaths() {
+			g.AddLinuxMaskedPaths(path)
+		}
+	}
+
+	// Apply readonly paths if specified.
+	if securityContext.GetReadonlyPaths() != nil {
+		g.Config.Linux.ReadonlyPaths = nil
+		for _, path := range securityContext.GetReadonlyPaths() {
+			g.AddLinuxReadonlyPaths(path)
+		}
+	}
+
+	if securityContext.GetPrivileged() {
+		if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
+			return nil, errors.New("no privileged container allowed in sandbox")
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index fc665febf..c590c64f8 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -248,7 +248,6 @@ func TestContainerCapabilities(t *testing.T) {
 		spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
 		require.NoError(t, err)
 		specCheck(t, testID, testSandboxID, testPid, spec)
-		t.Log(spec.Process.Capabilities.Bounding)
 		for _, include := range test.includes {
 			assert.Contains(t, spec.Process.Capabilities.Bounding, include)
 			assert.Contains(t, spec.Process.Capabilities.Effective, include)
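Review bot: The entries copied into the spec by the two `for _, path := range ...` loops are not validated; the OCI runtime spec requires maskedPaths and readonlyPaths to be absolute paths in the container namespace, so an empty or relative string from the CRI client should be rejected here rather than handed to the runtime, e.g. `if !filepath.IsAbs(path) { return nil, errors.Errorf("masked path %q must be absolute", path) }` inside each loop (assuming path/filepath is already imported in this file). The readonly block deserves the same nil-vs-empty explanation as the masked one, since an explicit empty list is what drops the runtime's default list for an unprivileged container and that is the security-relevant consequence of the change. Whether the privileged check that follows also resets these lists cannot be seen from this hunk. generateContainerSpec begins and ends outside the hunk.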
@@ -913,3 +912,45 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 		}
 	}
 }
+
+func TestMaskedAndReadonlyPaths(t *testing.T) {
+	testID := "test-id"
+	testSandboxID := "sandbox-id"
+	testPid := uint32(1234)
+	config, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+	c := newTestCRIService()
+	defaultSpec, err := defaultRuntimeSpec(testID)
+	require.NoError(t, err)
+	for desc, test := range map[string]struct {
+		masked           []string
+		readonly         []string
+		expectedMasked   []string
+		expectedReadonly []string
+	}{
+		"should apply default if not specified": {
+			expectedMasked:   defaultSpec.Linux.MaskedPaths,
+			expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
+		},
+		"should be able to specify empty paths": {
+			masked:           []string{},
+			readonly:         []string{},
+			expectedMasked:   nil,
+			expectedReadonly: nil,
+		},
+		"should apply CRI specified paths": {
+			masked:           []string{"/proc"},
+			readonly:         []string{"/sys"},
+			expectedMasked:   []string{"/proc"},
+			expectedReadonly: []string{"/sys"},
+		},
+	} {
+		t.Logf("TestCase %q", desc)
+		config.Linux.SecurityContext.MaskedPaths = test.masked
+		config.Linux.SecurityContext.ReadonlyPaths = test.readonly
+		spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
+		require.NoError(t, err)
+		specCheck(t, testID, testSandboxID, testPid, spec)
+		assert.Equal(t, test.expectedMasked, spec.Linux.MaskedPaths)
+		assert.Equal(t, test.expectedReadonly, spec.Linux.ReadonlyPaths)
+	}
+}
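Review bot: No case in TestMaskedAndReadonlyPaths sets the two lists independently — every case gives `masked` and `readonly` the same shape, so a regression in which clearing one list also cleared the other would still pass. A case such as `"should keep default readonly when only masked is cleared": {masked: []string{}, expectedMasked: nil, expectedReadonly: defaultSpec.Linux.ReadonlyPaths}` would pin that the two code paths are separate. The loop also mutates the shared `config` in place and carries it into the next iteration, which is only safe because each case assigns both fields; a comment saying so, or resetting both fields at the top of the loop body, would keep a future case that sets only one from inheriting the previous case's value.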