diff --git a/client/client_test.go b/client/client_test.go
index a6542dc2140d..c90e8d88c104 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -13,6 +13,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
@@ -1055,22 +1056,26 @@ func testSecurityModeSysfs(t *testing.T, sb integration.Sandbox) {
 	require.NoError(t, err)
 	defer c.Close()
 
-	cg := "/sys/fs/cgroup/cpuset/securitytest" // cgroup v1
+	cg := "/sys/fs/cgroup/cpuset" // cgroup v1
 	if _, err := os.Stat("/sys/fs/cgroup/cpuset"); errors.Is(err, os.ErrNotExist) {
-		cg = "/sys/fs/cgroup/securitytest" // cgroup v2
+		cg = "/sys/fs/cgroup" // cgroup v2
 	}
 
-	command := "mkdir " + cg
+	// create temporary directory in cgroupfs to not interfere with subsequent runs
+	command := fmt.Sprintf("mktemp -d -p %s securitytest.XXXXXX", cg)
 	st := llb.Image("busybox:latest").
-		Run(llb.Shlex(command),
-			llb.Security(mode))
+		Run(llb.Shlex("sh -c 'ls -l /sys/fs/cgroup | grep securitytest > /out || true'")).
+		Run(llb.Shlex(command), llb.Security(mode))
 
 	def, err := st.Marshal(sb.Context())
 	require.NoError(t, err)
 
 	_, err = c.Solve(sb.Context(), def, SolveOpt{
 		AllowedEntitlements: allowedEntitlements,
+		Exports:             []ExportEntry{{Type: "local", OutputDir: "/tmp/out"}},
 	}, nil)
+	b, _ := ioutil.ReadFile("/tmp/out/out")
+	t.Logf("FOOBAR %s", b)
 
 	if secMode == securitySandbox {
 		require.Error(t, err)