diff --git a/mount.c b/mount.c
index 9f6b8e3..6f7bd81 100644
--- a/mount.c
+++ b/mount.c
@@ -104,11 +104,11 @@ static bool mountMount(struct nsjconf_t *nsjconf, struct mounts_t *mpt, const ch
 LOG_W("Couldn't create upper directories for '%s'", dst);
 return false;
 }
- int fd = TEMP_FAILURE_RETRY(open(dst, O_CREAT | O_RDONLY, 0644));
+ int fd = TEMP_FAILURE_RETRY(open(dst, O_CREAT | O_RDONLY | O_CLOEXEC, 0644));
 if (fd >= 0) {
 close(fd);
 } else {
- PLOG_W("open('%s', O_CREAT|O_RDONLY, 0700)", dst);
+ PLOG_W("open('%s', O_CREAT|O_RDONLY|O_CLOEXEC, 0700)", dst);
 }
 }
diff --git a/subproc.c b/subproc.c
index 0f287be..047600a 100644
--- a/subproc.c
+++ b/subproc.c
@@ -112,7 +112,7 @@ static void subprocAdd(struct nsjconf_t *nsjconf, pid_t pid, int sock)
 char fname[PATH_MAX];
 snprintf(fname, sizeof(fname), "/proc/%d/syscall", (int)pid);
- p->pid_syscall_fd = TEMP_FAILURE_RETRY(open(fname, O_RDONLY));
+ p->pid_syscall_fd = TEMP_FAILURE_RETRY(open(fname, O_RDONLY | O_CLOEXEC));
 TAILQ_INSERT_HEAD(&nsjconf->pids, p, pointers);
diff --git a/util.c b/util.c
index 3458433..afb0083 100644
--- a/util.c
+++ b/util.c
@@ -62,9 +62,9 @@ ssize_t utilReadFromFd(int fd, void *buf, size_t len)
 ssize_t utilReadFromFile(const char *fname, void *buf, size_t len)
 {
 int fd;
- TEMP_FAILURE_RETRY(fd = open(fname, O_RDONLY));
+ TEMP_FAILURE_RETRY(fd = open(fname, O_RDONLY | O_CLOEXEC));
 if (fd == -1) {
- LOG_E("open('%s', O_RDONLY)", fname);
+ LOG_E("open('%s', O_RDONLY|O_CLOEXEC)", fname);
 return -1;
 }
 ssize_t ret = utilReadFromFd(fd, buf, len);
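Review bot: The PLOG_W text on the added line still reports mode `0700` while the open() call above it passes `0644`, so a failure log misstates the permissions that were actually requested; the message should read `PLOG_W("open('%s', O_CREAT|O_RDONLY|O_CLOEXEC, 0644)", dst);`. Separately, if the final component of dst could ever be a symlink placed by a less-trusted party (not determinable from this hunk), adding `O_NOFOLLOW` to this create-and-close would keep the placeholder file from being created through it. mountMount starts and ends outside the hunk.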
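Review bot: The result of open() is stored in `p->pid_syscall_fd` without any check, so a failed open (for instance if the child has already gone away) leaves -1 in the list entry and produces no log line. Consider adding `if (p->pid_syscall_fd == -1) { PLOG_W("open('%s', O_RDONLY|O_CLOEXEC)", fname); }` right after the assignment, assuming the logging macros used in mount.c are available in this file. The readers of pid_syscall_fd and the code that closes it are not visible here and should be confirmed to tolerate -1. subprocAdd begins and ends outside the hunk.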
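Review bot: The failure branch logs with `LOG_E`, which, judging by the `PLOG_W` call in mount.c, is presumably the variant that omits errno, so the log cannot tell a missing file from a permission or descriptor-limit failure; `PLOG_E("open('%s', O_RDONLY|O_CLOEXEC)", fname);` would keep the cause. As a style point, the assignment sits inside the macro here (`TEMP_FAILURE_RETRY(fd = open(...))`) while mount.c and subproc.c assign the macro's result; `int fd = TEMP_FAILURE_RETRY(open(fname, O_RDONLY | O_CLOEXEC));` would match them. The rest of utilReadFromFile, including where fd is closed, lies outside the hunk.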