diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c
index 9e2f8587c..c688a8746 100644
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -81,7 +81,7 @@ int lxc_abstract_unix_open(const char *path, int type, int flags)
 ssize_t len;
 struct sockaddr_un addr;
- fd = socket(PF_UNIX, type, 0);
+ fd = socket(PF_UNIX, type | SOCK_CLOEXEC, 0);
 if (fd < 0) return -1;
@@ -129,7 +129,7 @@ int lxc_abstract_unix_connect(const char *path)
 ssize_t len;
 struct sockaddr_un addr;
- fd = socket(PF_UNIX, SOCK_STREAM, 0);
+ fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
 if (fd < 0) return -1;
@@ -371,7 +371,7 @@ int lxc_unix_connect(struct sockaddr_un *addr)
 int ret;
 ssize_t len;
- fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
 if (fd < 0) {
 SYSERROR("Failed to open new AF_UNIX socket");
 return -1;
diff --git a/src/lxc/network.c b/src/lxc/network.c
index b415d17b5..5edd822b4 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -2202,7 +2202,7 @@ int lxc_bridge_attach(const char *bridge, const char *ifname)
 if (is_ovs_bridge(bridge)) return lxc_ovs_attach_bridge(bridge, ifname);
- fd = socket(AF_INET, SOCK_STREAM, 0);
+ fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
 if (fd < 0) return -errno;
@@ -2307,7 +2307,7 @@ int setup_private_host_hw_addr(char *veth1)
 int err, sockfd;
 struct ifreq ifr;
- sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+ sockfd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 if (sockfd < 0) return -errno;
@@ -3294,7 +3294,7 @@ static int setup_hw_addr(char *hwaddr, const char *ifname)
 ifr.ifr_name[IFNAMSIZ-1] = '\0';
 memcpy((char *) &ifr.ifr_hwaddr, (char *) &sockaddr, sizeof(sockaddr));
- fd = socket(AF_INET, SOCK_DGRAM, 0);
+ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
 if (fd < 0) return -1;
diff --git a/src/lxc/nl.c b/src/lxc/nl.c
index eb4535a73..15beec2a0 100644
--- a/src/lxc/nl.c
+++ b/src/lxc/nl.c
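Review bot: In `lxc_abstract_unix_open` the flag lands only on the socket created here; close-on-exec is a per-descriptor flag, so a connection later taken from this socket with plain `accept()` would not carry it. The accept path is not part of this diff, so this needs confirming, but where one exists it would need `accept4(fd, NULL, NULL, SOCK_CLOEXEC)` to give the same guarantee. Since `type` is supplied by the caller and the flag is now forced for every caller, it is also worth checking that none of them deliberately hands this descriptor to an exec'd child, which would now fail silently. The function body starts and ends outside the hunk.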
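Review bot: `setup_hw_addr` in network.c collapses a failed `socket()` to `return -1` with no log, while `lxc_bridge_attach` and `setup_private_host_hw_addr` in the same file return `-errno`. With `SOCK_CLOEXEC` now in the type argument, a kernel without support for the flag rejects the call with EINVAL, and here that cause is discarded. If the callers only test for a negative result (not visible in this diff), `return -errno;` would preserve the reason and match the sibling functions. The same silent `-1` appears in `lxc_abstract_unix_open` and `lxc_abstract_unix_connect` in af_unix.c, and all of these functions extend beyond their hunks.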
@@ -295,7 +295,7 @@ extern int netlink_open(struct nl_handler *handler, int protocol)
 memset(handler, 0, sizeof(*handler));
- handler->fd = socket(AF_NETLINK, SOCK_RAW, protocol);
+ handler->fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, protocol);
 if (handler->fd < 0) return -errno;