diff --git a/configure.ac b/configure.ac index 36cef3f8a..9b0b8e151 100644 --- a/configure.ac +++ b/configure.ac @@ -625,10 +625,10 @@ AC_CHECK_DECLS([PR_SET_NO_NEW_PRIVS], [], [], [#include ]) AC_CHECK_DECLS([PR_GET_NO_NEW_PRIVS], [], [], [#include ]) # Check for some headers -AC_CHECK_HEADERS([sys/signalfd.h pty.h ifaddrs.h sys/capability.h sys/personality.h utmpx.h sys/timerfd.h]) +AC_CHECK_HEADERS([sys/signalfd.h pty.h ifaddrs.h sys/capability.h sys/memfd.h sys/personality.h utmpx.h sys/timerfd.h]) # Check for some syscalls functions -AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid]) +AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid memfd_create]) # Check for some functions AC_CHECK_LIB(pthread, main) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index d5ea3c07b..7b66e3747 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -24,20 +24,33 @@ #define _GNU_SOURCE #include "config.h" +#include +#include +#include +#include +#include +#include +#include +#include #include #include -#include -#include #include -#include +#include #include -#include -#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include #include #include -#include -#include -#include +#include +#include #ifdef HAVE_STATVFS #include 
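Review bot: The header probe added to `AC_CHECK_HEADERS` is `sys/memfd.h`, which makes autoconf define `HAVE_SYS_MEMFD_H`, but the conf.c include hunk in this same commit guards its new include with `#ifdef HAVE_LINUX_MEMFD_H`. Unless another check elsewhere in configure.ac defines that macro, the guarded include is never compiled and the build always uses the local `MFD_CLOEXEC` / `MFD_ALLOW_SEALING` fallback defines. The probe and the guard should name the same header. The header name inside the guard is not visible on this page, so the fix is either to probe `linux/memfd.h` here or to change the guard in conf.c to `HAVE_SYS_MEMFD_H`.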
@@ -49,37 +62,25 @@ #include <../include/openpty.h> #endif -#include +#ifdef HAVE_LINUX_MEMFD_H +#include +#endif -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#include "bdev.h" -#include "network.h" -#include "error.h" #include "af_unix.h" +#include "bdev.h" +#include "caps.h" /* for lxc_caps_last_cap() */ +#include "cgroup.h" +#include "conf.h" +#include "error.h" +#include "log.h" +#include "lxcaufs.h" +#include "lxclock.h" +#include "lxcoverlay.h" +#include "lxcseccomp.h" +#include "namespace.h" +#include "network.h" #include "parse.h" #include "utils.h" -#include "conf.h" -#include "log.h" -#include "caps.h" /* for lxc_caps_last_cap() */ -#include "lxcaufs.h" -#include "lxcoverlay.h" -#include "cgroup.h" -#include "lxclock.h" -#include "namespace.h" #include "lsm/lsm.h" #if HAVE_SYS_CAPABILITY_H @@ -96,8 +97,6 @@ #include #endif -#include "lxcseccomp.h" - lxc_log_define(lxc_conf, lxc); #define LINELEN 4096 @@ -135,10 +134,10 @@ lxc_log_define(lxc_conf, lxc); static int pivot_root(const char * new_root, const char * put_old) { #ifdef __NR_pivot_root -return syscall(__NR_pivot_root, new_root, put_old); + return syscall(__NR_pivot_root, new_root, put_old); #else -errno = ENOSYS; -return -1; + errno = ENOSYS; + return -1; #endif } #else @@ -150,10 +149,10 @@ extern int pivot_root(const char * new_root, const char * put_old); static int sethostname(const char * name, size_t len) { #ifdef __NR_sethostname -return syscall(__NR_sethostname, name, len); + return syscall(__NR_sethostname, name, len); #else -errno = ENOSYS; -return -1; + errno = ENOSYS; + return -1; #endif } #endif 
@@ -167,6 +166,59 @@ return -1; #define MS_PRIVATE (1<<18) #endif +/* memfd_create() */ +#ifndef MFD_CLOEXEC +#define MFD_CLOEXEC 0x0001U +#endif + +#ifndef MFD_ALLOW_SEALING +#define MFD_ALLOW_SEALING 0x0002U +#endif + +#ifndef HAVE_MEMFD_CREATE +static int memfd_create(const char *name, unsigned int flags) { + #ifndef __NR_memfd_create + #if defined __i386__ + #define __NR_memfd_create 356 + #elif defined __x86_64__ + #define __NR_memfd_create 319 + #elif defined __arm__ + #define __NR_memfd_create 385 + #elif defined __aarch64__ + #define __NR_memfd_create 279 + #elif defined __s390__ + #define __NR_memfd_create 350 + #elif defined __powerpc__ + #define __NR_memfd_create 360 + #elif defined __sparc__ + #define __NR_memfd_create 348 + #elif defined __blackfin__ + #define __NR_memfd_create 390 + #elif defined __ia64__ + #define __NR_memfd_create 1340 + #elif defined _MIPS_SIM + #if _MIPS_SIM == _MIPS_SIM_ABI32 + #define __NR_memfd_create 4354 + #endif + #if _MIPS_SIM == _MIPS_SIM_NABI32 + #define __NR_memfd_create 6318 + #endif + #if _MIPS_SIM == _MIPS_SIM_ABI64 + #define __NR_memfd_create 5314 + #endif + #endif + #endif + #ifdef __NR_memfd_create + return syscall(__NR_memfd_create, name, flags); + #else + errno = ENOSYS; + return -1; + #endif +} +#else +extern int memfd_create(const char *name, unsigned int flags); +#endif + char *lxchook_names[NUM_LXC_HOOKS] = { "pre-start", "pre-mount", "mount", "autodev", "start", "stop", "post-stop", "clone", "destroy" }; 
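Review bot: The fallback `memfd_create()` embeds a per-architecture syscall number table with no comment saying when it is used or what happens on an architecture that is not listed. I would add above the function: `/* Used only when libc lacks memfd_create(). The numbers cover headers without __NR_memfd_create; unlisted architectures return ENOSYS and make_anonymous_mount_file() falls back to tmpfile(). */`. As a style point, the `#define __NR_memfd_create` lines sit indented inside the function body but are still file-scope macros, so hoisting the table above the function would read more honestly.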
@@ -1950,34 +2002,53 @@ static int setup_mount(const struct lxc_rootfs *rootfs, const char *fstab, return ret; } -FILE *write_mount_file(struct lxc_list *mount) +FILE *make_anonymous_mount_file(struct lxc_list *mount) { - FILE *file; - struct lxc_list *iterator; + int ret; char *mount_entry; + struct lxc_list *iterator; + FILE *file; + int fd = -1; + + fd = memfd_create("lxc_mount_file", MFD_CLOEXEC); + if (fd < 0) { + if (errno != ENOSYS) + return NULL; + file = tmpfile(); + } else { + file = fdopen(fd, "r+"); + } - file = tmpfile(); if (!file) { - ERROR("Could not create temporary file: %s.", strerror(errno)); + if (fd != -1) + close(fd); + ERROR("Could not create mount entry file: %s.", strerror(errno)); return NULL; } lxc_list_for_each(iterator, mount) { mount_entry = iterator->elem; - fprintf(file, "%s\n", mount_entry); + ret = fprintf(file, "%s\n", mount_entry); + if (ret < strlen(mount_entry)) + WARN("Could not write mount entry to anonymous mount file."); + } + + if (fseek(file, 0, SEEK_SET) < 0) { + fclose(file); + return NULL; } - rewind(file); return file; } -static int setup_mount_entries(const struct lxc_rootfs *rootfs, struct lxc_list *mount, - const char *lxc_name, const char *lxc_path) +static int setup_mount_entries(const struct lxc_rootfs *rootfs, + struct lxc_list *mount, const char *lxc_name, + const char *lxc_path) { FILE *file; int ret; - file = write_mount_file(mount); + file = make_anonymous_mount_file(mount); if (!file) return -1; diff --git a/src/lxc/conf.h b/src/lxc/conf.h index ae29d4210..b7d15cbd2 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h 
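Review bot: The write check `if (ret < strlen(mount_entry))` in make_anonymous_mount_file() compares an `int` with a `size_t`, so a negative return from fprintf() is converted to a large unsigned value and the warning never fires on a write error. Even when the check does trigger, the function only warns and returns a file that is missing entries, so setup_mount_entries() could proceed without some of the configured mounts; failing closed looks safer here. I would log with ERROR and then use `if (ret < 0 || (size_t)ret != strlen(mount_entry) + 1) { fclose(file); return NULL; }`. Separately, the `errno != ENOSYS` return and the fseek() failure path return NULL without logging, and `close(fd)` runs before `strerror(errno)`, so the reported error may not be the one from fdopen().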
@@ -452,6 +452,6 @@ extern int parse_mntopts(const char *mntopts, unsigned long *mntflags, extern void tmp_proc_unmount(struct lxc_conf *lxc_conf); void remount_all_slave(void); extern void suggest_default_idmap(void); -FILE *write_mount_file(struct lxc_list *mount); +FILE *make_anonymous_mount_file(struct lxc_list *mount); struct lxc_list *sort_cgroup_settings(struct lxc_list* cgroup_settings); #endif diff --git a/src/lxc/criu.c b/src/lxc/criu.c index 50a74000d..125e67428 100644 --- a/src/lxc/criu.c +++ b/src/lxc/criu.c @@ -330,7 +330,7 @@ static void exec_criu(struct criu_opts *opts) DECLARE_ARG(opts->user->action_script); } - mnts = write_mount_file(&opts->c->lxc_conf->mount_list); + mnts = make_anonymous_mount_file(&opts->c->lxc_conf->mount_list); if (!mnts) goto err;