diff --git a/conf.c b/conf.c
index ac81c15..d936157 100644
--- a/conf.c
+++ b/conf.c
@@ -562,18 +562,14 @@ static int conf_ns_opt(struct ctx *c,
 continue;
 }
- /* Don't pass O_CLOEXEC here: ns_enter() needs those files */
 if (!c->netns_only) {
 if (*conf_userns)
- /* NOLINTNEXTLINE(android-cloexec-open) */
- ufd = open(conf_userns, O_RDONLY);
+ ufd = open(conf_userns, O_RDONLY | O_CLOEXEC);
 else if (*userns)
- /* NOLINTNEXTLINE(android-cloexec-open) */
- ufd = open(userns, O_RDONLY);
+ ufd = open(userns, O_RDONLY | O_CLOEXEC);
 }
- /* NOLINTNEXTLINE(android-cloexec-open) */
- nfd = open(netns, O_RDONLY);
+ nfd = open(netns, O_RDONLY | O_CLOEXEC);
 if (nfd == -1 || (ufd == -1 && !c->netns_only)) {
 if (nfd >= 0)
diff --git a/passt.c b/passt.c
index 0113002..bbf53d9 100644
--- a/passt.c
+++ b/passt.c
@@ -329,8 +329,7 @@ int main(int argc, char **argv)
 __setlogmask(LOG_MASK(LOG_EMERG));
- /* NOLINTNEXTLINE(android-cloexec-epoll-create1): forking in a moment */
- c.epollfd = epoll_create1(0);
+ c.epollfd = epoll_create1(EPOLL_CLOEXEC);
 if (c.epollfd == -1) {
 perror("epoll_create1");
 exit(EXIT_FAILURE);
@@ -381,8 +380,7 @@ int main(int argc, char **argv)
 pcap_init(&c);
 if (!c.foreground) {
- /* NOLINTNEXTLINE(android-cloexec-open): see __daemon() */
- if ((devnull_fd = open("/dev/null", O_RDWR)) < 0) {
+ if ((devnull_fd = open("/dev/null", O_RDWR | O_CLOEXEC)) < 0) {
 perror("/dev/null open");
 exit(EXIT_FAILURE);
 }
diff --git a/pasta.c b/pasta.c
index 5a78065..830748f 100644
--- a/pasta.c
+++ b/pasta.c
@@ -223,7 +223,7 @@ void pasta_ns_conf(struct ctx *c)
 */
 int pasta_netns_quit_init(struct ctx *c)
 {
- int flags = O_NONBLOCK | (c->foreground ? O_CLOEXEC : 0);
+ int flags = O_NONBLOCK | O_CLOEXEC;
 struct epoll_event ev = { .events = EPOLLIN };
 int inotify_fd;
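Review bot: The three open() calls in conf_ns_opt() now pass O_CLOEXEC, but the removed comment stated that ns_enter() needs these descriptors, and nothing replaces it, so the reason the flag is now safe is undocumented. If ns_enter() only uses them in this process or in forked/cloned children with no exec in between (not visible in this hunk), record that where the fds are opened, for example `/* O_CLOEXEC: used by ns_enter() without an exec; keeps namespace fds out of spawned commands */`. The same gap is left by the dropped `see __daemon()` remark on the /dev/null open in passt.c. conf_ns_opt() starts and ends outside the hunk.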
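Review bot: `flags` in pasta_netns_quit_init() is built from open(2) constants, while the neighbouring `int inotify_fd;` suggests it is passed to inotify_init1(), whose documented flags are IN_NONBLOCK and IN_CLOEXEC. If that is where it ends up, `int flags = IN_NONBLOCK | IN_CLOEXEC;` states the intent directly instead of relying on the two sets of constants having the same values. The function comment that closes just above the signature is outside the hunk; if it describes the old foreground-dependent close-on-exec behaviour, it needs updating together with this line. The function body continues past the hunk.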