diff --git a/libc/mem/unveil.c b/libc/mem/unveil.c
index 022ee615b..a2ffbb61b 100644
--- a/libc/mem/unveil.c
+++ b/libc/mem/unveil.c
@@ -25,12 +25,14 @@
 #include "libc/calls/syscall-sysv.internal.h"
 #include "libc/calls/syscall_support-sysv.internal.h"
 #include "libc/errno.h"
+#include "libc/intrin/kprintf.h"
 #include "libc/mem/mem.h"
 #include "libc/nexgen32e/threaded.h"
 #include "libc/runtime/internal.h"
 #include "libc/str/str.h"
 #include "libc/sysv/consts/at.h"
 #include "libc/sysv/consts/f.h"
+#include "libc/sysv/consts/fd.h"
 #include "libc/sysv/consts/o.h"
 #include "libc/sysv/consts/pr.h"
 #include "libc/sysv/consts/s.h"
@@ -90,7 +92,8 @@ static int err_close(int rc, int fd) {
 
 static int unveil_init(void) {
   int rc, fd;
-  if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) < 0) {
+  if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) <
+      0) {
     if (errno == EOPNOTSUPP) errno = ENOSYS;
     return -1;
   }
@@ -98,10 +101,16 @@ static int unveil_init(void) {
   const struct landlock_ruleset_attr attr = {
       .handled_access_fs = State.fs_mask,
   };
+  // [undocumented] landlock_create_ruleset() always returns o_cloexec
+  //                assert(__sys_fcntl(rc, F_GETFD, 0) == FD_CLOEXEC);
   if ((rc = landlock_create_ruleset(&attr, sizeof(attr), 0)) < 0) return -1;
   // grant file descriptor a higher number that's less likely to interfere
-  if ((fd = __sys_fcntl(rc, F_DUPFD, 100)) == -1) return err_close(-1, rc);
-  if (sys_close(rc) == -1) return err_close(-1, fd);
+  if ((fd = __sys_fcntl(rc, F_DUPFD_CLOEXEC, 100)) == -1) {
+    return err_close(-1, rc);
+  }
+  if (sys_close(rc) == -1) {
+    return err_close(-1, fd);
+  }
   State.fd = fd;
   return 0;
 }
diff --git a/libc/sysv/consts.sh b/libc/sysv/consts.sh
index eb40b3872..33e9a1ca3 100755
--- a/libc/sysv/consts.sh
+++ b/libc/sysv/consts.sh
@@ -355,7 +355,7 @@ syscon	fcntl2	F_GETOWN				9			5			5			5			5			0			# bsd consensus
 syscon	fcntl2	F_FULLFSYNC				0			51			0			0			0			0			#
 syscon	fcntl2	F_NOCACHE				0			48			0			0			0			0			#
 syscon	fcntl3	FD_CLOEXEC				1			1			1			1			1			1			# unix consensus & faked nt
-syscon	fcntl	F_DUPFD_CLOEXEC				0x0406			67			17			10			12			0x0406			# faked nt
+syscon	fcntl	F_DUPFD_CLOEXEC				0x0406			67			17			10			12			0x0406			# Linux 2.6.24+; faked nt
 syscon	fcntl	F_MAXFD					0			0			0			0			11			0			#
 syscon	fcntl	FREAD					0			1			1			1			1			0			#
 syscon	fcntl	FWRITE					0			2			2			2			2			0			#