diff --git a/fs_mgr/fs_mgr.c b/fs_mgr/fs_mgr.c
index a1391e045..f9a6ba24e 100644
--- a/fs_mgr/fs_mgr.c
+++ b/fs_mgr/fs_mgr.c
@@ -185,19 +185,22 @@ static void remove_trailing_slashes(char *n)
  * Mark the given block device as read-only, using the BLKROSET ioctl.
  * Return 0 on success, and -1 on error.
  */
-static void fs_set_blk_ro(const char *blockdev)
+int fs_mgr_set_blk_ro(const char *blockdev)
 {
     int fd;
+    int rc = -1;
     int ON = 1;
 
-    fd = open(blockdev, O_RDONLY);
+    fd = TEMP_FAILURE_RETRY(open(blockdev, O_RDONLY | O_CLOEXEC));
     if (fd < 0) {
         // should never happen
-        return;
+        return rc;
     }
 
-    ioctl(fd, BLKROSET, &ON);
-    close(fd);
+    rc = ioctl(fd, BLKROSET, &ON);
+    TEMP_FAILURE_RETRY(close(fd));
+
+    return rc;
 }
 
 /*
@@ -223,7 +226,7 @@ static int __mount(const char *source, const char *target, const struct fstab_re
     save_errno = errno;
     INFO("%s(source=%s,target=%s,type=%s)=%d\n", __func__, source, target, rec->fs_type, ret);
     if ((ret == 0) && (mountflags & MS_RDONLY) != 0) {
-        fs_set_blk_ro(source);
+        fs_mgr_set_blk_ro(source);
     }
     errno = save_errno;
     return ret;
diff --git a/fs_mgr/fs_mgr_priv.h b/fs_mgr/fs_mgr_priv.h
index 4ba6f92bc..88a104088 100644
--- a/fs_mgr/fs_mgr_priv.h
+++ b/fs_mgr/fs_mgr_priv.h
@@ -79,5 +79,7 @@
 
 #define DM_BUF_SIZE 4096
 
+int fs_mgr_set_blk_ro(const char *blockdev);
+
 #endif /* __CORE_FS_MGR_PRIV_H */
 
diff --git a/fs_mgr/fs_mgr_verity.c b/fs_mgr/fs_mgr_verity.c
index 4683acb50..db63bcc1c 100644
--- a/fs_mgr/fs_mgr_verity.c
+++ b/fs_mgr/fs_mgr_verity.c
@@ -442,6 +442,9 @@ int fs_mgr_setup_verity(struct fstab_rec *fstab) {
         goto out;
     }
 
+    // mark the underlying block device as read-only
+    fs_mgr_set_blk_ro(fstab->blk_device);
+
     // assign the new verity block device as the block device
     free(fstab->blk_device);
     fstab->blk_device = verity_blk_name;