diff --git a/common/pkg/timezone/timezone.go b/common/pkg/timezone/timezone.go
index 40333841e2..10a972355f 100644
--- a/common/pkg/timezone/timezone.go
+++ b/common/pkg/timezone/timezone.go
@@ -106,5 +106,5 @@ func copyTimezoneFile(containerRunDir, zonePath string) (string, error) {
 }
 func openDirectory(path string) (fd int, err error) {
- return unix.Open(path, unix.O_RDONLY|O_PATH|unix.O_CLOEXEC, 0)
+ return unix.Open(path, O_PATH|unix.O_CLOEXEC, 0)
 }
diff --git a/storage/drivers/overlay/overlay.go b/storage/drivers/overlay/overlay.go
index b12366852a..e7e6131dab 100644
--- a/storage/drivers/overlay/overlay.go
+++ b/storage/drivers/overlay/overlay.go
@@ -2057,17 +2057,27 @@ func (g *overlayFileGetter) Get(path string) (io.ReadCloser, error) {
 buf := make([]byte, unix.PathMax)
 for _, d := range g.diffDirs {
 if f, found := g.composefsMounts[d]; found {
- // there is no *at equivalent for getxattr, but it can be emulated by opening the file under /proc/self/fd/$FD/$PATH
- len, err := unix.Getxattr(fmt.Sprintf("/proc/self/fd/%d/%s", int(f.Fd()), path), "trusted.overlay.redirect", buf)
+ cfd, err := unix.Openat2(int(f.Fd()), path, &unix.OpenHow{
+ Flags: unix.O_CLOEXEC | unix.O_PATH,
+ Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_BENEATH,
+ })
+ if err != nil {
+ if errors.Is(err, unix.ENOENT) {
+ continue
+ }
+ return nil, &fs.PathError{Op: "openat2", Path: path, Err: err}
+ }
+ n, err := unix.Fgetxattr(cfd, "trusted.overlay.redirect", buf)
+ unix.Close(cfd)
 if err != nil {
 if errors.Is(err, unix.ENODATA) {
 continue
 }
- return nil, &fs.PathError{Op: "getxattr", Path: path, Err: err}
+ return nil, &fs.PathError{Op: "fgetxattr", Path: path, Err: err}
 }
 // the xattr value is the path to the file in the composefs layer diff directory
- return os.Open(filepath.Join(d, string(buf[:len])))
+ return os.Open(filepath.Join(d, string(buf[:n])))
 }
 f, err := os.Open(filepath.Join(d, path))
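Review bot: `openDirectory` in timezone.go opens `path` with `O_PATH|unix.O_CLOEXEC` only, so the call also succeeds when `path` names a regular file or another non-directory, and the mismatch presumably surfaces only at a later descriptor-relative call. Since the flag set is being edited anyway, adding `unix.O_DIRECTORY` makes the open fail with ENOTDIR up front: `return unix.Open(path, O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)`. The same applies to the `dirfd` opened for `dest` in `ApplyDiff` (storage/pkg/chunked/storage_linux.go), which looks like it serves as the root for later relative opens.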
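Review bot: In `overlayFileGetter.Get` (overlay.go) the confinement ends at the xattr read: the redirect value is still opened with `os.Open(filepath.Join(d, string(buf[:n])))`, which normalises the path lexically but neither keeps the result under `d` nor refuses symlinks. Whether that value can be influenced by layer content is not visible from this hunk; if it can, the joined path should be checked to stay under `d` (or resolved against a descriptor for `d` with `unix.Openat2`) before it is opened. Also, only `ENOENT` is treated as "not in this layer", so `ELOOP`/`EXDEV` from the new resolve flags and `ENOSYS` on kernels without openat2 now abort the whole lookup; if that is intended, say so above the check, e.g. `// any error other than ENOENT (symlink in path, escape attempt, no openat2) is fatal`. The loop and the function continue past the end of the hunk.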
diff --git a/storage/pkg/chunked/filesystem_linux.go b/storage/pkg/chunked/filesystem_linux.go
index ceba7d0f3d..152ffee392 100644
--- a/storage/pkg/chunked/filesystem_linux.go
+++ b/storage/pkg/chunked/filesystem_linux.go
@@ -510,7 +510,7 @@ func safeMkdir(dirfd int, mode os.FileMode, name string, metadata *fileMetadata,
 }
 func safeLink(dirfd int, mode os.FileMode, metadata *fileMetadata, options *archive.TarOptions) error {
- sourceFile, err := openFileUnderRoot(dirfd, metadata.Linkname, unix.O_PATH|unix.O_RDONLY|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+ sourceFile, err := openFileUnderRoot(dirfd, metadata.Linkname, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
 if err != nil {
 return err
 }
diff --git a/storage/pkg/chunked/storage_linux.go b/storage/pkg/chunked/storage_linux.go
index e42359d845..2cae973775 100644
--- a/storage/pkg/chunked/storage_linux.go
+++ b/storage/pkg/chunked/storage_linux.go
@@ -1549,7 +1549,7 @@ func (c *chunkedDiffer) ApplyDiff(dest string, options *archive.TarOptions, diff
 }
 }
- dirfd, err := unix.Open(dest, unix.O_RDONLY|unix.O_PATH|unix.O_CLOEXEC, 0)
+ dirfd, err := unix.Open(dest, unix.O_PATH|unix.O_CLOEXEC, 0)
 if err != nil {
 return output, &fs.PathError{Op: "open", Path: dest, Err: err}
 }