1 files changed, 14 insertions, 1 deletions
diff --git a/src/pseccomp.c b/src/pseccomp.c
index 07f4152..a08bc11 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -15,11 +15,14 @@
 static int pseccomp_using_valgrind(void);
 
 static const int minimum_disabled_syscalls[] = {
+    SCMP_SYS(reboot),
     SCMP_SYS(mount),
     SCMP_SYS(umount), SCMP_SYS(umount2),
     SCMP_SYS(ptrace),
     SCMP_SYS(kexec_load),
+    SCMP_SYS(kexec_file_load),
     SCMP_SYS(open_by_handle_at),
+    SCMP_SYS(create_module),
     SCMP_SYS(init_module),
     SCMP_SYS(finit_module),
     SCMP_SYS(delete_module),
@@ -28,10 +31,19 @@ static const int minimum_disabled_syscalls[] = {
     SCMP_SYS(swapoff),
     SCMP_SYS(syslog),
     SCMP_SYS(nice),
-    SCMP_SYS(kcmp)
+    SCMP_SYS(kcmp),
+    SCMP_SYS(unshare),
+    SCMP_SYS(setns),
+    SCMP_SYS(pivot_root),
+    SCMP_SYS(chroot),
+    SCMP_SYS(fchdir),
+    SCMP_SYS(capset),
+    SCMP_SYS(mknod),
+    SCMP_SYS(mknodat)
 };
 
 static const int default_allowed_syscalls[] = {
+    SCMP_SYS(restart_syscall),
     SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
     SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
     SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
@@ -83,6 +95,7 @@ static const int protocol_disabled_syscalls[] = {
 };
 
 static const int jail_allowed_syscalls[] = {
+    SCMP_SYS(restart_syscall),
     SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
     SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
     SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),