Diffstat (limited to 'src')
-rw-r--r-- | src/options.c | 37 | ||||
-rw-r--r-- | src/pseccomp.c | 15 |
2 files changed, 50 insertions, 2 deletions
diff --git a/src/options.c b/src/options.c
index 0f23f4d..a9b96f7 100644
--- a/src/options.c
+++ b/src/options.c
@@ -10,6 +10,9 @@
 #include <string.h>
 #include <assert.h>
 #include <getopt.h>
+#include <linux/limits.h>
+#include <libgen.h>
+#include <errno.h>
 #include "options.h"
@@ -99,6 +102,37 @@ static size_t snprint_multilined_ljust(const char *prefix,
 static void usage(const char *arg0, int print_copyright);
+static int parse_path(opt_ptr *d, char *some_path)
+{
+ int rc = 1;
+ char path[PATH_MAX];
+ char *dir, *base;
+
+ d->str_dup = realpath(some_path, NULL);
+ if (!d->str_dup && errno == ENOENT) {
+ snprintf(path, sizeof path, "%s", some_path);
+ dir = dirname(path);
+ if (!dir)
+ return 1;
+ dir = realpath(dir, NULL);
+ if (!dir)
+ return 1;
+ snprintf(path, sizeof path, "%s", some_path);
+ base = basename(path);
+ if (!base)
+ goto error;
+ snprintf(path, sizeof path, "%s/%s", dir, base);
+ d->str_dup = strndup(path, strnlen(path, sizeof path));
+error:
+ free(dir);
+ }
+
+ if (d->str_dup)
+ rc = 0;
+
+ return rc;
+}
+
 static int opt_convert(opt_type t, opt_ptr *d)
 {
 char *endptr = NULL;
@@ -114,7 +148,8 @@ static int opt_convert(opt_type t, opt_ptr *d)
 d->str_dup = strdup(optarg);
 break;
 case OT_PATH:
- d->str_dup = realpath(optarg, NULL);
+ if (parse_path(d, optarg))
+ return 1;
 break;
 case OT_NOARG:
 case OT_INVALID:
diff --git a/src/pseccomp.c b/src/pseccomp.c
index 07f4152..a08bc11 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -15,11 +15,14 @@ static int pseccomp_using_valgrind(void);
 static const int minimum_disabled_syscalls[] = {
+ SCMP_SYS(reboot),
 SCMP_SYS(mount), SCMP_SYS(umount), SCMP_SYS(umount2), SCMP_SYS(ptrace), SCMP_SYS(kexec_load),
+ SCMP_SYS(kexec_file_load),
 SCMP_SYS(open_by_handle_at),
+ SCMP_SYS(create_module),
 SCMP_SYS(init_module), SCMP_SYS(finit_module), SCMP_SYS(delete_module),
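Review bot: The `snprintf(path, sizeof path, "%s/%s", dir, base)` that joins the canonical directory with the final component in parse_path never checks its return value, so when the canonical directory plus the basename is PATH_MAX or longer the truncated string is silently accepted and stored in `d->str_dup` as a different path than the one the user gave; the two earlier copies of `some_path` into `path` follow the same unchecked pattern and would hand dirname()/basename() a cut-off name. Checking the length closes this: `if (snprintf(path, sizeof path, "%s/%s", dir, base) >= (int)sizeof path)` followed by `goto error;`, and the two `"%s"` copies can fail the same way with `return 1;`. A smaller point: when `dir` canonicalises to `/` the result is `//base`, which Linux treats as `/base` but which will not compare equal as a string if the value is ever checked that way. parse_path is complete within the hunk; its caller opt_convert starts and ends outside it.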
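Review bot: `SCMP_SYS(create_module)` and `SCMP_SYS(kexec_file_load)` in minimum_disabled_syscalls are not defined on every architecture libseccomp supports (create_module is a long-removed legacy call and kexec_file_load is missing on several 32-bit targets), so on those builds the macro expands to a negative pseudo-number and, depending on the libseccomp version, the seccomp_rule_add() for that entry may fail with -EDOM instead of being skipped; `SCMP_SYS(mknod)` in the next hunk has the same exposure on aarch64, which only provides mknodat. The loop that installs this list is outside the hunk, so I cannot see whether a per-entry failure aborts filter loading or is ignored; if it aborts, the whole deny list is lost on exactly those platforms. Either tolerate -EDOM for entries of this list or guard the entries with `#ifdef __NR_create_module` style checks, and mark them with a comment such as `/* legacy or arch-specific: may be undefined on some targets */`.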
@@ -28,10 +31,19 @@ static const int minimum_disabled_syscalls[] = {
 SCMP_SYS(swapoff), SCMP_SYS(syslog), SCMP_SYS(nice),
- SCMP_SYS(kcmp)
+ SCMP_SYS(kcmp),
+ SCMP_SYS(unshare),
+ SCMP_SYS(setns),
+ SCMP_SYS(pivot_root),
+ SCMP_SYS(chroot),
+ SCMP_SYS(fchdir),
+ SCMP_SYS(capset),
+ SCMP_SYS(mknod),
+ SCMP_SYS(mknodat)
 };
 static const int default_allowed_syscalls[] = {
+ SCMP_SYS(restart_syscall),
 SCMP_SYS(signalfd), SCMP_SYS(signalfd4), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask), SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
@@ -83,6 +95,7 @@ static const int protocol_disabled_syscalls[] = {
 };
 static const int jail_allowed_syscalls[] = {
+ SCMP_SYS(restart_syscall),
 SCMP_SYS(signalfd), SCMP_SYS(signalfd4), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask), SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep), |
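Review bot: The `SCMP_SYS(restart_syscall)` entry added to default_allowed_syscalls (and again to jail_allowed_syscalls in the following hunk) is undocumented, and it is exactly the kind of entry a later cleanup will prune because nothing in the program calls it directly; the kernel issues restart_syscall on its own to resume an interrupted nanosleep/poll/futex wait after the process is stopped and continued, and denying it terminates the process at that moment. A comment on both entries would preserve the reasoning: `SCMP_SYS(restart_syscall), /* issued by the kernel to resume interrupted nanosleep/poll after SIGSTOP/SIGCONT; never called directly */`. Both allow-list arrays continue past their hunks.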