From cf0701eff0f3b06e0324be07f7810cbaf261f7f3 Mon Sep 17 00:00:00 2001
From: Philipp Stephani
Date: Sun, 11 Apr 2021 21:14:09 +0200
Subject: [PATCH] * lib-src/seccomp-filter.c (main): Also allow O_NOFOLLOW.
---
 lib-src/seccomp-filter.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c
index 9d25a5fe142..a5f2e0adbca 100644
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -241,12 +241,12 @@ main (int argc, char **argv)
 RULE (SCMP_ACT_ALLOW, SCMP_SYS (open),
 SCMP_A1_32 (SCMP_CMP_MASKED_EQ,
 ~(O_RDONLY | O_BINARY | O_CLOEXEC | O_PATH
- | O_DIRECTORY),
+ | O_DIRECTORY | O_NOFOLLOW),
 0));
 RULE (SCMP_ACT_ALLOW, SCMP_SYS (openat),
 SCMP_A2_32 (SCMP_CMP_MASKED_EQ,
 ~(O_RDONLY | O_BINARY | O_CLOEXEC | O_PATH
- | O_DIRECTORY),
+ | O_DIRECTORY | O_NOFOLLOW),
 0));
 
 /* Allow `tcgetpgrp'. */
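Review bot: The allowed-flag list is now maintained by hand in two places, the `open` rule (argument 1) and the `openat` rule (argument 2), so a later edit that touches only one of them would silently make the two syscalls disagree about what the sandbox permits. Consider defining the set once before both rules, e.g. `int allowed_open_flags = O_RDONLY | O_BINARY | O_CLOEXEC | O_PATH | O_DIRECTORY | O_NOFOLLOW;`, and passing `~allowed_open_flags` as the mask in each. A short comment such as `/* Allow-list: any flag bit outside this set (write access, O_CREAT, O_TRUNC, ...) fails the masked comparison.  O_NOFOLLOW only narrows path resolution. */` would also record why the addition is safe; the commit message does not say which caller needs it. `main` begins and ends outside this hunk, so an existing comment above these rules may already cover part of this.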