diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
index bba7b46..4ddf5f4 100644
--- a/src/seccomp/policy/DefaultPolicy.cc
+++ b/src/seccomp/policy/DefaultPolicy.cc
@@ -188,6 +188,14 @@ void DefaultPolicy::addFileSystemAccessRules(bool readOnly) {
                 "openat",
                 action::ActionAllow(),
                 (filter::SyscallArg(2) & (O_RDWR | O_WRONLY)) == 0));
+        rules_.emplace_back(SeccompRule(
+                "open",
+                action::ActionErrno(EROFS),
+                (filter::SyscallArg(1) & (O_RDONLY | O_PATH)) == 0));
+        rules_.emplace_back(SeccompRule(
+                "openat",
+                action::ActionErrno(EROFS),
+                (filter::SyscallArg(2) & (O_RDONLY | O_PATH)) == 0));
 
         for (const auto& syscall: {
                      "unlink",