diff --git a/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin
index 38a12d4e00..7f70cd945e 100644
Binary files a/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin and b/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin differ
diff --git a/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin
index 0264978c1d..5bb506b934 100644
Binary files a/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin and b/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin differ
diff --git a/tool/seccomp/.gitignore b/tool/seccomp/.gitignore
new file mode 100644
index 0000000000..b9659241aa
--- /dev/null
+++ b/tool/seccomp/.gitignore
@@ -0,0 +1,3 @@
+/seccomp_bpf_policy_arm.bin
+/seccomp_bpf_policy_x86_32.bin
+/seccomp_bpf_policy_x86_64.bin
diff --git a/tool/seccomp/Makefile b/tool/seccomp/Makefile
index f996bc2362..15f213cb27 100644
--- a/tool/seccomp/Makefile
+++ b/tool/seccomp/Makefile
@@ -5,9 +5,11 @@ seccomp_bpf_filters: seccomp_bpf_policy_x86_32.bin seccomp_bpf_policy_x86_64.bin
 seccomp_bpf_policy_%.bin: seccomp_bpf_compiler_%.prg
 	./$< > $@
 
-seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc
+seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc seccomp_bpf_compiler.h
 	@g++ $< -o $@ -lseccomp
 
 clean:
 	@rm seccomp_bpf_policy_*.bin 2> /dev/null; true
 	@rm seccomp_bpf_compiler_*.prg 2> /dev/null; true
+
+.PHONY: seccomp_bpf_filters
diff --git a/tool/seccomp/seccomp_bpf_compiler.h b/tool/seccomp/seccomp_bpf_compiler.h
index c666547c16..0f9e06c39e 100644
--- a/tool/seccomp/seccomp_bpf_compiler.h
+++ b/tool/seccomp/seccomp_bpf_compiler.h
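Review bot: The policy rule `./$< > $@` (context line of the Makefile hunk) truncates the target before the compiler runs, so if `seccomp_bpf_compiler_%.prg` fails — the header visibly aborts via `throw -104` — make reports the error but leaves an empty or partial `seccomp_bpf_policy_*.bin` that the next `make` treats as up to date; since these are the filter blobs that end up in base-linux (the two binary diffs in this commit appear to be exactly those), an empty BPF program is a bad artefact to ship silently. Either write through a temporary, `./$< > $@.tmp && mv $@.tmp $@`, or add `.DELETE_ON_ERROR:` at the top of the Makefile. While adding `.PHONY`, `clean` belongs there too: `.PHONY: seccomp_bpf_filters clean`.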
@@ -140,6 +140,9 @@ class Filter
 				/* The nmap syscall has a different name on different architectures
 				 * but it slould be save as it only uses an already open socket. */
 				_add_allow_rule(SCMP_SYS(mmap2));
+
+				/* returning from signal handlers is safe */
+				_add_allow_rule(SCMP_SYS(sigreturn));
 			}
 			break;
 		case SCMP_ARCH_X86_64:
@@ -158,6 +161,9 @@ class Filter
 				/* The nmap syscall has a different name on different architectures
 				 * but it slould be save as it only uses an already open socket. */
 				_add_allow_rule(SCMP_SYS(mmap));
+
+				/* returning from signal handlers is safe */
+				_add_allow_rule(SCMP_SYS(rt_sigreturn));
 			}
 			break;
 		case SCMP_ARCH_ARM:
@@ -180,7 +186,7 @@ class Filter
 				/* This syscall is only used on ARM. */
 				_add_allow_rule(SCMP_SYS(cacheflush));
 
-				/* This syscall is only used on ARM. */
+				/* returning from signal handlers is safe */
 				_add_allow_rule(SCMP_SYS(sigreturn));
 			}
 			break;
@@ -189,7 +195,7 @@ class Filter
 			throw -104;
 		}
 
-		// build and export
+		/* build and export */
 		seccomp_export_bpf(_ctx, 1);
 		return 0;
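Review bot: The first hunk (the `mmap2` case preceding `case SCMP_ARCH_X86_64:`, presumably x86_32) allows only `sigreturn`, but on i386 the kernel returns from a handler through `rt_sigreturn` whenever that handler was installed with SA_SIGINFO (the rt frame), so such a handler would be killed by the filter on its return path rather than on entry. The ARM case in the third hunk has the same split between `sigreturn` and `rt_sigreturn`. Unless base-linux is known never to register a handler with SA_SIGINFO, add `_add_allow_rule(SCMP_SYS(rt_sigreturn));` beside the `sigreturn` rule in both cases, or record the assumption in the new comment: `/* returning from signal handlers is safe; rt_sigreturn is omitted because no handler is installed with SA_SIGINFO */`. The method that holds these switch cases starts before the first hunk and ends after the last.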