diff --git a/src/sandbox/seccomp.cpp b/src/sandbox/seccomp.cpp
index d86d571..ff0a5c9 100644
--- a/src/sandbox/seccomp.cpp
+++ b/src/sandbox/seccomp.cpp
@@ -52,12 +52,30 @@ static inline int seccomp(unsigned int operation, unsigned int flags, void *args
 #define KILL_PROCESS \
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
 
+/*
+ * The main supported configuration is Linux on x86_64 with either glibc or
+ * musl-libc, with secondary support for Linux on the Raspberry Pi (ARM).
+ *
+ * Syscalls marked with "maybe" don't seem to be used in the default
+ * configuration, but should probably be whitelisted anyway.
+ *
+ * Syscalls marked with "musl-libc", "raspi" or "alt DB" were observed to be
+ * necessary on that configuration, but are probably neccessary in other
+ * configurations as well. ("alt DB" represents libsqlite compiled with
+ * different options.)
+ *
+ * Syscalls marked "vdso" aren't normally caught by seccomp because they are
+ * implemented in the vdso(7) in most configurations, but it's still prudent
+ * to whitelist them here.
+ */
 static sock_filter filter[] = {
     VALIDATE_ARCHITECTURE,
     EXAMINE_SYSCALL,
 
     // memory management
+#ifdef __NR_mmap
     ALLOW_SYSCALL(mmap),
+#endif
     ALLOW_SYSCALL(munmap),
     ALLOW_SYSCALL(mprotect),
     ALLOW_SYSCALL(madvise),
@@ -74,19 +92,25 @@ static sock_filter filter[] = {
     ALLOW_SYSCALL(fsync), // maybe
     ALLOW_SYSCALL(creat), // maybe; for DB journal
     ALLOW_SYSCALL(unlink), // for DB journal
+    ALLOW_SYSCALL(lseek), // musl-libc; alt DB
 
     // more IO
     ALLOW_SYSCALL(pread64),
     ALLOW_SYSCALL(pwrite64),
     ALLOW_SYSCALL(fdatasync),
+    ALLOW_SYSCALL(writev), // musl-libc
+    ALLOW_SYSCALL(preadv), // maybe; alt-DB
+    ALLOW_SYSCALL(preadv2), // maybe
 
-    // misc libc things
+    // misc syscalls called from libc
     ALLOW_SYSCALL(getcwd),
     ALLOW_SYSCALL(getpid),
     ALLOW_SYSCALL(geteuid),
+    ALLOW_SYSCALL(ioctl), // musl-libc
     ALLOW_SYSCALL(fcntl),
     ALLOW_SYSCALL(exit),
     ALLOW_SYSCALL(exit_group),
+    ALLOW_SYSCALL(rt_sigprocmask), // musl-libc
 
     // threading
     ALLOW_SYSCALL(futex),
@@ -99,6 +123,46 @@ static sock_filter filter[] = {
     ALLOW_SYSCALL(recvfrom),
     ALLOW_SYSCALL(shutdown),
 
+    // vdso
+    ALLOW_SYSCALL(clock_gettime),
+    ALLOW_SYSCALL(gettimeofday),
+#ifdef __NR_time
+    ALLOW_SYSCALL(time),
+#endif
+    ALLOW_SYSCALL(rt_sigreturn),
+
+    // Raspberry Pi (ARM)
+#ifdef __NR_set_robust_list
+    ALLOW_SYSCALL(set_robust_list),
+#endif
+#ifdef __NR_clock_gettime64
+    ALLOW_SYSCALL(clock_gettime64),
+#endif
+#ifdef __NR_mmap2
+    ALLOW_SYSCALL(mmap2),
+#endif
+#ifdef __NR_fcntl64
+    ALLOW_SYSCALL(fcntl64),
+#endif
+#ifdef __NR_stat64
+    ALLOW_SYSCALL(stat64),
+#endif
+#ifdef __NR_send
+    ALLOW_SYSCALL(send),
+#endif
+#ifdef __NR_recv
+    ALLOW_SYSCALL(recv),
+#endif
+#ifdef __NR_fstat64
+    ALLOW_SYSCALL(fstat64),
+#endif
+#ifdef __NR_geteuid32
+    ALLOW_SYSCALL(geteuid32),
+#endif
+#ifdef __NR_sigreturn
+    ALLOW_SYSCALL(sigreturn), // vdso
+#endif
+
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
 };