diff --git a/codex-rs/linux-sandbox/src/landlock.rs b/codex-rs/linux-sandbox/src/landlock.rs
index 485301179..d49491233 100644
--- a/codex-rs/linux-sandbox/src/landlock.rs
+++ b/codex-rs/linux-sandbox/src/landlock.rs
@@ -149,6 +149,9 @@ fn install_network_seccomp_filter_on_current_thread() -> std::result::Result<(),
     deny_syscall(libc::SYS_getsockopt);
     deny_syscall(libc::SYS_setsockopt);
     deny_syscall(libc::SYS_ptrace);
+    deny_syscall(libc::SYS_io_uring_setup);
+    deny_syscall(libc::SYS_io_uring_enter);
+    deny_syscall(libc::SYS_io_uring_register);
 
     // For `socket` we allow AF_UNIX (arg0 == AF_UNIX) and deny everything else.
     let unix_only_rule = SeccompRule::new(vec![SeccompCondition::new(