This is a backport of https://gitlab.com/NTPsec/ntpsec/commit/eef92d6217da03ad2ae41e298d110bdb05031381

diff -Naur ntpsec-1.0.0.orig/ntpd/ntp_sandbox.c ntpsec-1.0.0/ntpd/ntp_sandbox.c
--- ntpsec-1.0.0.orig/ntpd/ntp_sandbox.c	2017-10-09 23:54:39.000000000 -0400
+++ ntpsec-1.0.0/ntpd/ntp_sandbox.c	2018-02-28 07:31:28.381406881 -0500
@@ -354,6 +354,10 @@
 	SCMP_SYS(write),
         SCMP_SYS(unlink),
 
+#ifdef ENABLE_EARLY_DROPROOT
+	SCMP_SYS(getdents),
+#endif
+
 #ifdef ENABLE_DNS_LOOKUP
 /* Don't comment out this block for testing.
  * pthread_create blocks signals so it will crash