--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -802,19 +802,16 @@ public:
 
       // Rust's stdlib seems to use FIOCLEX instead of equivalent fcntls.
       return If(request == FIOCLEX, Allow())
         // Rust's stdlib also uses FIONBIO instead of equivalent fcntls.
         .ElseIf(request == FIONBIO, Allow())
         // ffmpeg, and anything else that calls isatty(), will be told
         // that nothing is a typewriter:
         .ElseIf(request == TCGETS, Error(ENOTTY))
-        // Bug 1408498: libgio uses FIONREAD on inotify fds.
-        // (We should stop using inotify: bug 1408497.)
-        .ElseIf(request == FIONREAD, Allow())
         // Allow anything that isn't a tty ioctl, for now; bug 1302711
         // will cover changing this to a default-deny policy.
         .ElseIf(shifted_type != kTtyIoctls, Allow())
         .Else(SandboxPolicyCommon::EvaluateSyscall(sysno));
     }
 #endif // !MOZ_ALSA
 
     CASES_FOR_fcntl: {
@@ -933,21 +930,24 @@ public:
     case __NR_wait4:
 #ifdef __NR_waitpid
     case __NR_waitpid:
 #endif
       // NSPR will start a thread to wait for child processes even if
       // fork() fails; see bug 227246 and bug 1299581.
       return Error(ECHILD);
 
-    case __NR_eventfd2:
+      // inotify_{add,rm}_watch take filesystem paths.  Pretend the
+      // kernel doesn't support inotify; note that this could make
+      // libgio attempt network connections for FAM.
     case __NR_inotify_init:
     case __NR_inotify_init1:
-    case __NR_inotify_add_watch:
-    case __NR_inotify_rm_watch:
+      return Error(ENOSYS);
+
+    case __NR_eventfd2:
       return Allow();
 
 #ifdef __NR_memfd_create
     case __NR_memfd_create:
       return Allow();
 #endif
 
 #ifdef __NR_rt_tgsigqueueinfo