diff --git a/pkg/sentry/devices/tpuproxy/seccomp_filter.go b/pkg/sentry/devices/tpuproxy/seccomp_filter.go
index 0c53f27dca..696e20e70f 100644
--- a/pkg/sentry/devices/tpuproxy/seccomp_filter.go
+++ b/pkg/sentry/devices/tpuproxy/seccomp_filter.go
@@ -104,6 +104,10 @@ func Filters() seccomp.SyscallRules {
 seccomp.NonNegativeFD{},
 seccomp.EqualTo(linux.VFIO_SET_IOMMU),
 },
+ seccomp.PerArg{
+ seccomp.NonNegativeFD{},
+ seccomp.EqualTo(linux.VFIO_DEVICE_RESET),
+ },
 seccomp.PerArg{
 seccomp.NonNegativeFD{},
 seccomp.EqualTo(gasket.GASKET_IOCTL_RESET),
diff --git a/pkg/sentry/fsimpl/sys/pci.go b/pkg/sentry/fsimpl/sys/pci.go
index 5539f5f88f..f80a0acf06 100644
--- a/pkg/sentry/fsimpl/sys/pci.go
+++ b/pkg/sentry/fsimpl/sys/pci.go
@@ -71,7 +71,9 @@ func sysDevicesPCIPaths(sysDevicesPath string) ([]string, error) {
 return nil, err
 }
 for _, pciDent := range pciDents {
- pciPaths = append(pciPaths, path.Join(sysDevicesPath, dent, pciDent))
+ if pciDeviceRegex.MatchString(pciDent) {
+ pciPaths = append(pciPaths, path.Join(sysDevicesPath, dent, pciDent))
+ }
 }
 }
 }
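Review bot: The new `VFIO_DEVICE_RESET` entry widens the sentry's host ioctl allowlist with no comment saying which tpuproxy path issues it or why a reset is needed. Like the neighbouring entries, the rule pins only the fd sign and the request number, so the filter itself does not tie the request to a VFIO device fd. Any restriction on which fd receives it has to live in the sentry-side ioctl handler, which is not visible in this hunk and should be confirmed. I would add a comment above the entry along the lines of `// VFIO_DEVICE_RESET takes no argument, so only the FD and request number are constrained; issued on the VFIO device FD by the tpuproxy ioctl handler.` The body of `Filters` starts and ends outside the hunk.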
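Review bot: `pciDeviceRegex.MatchString(pciDent)` in the inner loop reports a match anywhere in the name, so the filter is only as strict as the pattern's anchoring. The definition of `pciDeviceRegex` is outside this hunk, so please confirm it is wrapped in `^…$`. Otherwise any host sysfs entry that merely contains a PCI-address-shaped substring is still added to `pciPaths` and exposed inside the sandbox. A short comment on the condition would also help, for example `// Only expose entries named like PCI device addresses; skip every other sysfs entry under the bus directory.` The body of `sysDevicesPCIPaths` starts outside the hunk.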