diff --git a/etc/systemd/system/drone.service b/etc/systemd/system/drone.service
index 85cc514..ffd91af 100644
--- a/etc/systemd/system/drone.service
+++ b/etc/systemd/system/drone.service
@@ -16,6 +16,9 @@ IOSchedulingClass=1
 IOSchedulingPriority=0
 
 CapabilityBoundingSet=
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_AUDIT_*
+
+SystemCallFilter=~memfd_create @reboot @swap @resources @cpu-emulation @debug @module @clock @raw-io @obsolete
 # ProtectProc=invisible
 ProtectHome=true
 RestrictNamespaces=uts ipc pid user cgroup