Harden systemd services with this step-by-step guide to gather the right information to define sandboxing features and secure and protect resources from misuse.
Seccomp
Articles about Seccomp
Firejail is a tool to sandbox applications and restrict what they can do. It is a useful tool to limit the risk of privilege escalation and exploits.
Seccomp, or secure computing, is a security measure in the Linux kernel that allows processes to protect themselves against unexpected or unwanted behavior.
Harden system and user services by defining whether they are allowed to use specific syscalls or syscall groups, using the systemd unit setting SystemCallFilter.
Learn more about the system calls (syscalls) that systemd may use in commands and unit files, such as with the SystemCallFilter property.