caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp !chroot