=== modified file 'mandos.service'
--- mandos.service 2015-08-10 16:19:28 +0000
+++ mandos.service 2016-03-04 22:07:35 +0000
@@ -21,6 +21,13 @@
 ## bind() on the socket, and also won't announce the ZeroConf service.
 #ExecStart=/usr/sbin/mandos --foreground --socket=0
 #StandardInput=socket
+# Restrict what the Mandos daemon can do. Note that this also affects
+# "checker" programs!
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+CapabilityBoundingSet=CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_RAW
 [Install]
 WantedBy=multi-user.target
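Review bot: The bounding set on the last added line retains CAP_SETUID but not CAP_SETGID, so if the daemon drops privileges by calling setgid() before setuid(), the setgid() call will fail with EPERM under this unit and the outcome depends on how that error is handled; please verify the daemon's privilege-drop path and, if it changes group, use `CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_NET_RAW`. The comment above the directives says the restrictions also apply to checker programs but not what that means in practice; it would help operators to add `# ProtectSystem=full/ProtectHome=yes also make /usr, /boot, /etc read-only and /home inaccessible to checkers,` and `# and checkers only get the capabilities listed below (CAP_NET_RAW is what an ICMP-based checker needs).` A one-line justification per retained capability (why CAP_SETUID and CAP_DAC_OVERRIDE are needed by the daemon itself) would make later tightening of the set safer. The [Service] section these directives belong to starts outside the hunk.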