Add RestrictAddressFamilies and SystemCallFilter

conf/systemd.service

@@ -16,6 +16,7 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 DevicePolicy=closed
@@ -24,7 +25,7 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 LockPersonality=yes
-
+SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
 
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html