Date: 2022mar4
OS: Linux
Q. Systemd: RestrictAddressFamilies=none / SystemCallFilter=none
A. The man page says you can do:
RestrictAddressFamilies=none
to disallow all network families, but I get an error for that
(at least in systemd 248).
But this works:
RestrictAddressFamilies=~AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
---
Similarly, I couldn't see a way to disable all system calls.
But then I read there are some that are always allowed.
So if you specify that only that list is allowed:
SystemCallFilter=@default
That is the most restricted list possible.
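Both directives together in one service unit, as an added example that is not part of the original note. The service name, description and binary path are placeholders, and it assumes a systemd where `RestrictAddressFamilies=none` is rejected, so the tilde denylist form is used instead; `@default` alone is the floor, and a real daemon adds the groups it actually needs on top.

```ini
# Added example, not from the original note. Placeholder service; the
# ExecStart path is hypothetical.
[Unit]
Description=Placeholder service with the most restrictive socket and syscall settings

[Service]
ExecStart=/usr/local/bin/example-daemon

# A leading "~" makes the list a denylist; without it the list is an
# allowlist. Denying every family the service could open a socket in is
# the working substitute for "none" on a systemd that rejects that value.
RestrictAddressFamilies=~AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET

# No leading "~", so this is an allowlist: only the @default group (the
# calls every process needs to start and exit) is permitted, everything
# else is refused. Extend it as the service really needs, for example:
#   SystemCallFilter=@default @basic-io @file-system @signal
# To see what a group contains:  systemd-analyze syscall-filter @default
SystemCallFilter=@default

# Default behaviour for a refused call is SIGSYS, which kills the process.
# Returning EPERM instead keeps the process alive so the failing call shows
# up as an ordinary error in its own logging while the filter is tuned.
SystemCallErrorNumber=EPERM

# Review the resulting exposure before enabling the unit:
#   systemd-analyze security example.service
```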