Daniel Aleksandersen shows
how to sandbox a daemon process using a set of systemd features.
“These directives combined would have stopped the specific remote
code execution vulnerability that afflicted OpenSMTPD. However, the key
takeaway is that you should strive to sandbox long-running and
internet-exposed services. There’s no need for your webserver to be able to
load a kernel module, your email server to change the hostname, or your DNS
server to launch wget and schedule recurring tasks with cron.”
Source: LWN.net – Aleksandersen: Limit the impact of a security intrusion with systemd security directives
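As an added example (not the article's own unit file), the following drop-in override applies the kind of systemd directives the quote refers to: it denies module loading and hostname changes, gives the daemon a read-only view of the system, hides cron and the common download tools, and restricts the syscalls and socket families it may use. The unit name `mydaemon.service` and the paths are placeholders; the syscall and path settings assume a service that already runs as a dedicated non-root user.

```ini
# Added example, not the article's own configuration. Install as
# /etc/systemd/system/mydaemon.service.d/hardening.conf, then run
# `systemctl daemon-reload` and restart the service. "mydaemon" and the
# paths below are placeholders for your own daemon.
[Service]
# Keep only the capability a network daemon typically needs (binding a
# privileged port); AmbientCapabilities matters only when User= is non-root.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# The two examples from the quote: no kernel module loading, no hostname
# changes. Also make /proc/sys, /sys and the cgroup tree read-only.
ProtectKernelModules=yes
ProtectHostname=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

# Read-only OS; the daemon may write only to its own state directories
# (assumed here to be /var/lib/mydaemon and /var/spool/mydaemon).
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/mydaemon /var/spool/mydaemon
PrivateTmp=yes
PrivateDevices=yes

# No cron, no downloader: make the binaries invisible to the service.
# The leading "-" ignores paths that do not exist on this distribution.
InaccessiblePaths=-/usr/bin/crontab -/usr/bin/wget -/usr/bin/curl

# Only IPv4/IPv6 and Unix sockets; no raw, packet or netlink sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Allow-list of syscalls for ordinary services, minus privileged and
# resource-control groups. Return EPERM instead of killing the process so
# a blocked call is visible in the daemon's own log output.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# Block common post-exploitation moves: new namespaces, personality
# changes, writable+executable memory, realtime scheduling, setuid files.
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
```

After reloading, `systemd-analyze security mydaemon.service` lists each directive with its exposure contribution, which is the quickest way to confirm the drop-in took effect and to see what is still open.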