diff --git a/debian/haveged.service b/debian/haveged.service
index 3ab94b0..4425c10 100644
--- a/debian/haveged.service
+++ b/debian/haveged.service
@@ -26,8 +26,9 @@ RestrictRealtime=true
 LockPersonality=true
 MemoryDenyWriteExecute=true
 SystemCallArchitectures=native
-SystemCallFilter=@basic-io @file-system @io-event @network-io @signal
-SystemCallFilter=arch_prctl brk ioctl mprotect sysinfo
+SystemCallFilter=@system-service
+SystemCallFilter=~@mount
+SystemCallErrorNumber=EPERM
 
 [Install]
 WantedBy=sysinit.target