A general seccomp filter should be used with the Linux sandbox to block system calls which are generally not considered "safe" to be used by sandbox clients.

A good summary on some syscalls which fit this description can be found in docker's docs:
https://docs.docker.com/engine/security/seccomp/