diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 1c3256a662..a39e800854 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1218,49 +1218,55 @@
             <tbody>
               <row>
                 <entry>@clock</entry>
-                <entry>System calls for changing the system clock (<function>adjtimex()</function>,
-                <function>settimeofday()</function>)</entry>
+                <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
+              </row>
+              <row>
+                <entry>@cpu-emulation</entry>
+                <entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
+              </row>
+              <row>
+                <entry>@debug</entry>
+                <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
               </row>
               <row>
                 <entry>@io-event</entry>
-                <entry>Event loop use (<function>poll()</function>, <function>select()</function>,
-                <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-                <function>eventfd()</function>...)</entry>
+                <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
               </row>
               <row>
                 <entry>@ipc</entry>
-                <entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-                <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
+                <entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
+              </row>
+              <row>
+                <entry>@keyring</entry>
+                <entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
               </row>
               <row>
                 <entry>@module</entry>
-                <entry>Kernel module control (<function>create_module()</function>, <function>init_module()</function>...)</entry>
+                <entry>Kernel module control (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
               </row>
               <row>
                 <entry>@mount</entry>
-                <entry>File system mounting and unmounting (<function>chroot()</function>, <function>mount()</function>...)</entry>
+                <entry>File system mounting and unmounting (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
               </row>
               <row>
                 <entry>@network-io</entry>
-                <entry>Socket I/O (including local AF_UNIX):
-                <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-                <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
+                <entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
               </row>
               <row>
                 <entry>@obsolete</entry>
-                <entry>Unusual, obsolete or unimplemented (<function>fattach()</function>, <function>gtty()</function>, <function>vm86()</function>...)</entry>
+                <entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
               </row>
               <row>
                 <entry>@privileged</entry>
-                <entry>All system calls which need superuser capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
+                <entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
               </row>
               <row>
                 <entry>@process</entry>
-                <entry>Process control, execution, namespaces (<function>execve()</function>, <function>kill()</function>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>...)</entry>
+                <entry>Process control, execution, namespaces (<citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry>
               </row>
               <row>
                 <entry>@raw-io</entry>
-                <entry>Raw I/O ports (<function>ioperm()</function>, <function>iopl()</function>, <function>pciconfig_read()</function>...)</entry>
+                <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …</entry>
               </row>
             </tbody>
           </tgroup>
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 30d22d2242..8656d112b8 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -95,7 +95,31 @@ const SystemCallFilterSet syscall_filter_sets[] = {
                 .set_name = "@clock",
                 .value =
                 "adjtimex\0"
+                "clock_adjtime\0"
+                "clock_settime\0"
                 "settimeofday\0"
+                "stime\0"
+        }, {
+                /* CPU emulation calls */
+                .set_name = "@cpu-emulation",
+                .value =
+                "modify_ldt\0"
+                "subpage_prot\0"
+                "switch_endian\0"
+                "vm86\0"
+                "vm86old\0"
+        }, {
+                /* Debugging/Performance Monitoring/Tracing */
+                .set_name = "@debug",
+                .value =
+                "lookup_dcookie\0"
+                "perf_event_open\0"
+                "process_vm_readv\0"
+                "process_vm_writev\0"
+                "ptrace\0"
+                "rtas\0"
+                "s390_runtime_instr\0"
+                "sys_debug_setcontext\0"
         }, {
                 /* Default list */
                 .set_name = "@default",
@@ -147,11 +171,17 @@ const SystemCallFilterSet syscall_filter_sets[] = {
                 "shmctl\0"
                 "shmdt\0"
                 "shmget\0"
+        }, {
+                /* Keyring */
+                .set_name = "@keyring",
+                .value =
+                "add_key\0"
+                "keyctl\0"
+                "request_key\0"
         }, {
                 /* Kernel module control */
                 .set_name = "@module",
                 .value =
-                "create_module\0"
                 "delete_module\0"
                 "finit_module\0"
                 "init_module\0"
@@ -197,40 +227,26 @@ const SystemCallFilterSet syscall_filter_sets[] = {
                 "_sysctl\0"
                 "afs_syscall\0"
                 "break\0"
-                "fattach\0"
-                "fdetach\0"
+                "create_module\0"
                 "ftime\0"
                 "get_kernel_syms\0"
-                "get_mempolicy\0"
-                "getmsg\0"
                 "getpmsg\0"
                 "gtty\0"
-                "isastream\0"
                 "lock\0"
-                "madvise1\0"
-                "modify_ldt\0"
                 "mpx\0"
-                "pciconfig_iobase\0"
-                "perf_event_open\0"
                 "prof\0"
                 "profil\0"
-                "putmsg\0"
                 "putpmsg\0"
                 "query_module\0"
-                "rtas\0"
-                "s390_runtime_instr\0"
                 "security\0"
                 "sgetmask\0"
                 "ssetmask\0"
                 "stty\0"
-                "subpage_prot\0"
-                "switch_endian\0"
-                "sys_debug_setcontext\0"
+                "sysfs\0"
                 "tuxcall\0"
                 "ulimit\0"
                 "uselib\0"
-                "vm86\0"
-                "vm86old\0"
+                "ustat\0"
                 "vserver\0"
         }, {
                 /* Nice grab-bag of all system calls which need superuser capabilities */
@@ -242,6 +258,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
                 "acct\0"
                 "bdflush\0"
                 "bpf\0"
+                "capset\0"
                 "chown32\0"
                 "chown\0"
                 "chroot\0"
@@ -268,7 +285,6 @@ const SystemCallFilterSet syscall_filter_sets[] = {
                 "setreuid\0"
                 "setuid32\0"
                 "setuid\0"
-                "stime\0"
                 "swapoff\0"
                 "swapon\0"
                 "sysctl\0"
@@ -295,6 +311,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
                 .value =
                 "ioperm\0"
                 "iopl\0"
+                "pciconfig_iobase\0"
                 "pciconfig_read\0"
                 "pciconfig_write\0"
                 "s390_pci_mmio_read\0"