diff --git a/dbus/dbus_test.go b/dbus/dbus_test.go
index 717ded7..7128c08 100644
--- a/dbus/dbus_test.go
+++ b/dbus/dbus_test.go
@@ -141,7 +141,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 
 				t.Run("unsealed start of "+id, func(t *testing.T) {
 					want := "proxy not sealed"
-					if err := p.Start(nil, nil, sandbox); err == nil || err.Error() != want {
+					if err := p.Start(nil, nil, sandbox, false); err == nil || err.Error() != want {
 						t.Errorf("Start() error = %v, wantErr %q",
 							err, errors.New(want))
 						return
@@ -175,7 +175,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 				}
 
 				t.Run("sealed start of "+id, func(t *testing.T) {
-					if err := p.Start(nil, output, sandbox); err != nil {
+					if err := p.Start(nil, output, sandbox, false); err != nil {
 						t.Fatalf("Start(nil, nil) error = %v",
 							err)
 					}
diff --git a/dbus/run.go b/dbus/run.go
index 0a554bf..0dfe7f8 100644
--- a/dbus/run.go
+++ b/dbus/run.go
@@ -16,7 +16,7 @@ import (
 
 // Start launches the D-Bus proxy and sets up the Wait method.
 // ready should be buffered and must only be received from once.
-func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
+func (p *Proxy) Start(ready chan error, output io.Writer, sandbox, seccomp bool) error {
 	p.lock.Lock()
 	defer p.lock.Unlock()
 
@@ -67,11 +67,16 @@ func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
 			Unshare:       nil,
 			Hostname:      "fortify-dbus",
 			Chdir:         "/",
+			Syscall:       &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
 			Clearenv:      true,
 			NewSession:    true,
 			DieWithParent: true,
 		}
 
+		if !seccomp {
+			bc.Syscall = nil
+		}
+
 		// resolve proxy socket directories
 		bindTarget := make(map[string]struct{}, 2)
 		for _, ps := range []string{p.session[1], p.system[1]} {
diff --git a/internal/system/dbus.go b/internal/system/dbus.go
index b74d5d3..886ba77 100644
--- a/internal/system/dbus.go
+++ b/internal/system/dbus.go
@@ -93,7 +93,7 @@ func (d *DBus) apply(_ *I) error {
 	ready := make(chan error, 1)
 
 	// background dbus proxy start
-	if err := d.proxy.Start(ready, d.out, true); err != nil {
+	if err := d.proxy.Start(ready, d.out, true, true); err != nil {
 		return fmsg.WrapErrorSuffix(err,
 			"cannot start message bus proxy:")
 	}