diff --git a/log2ram.service b/log2ram.service
index 70c4681..3c575b4 100644
--- a/log2ram.service
+++ b/log2ram.service
@@ -15,5 +15,28 @@ ExecReload= /usr/local/bin/log2ram write
 TimeoutStartSec=120
 RemainAfterExit=yes
+#SANDBOXING# -- NEEDS TESTING
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPriviliges=true
+#PrivateDevices=
+#PrivateNetwork=true
+ #Will likely break "MAIL" in log2ram.config if does not point to localhost / disabled
+ProtectClock=true
+ProtectControlGroups=
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
+ProtectSystem=full
+ # ALT: ProtectSystem=true # if-and-only-if needs /etc, but can whitelist dir prn
+ProtectHome=true
+ #will likely break situations wherein configured to also copy logs from $HOME.
+ #can probably fix with systemctl edit to whitelist relevant dirs
+
+
+
+
 
 [Install]
 WantedBy=sysinit.target
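Review bot: `NoNewPriviliges=true` is misspelled (the directive is `NoNewPrivileges=`), so systemd logs an unknown-key warning and the restriction silently never applies; in the same hunk `ProtectControlGroups=` carries no value and therefore does not enable that protection either — change them to `NoNewPrivileges=true` and `ProtectControlGroups=true`. A larger concern is that ProtectSystem=, ProtectHome= and the ProtectKernel*= settings each put the service into its own mount namespace with slave propagation by default, so if the ExecStart path (outside this hunk) mounts the tmpfs over /var/log, as the project name and `ExecReload= /usr/local/bin/log2ram write` suggest, that mount would stay inside the service's namespace and never be visible to the rest of the system. The unit would then typically need `MountFlags=shared` or a deliberate choice to leave those mount-namespacing options off, and that should be confirmed before the `#SANDBOXING# -- NEEDS TESTING` marker is removed. `systemd-analyze verify log2ram.service` catches the unknown key, and `systemd-analyze security log2ram.service` reports which of the remaining settings actually took effect.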