This will likely easily be possible once we're based on Debian version 9 codename Stretch.
Once available, its a matter of adding whitelisted calls using SystemCallFilter= in a service unit file.
strace logs may help further debugging:
Worth checking out... Quote: Tails report for January, 2016
Change to systemd as init system and use it to:
- Sandbox many services using Linux namespaces and make them harder to exploit.