diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index fa05a8a5b4f..673b627c3b1 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -84,7 +84,6 @@ static int add_syscall_filters(
 { 0, "sched_rr_get_interval" },
 { 0, "sched_rr_get_interval_time64" },
 { 0, "sched_yield" },
- { 0, "seccomp" },
 { 0, "sendfile" },
 { 0, "sendfile64" },
 { 0, "setdomainname" },
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 46ca55ec8d2..22cafb1b2f7 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 .name = "@default",
 .help = "System calls that are always permitted",
 .value =
+ "@sandbox\0"
 "arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */
 "brk\0"
 "cacheflush\0"
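Review bot: The added `"@sandbox\0"` entry in `@default` carries no comment, although it widens the set that the help text describes as always permitted: every syscall that is in `@sandbox` now, or is added to it later, becomes allowed in any filter that includes `@default`. I would state the invariant on that line, e.g. `"@sandbox\0" /* Only calls that can further restrict the caller; anything added to @sandbox becomes always permitted. */`. The definition of `@sandbox` is outside this hunk, so its current members should be checked against that invariant before merging. The first hunk's removal of `seccomp` from the nspawn list presumably relies on that list pulling in `@default`, which is not visible here either and is worth confirming.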