diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index bf386f2..c298876 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -37,9 +37,13 @@ cat > $ROOTFS/etc/systemd/nspawn/workspace.nspawn <<'EOF'
 [Exec]
 Boot=yes
 ResolvConf=copy-host
+Capability=all
+SystemCallFilter=@keyring bpf
+PrivateUsers=no
 
 [Files]
 Bind=/home/ai:/root
+SuppressSync=false
 
 [Network]
 VirtualEthernet=no