diff --git a/generate/generate.go b/generate/generate.go
index 84762c3cb..9351959cb 100644
--- a/generate/generate.go
+++ b/generate/generate.go
@@ -35,8 +35,8 @@ func New() Generator {
 spec := rspec.Spec{
 Version: rspec.Version,
 Root: &rspec.Root{
- Path: "",
- Readonly: false,
+ Path: "rootfs",
+ Readonly: true,
 },
 Process: &rspec.Process{
 Terminal: false,
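Review bot: The new `Root` defaults (`Path: "rootfs"`, `Readonly: true`) change what every caller of `New` receives, but nothing in the hunk records that; `New`'s signature and doc comment sit outside the hunk, so the statement belongs there. A relative `Path` is resolved against the bundle directory, so `rootfs` is only meaningful once the spec is written into a bundle, and callers that previously relied on a writable root now have to request it explicitly. Suggested doc wording on `New`: `// New returns a Generator whose spec defaults to a read-only root at the bundle-relative path "rootfs"; callers needing a writable root must set it explicitly.`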
@@ -48,87 +48,33 @@ func New() Generator {
 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 "TERM=xterm",
 },
- Cwd: "/",
+ Cwd: "/",
+ NoNewPrivileges: true,
 Capabilities: &rspec.LinuxCapabilities{
 Bounding: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
 "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
 },
 Permitted: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
 "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
 },
 Inheritable: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
 "CAP_AUDIT_WRITE",
- },
- Effective: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
 "CAP_KILL",
- "CAP_AUDIT_WRITE",
+ "CAP_NET_BIND_SERVICE",
 },
 Ambient: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
+ "CAP_AUDIT_WRITE",
 "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+ Effective: []string{
 "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
 },
 },
 Rlimits: []rspec.POSIXRlimit{
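Review bot: The same three-entry capability list is now spelled out five times (Bounding, Permitted, Inheritable, Ambient, Effective), and the hunk itself shows how easily the copies drift — Effective and Ambient were edited by hand and reordered relative to each other. For a default where every set is meant to be identical, a silent mismatch between, say, Permitted and Effective would change the privileges the container starts with without any test noticing, so the list should be written once. Each field still needs its own backing array in case a setter later appends to one of them in place, so a small helper that returns a fresh slice is safer than sharing one package-level variable. The rest of the hunk (NoNewPrivileges, Rlimits) is unchanged; `New` starts and ends outside the hunk.
```go
// defaultCapabilities returns a fresh copy of the minimal default capability
// set so that each capability field of the spec owns its own backing array.
func defaultCapabilities() []string {
	return []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"}
}

// … unchanged: start of New, Cwd / NoNewPrivileges …
			Capabilities: &rspec.LinuxCapabilities{
				Bounding:    defaultCapabilities(),
				Permitted:   defaultCapabilities(),
				Inheritable: defaultCapabilities(),
				Ambient:     defaultCapabilities(),
				Effective:   defaultCapabilities(),
			},
// … unchanged: Rlimits …
```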
@@ -177,8 +123,30 @@ func New() Generator {
 Source: "sysfs",
 Options: []string{"nosuid", "noexec", "nodev", "ro"},
 },
+ {
+ Destination: "/sys/fs/cgroup",
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+ },
 },
 Linux: &rspec.Linux{
+ MaskedPaths: []string{
+ "/proc/kcore",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/sys/firmware",
+ },
+ ReadonlyPaths: []string{
+ "/proc/asound",
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger",
+ },
 Resources: &rspec.LinuxResources{
 Devices: []rspec.LinuxDeviceCgroup{
 {
@@ -204,7 +172,6 @@ func New() Generator {
 Type: "mount",
 },
 },
- Devices: []rspec.LinuxDevice{},
 },
 }
 spec.Linux.Seccomp = seccomp.DefaultProfile(&spec)
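Review bot: The new `MaskedPaths` and `ReadonlyPaths` lists carry no comment saying which reference default they mirror, so a later reader cannot tell whether an absent entry is a deliberate choice or drift. Later revisions of the commonly used runtime defaults also mask entries such as `/proc/keys`, `/proc/acpi` and `/proc/scsi`; if parity with such a set is the intent, that is worth reconciling now, and either way a source reference makes future review possible. Suggested comment above `MaskedPaths`: `// MaskedPaths and ReadonlyPaths track <reference default set>; review both lists whenever that set changes.` The read-only `cgroup` mount is consistent with the rest of the hardened defaults; `New` begins before the hunk and the mount list is cut at the top, so whether earlier mounts already carry matching options cannot be checked from here.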