diff --git a/sandbox/sandbox-linux.cpp b/sandbox/sandbox-linux.cpp
index 5b3e43d..6c2dff9 100644
--- a/sandbox/sandbox-linux.cpp
+++ b/sandbox/sandbox-linux.cpp
@@ -26,16 +26,26 @@ bool SandboxLinux::enableForInit()
  {
  umask(0027);
- struct qssb_policy policy = {0};
- int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1};
- policy.blacklisted_syscalls = blacklisted_syscalls;
- policy.no_new_privs = 1;
- int result = qssb_enable_policy(&policy);
- if(result != 0)
+ struct qssb_policy *policy = qssb_init_policy();
+ if(policy == NULL)
  {
- Logger::error() << "Failed to install sandboxing policy (init): " << result;
+ Logger::error() << "Failed to init sandboxing policy (init)";
  return false;
  }
+ policy->namespace_options = QSSB_UNSHARE_USER;
+ policy->drop_caps = 0;
+ qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execveat));
+ qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execve));
+ qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+
+ int result = qssb_enable_policy(policy);
+ if(result != 0)
+ {
+ Logger::error() << "Failed to enable sandboxing policy (init): " << result;
+ qssb_free_policy(policy);
+ return false;
+ }
+ qssb_free_policy(policy);
  return true;
  }
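Review bot: The init policy no longer sets no_new_privs — the removed line `policy.no_new_privs = 1;` has no counterpart on the new side, so unless qssb_init_policy() turns it on by default (enableForWorker in the third hunk sets it explicitly, which suggests it does not), the init process keeps the ability to gain privileges through setuid or file-capability binaries; add `policy->no_new_privs = 1;` next to the `drop_caps = 0` assignment. The return values of qssb_append_syscall_policy() and qssb_append_syscall_default_policy() are discarded here and in the following two hunks; assuming they report failure with a non-zero return the way qssb_enable_policy() does, a failed append would still let the policy be enabled with only the default-allow rule and execve not denied, so each call should be checked along the lines of `if(qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execve)) != 0) { qssb_free_policy(policy); return false; }`. The function's signature appears only in the hunk header; its whole body is within the hunk.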
@@ -44,28 +54,34 @@ bool SandboxLinux::enablePreWorker(std::vector fsPaths)
  std::sort(fsPaths.begin(), fsPaths.end(), [](const std::string &a, const std::string &b) { return a.length() < b.length(); });
- struct qssb_path_policy *policies = new qssb_path_policy[fsPaths.size()];
+ struct qssb_policy *policy = qssb_init_policy();
+ if(policy == NULL)
+ {
+ Logger::error() << "Failed to init sandboxing policy (pre)";
+ return false;
+ }
+
  for(unsigned int i = 0; i < fsPaths.size(); i++)
  {
- policies[i].next = policies + (i + 1);
- policies[i].mountpoint = fsPaths[i].c_str();
- policies[i].policy = QSSB_MOUNT_ALLOW_READ | QSSB_MOUNT_ALLOW_WRITE;
+ qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str());
  }
- policies[fsPaths.size() - 1].next = NULL;
- struct qssb_policy policy = {0};
- policy.path_policies = policies;
- policy.namespace_options |= QSSB_UNSHARE_MOUNT;
- policy.namespace_options |= QSSB_UNSHARE_USER;
- int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1};
- policy.blacklisted_syscalls = blacklisted_syscalls;
- int result = qssb_enable_policy(&policy);
+ policy->namespace_options = QSSB_UNSHARE_MOUNT;
+ policy->drop_caps = 0;
+ policy->mount_path_policies_to_chroot = 1;
+
+ qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execveat));
+ qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(execve));
+ qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+
+ int result = qssb_enable_policy(policy);
  if(result != 0)
  {
  Logger::error() << "Failed to install sandboxing policy (preworker): %i" << result;
+ qssb_free_policy(policy);
  return false;
  }
- delete[] policies;
+ qssb_free_policy(policy);
  return true;
  }
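Review bot: The pre-worker policy now unshares only the mount namespace — `policy->namespace_options = QSSB_UNSHARE_MOUNT;` replaces the two removed `|=` lines that also requested QSSB_UNSHARE_USER — and unsharing a mount namespace needs CAP_SYS_ADMIN, which an unprivileged process only gets by first entering a user namespace. If this relies on enableForInit (previous hunk) having already placed the process in a user namespace, that dependency deserves a comment at the assignment, e.g. `/* user namespace already entered in enableForInit(); only the mount namespace is unshared here */`; otherwise restore `QSSB_UNSHARE_MOUNT | QSSB_UNSHARE_USER`. The new loop no longer touches `policies[fsPaths.size() - 1]` when fsPaths is empty, which removes the old out-of-bounds write, but qssb_append_path_policy()'s return value is discarded, so a failed append silently produces a policy with fewer mounts than requested. The (preworker) error message on the context line still contains a printf-style `%i` that the stream never substitutes; `Logger::error() << "Failed to install sandboxing policy (preworker): " << result;` matches the init wording. The function's signature and opening brace lie above the hunk.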
@@ -88,30 +104,35 @@ bool SandboxLinux::supported()
  }
  bool SandboxLinux::enableForWorker()
  {
- struct qssb_policy policy = {0};
- policy.drop_caps = 1;
- policy.not_dumpable = 1;
- policy.no_new_privs = 1;
+ struct qssb_policy *policy = qssb_init_policy();
+ if(policy == NULL)
+ {
+ Logger::error() << "Failed to init sandboxing policy (worker) ";
+ return false;
+ }
+ policy->drop_caps = 1;
+ policy->not_dumpable = 1;
+ policy->no_new_privs = 1;
+ policy->namespace_options = 0;
  /* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
  * sense that more could be listed here and some critical ones are probably missing */
- int blacklisted_syscalls[] = {QSSB_SYS(setuid),
- QSSB_SYS(connect),
- QSSB_SYS(chroot),
- QSSB_SYS(pivot_root),
- QSSB_SYS(mount),
- QSSB_SYS(setns),
- QSSB_SYS(unshare),
- QSSB_SYS(ptrace),
- QSSB_SYS(personality),
- QSSB_SYS(prctl),
- -1};
- policy.blacklisted_syscalls = blacklisted_syscalls;
- if(qssb_enable_policy(&policy) != 0)
+
+ /* TODO: use qssb groups */
+ long blacklisted_syscalls[] = {QSSB_SYS(setuid), QSSB_SYS(connect), QSSB_SYS(chroot), QSSB_SYS(pivot_root),
+ QSSB_SYS(mount), QSSB_SYS(setns), QSSB_SYS(unshare), QSSB_SYS(ptrace),
+ QSSB_SYS(personality), QSSB_SYS(prctl)};
+
+ qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
+ sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
+ qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+
+ if(qssb_enable_policy(policy) != 0)
  {
  Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
+ qssb_free_policy(policy);
  return false;
  }
-
+ qssb_free_policy(policy);
  return true;
  }
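Review bot: The worker deny list built in `blacklisted_syscalls` omits execve and execveat, which both the init and pre-worker policies deny with QSSB_SYSCALL_DENY_KILL_PROCESS; that is only safe if enableForWorker runs in a process descended from one that already installed those filters (seccomp filters are inherited across fork and cannot be removed), so a comment stating that reliance at the array, e.g. `/* execve/execveat are already denied by the filter inherited from enableForInit()/enablePreWorker() */`, or adding the two entries here, would make the intent explicit. The failure message `"Sandbox: Activation of seccomp blacklist failed!"` under-describes what qssb_enable_policy() now enforces (drop_caps, not_dumpable and no_new_privs as well as the filter), and the init-failure message `"Failed to init sandboxing policy (worker) "` carries a trailing space; `Logger::error() << "Failed to enable sandboxing policy (worker)";` would align both with the wording used in enableForInit. As with the first two hunks, the return values of qssb_append_syscalls_policy() and qssb_append_syscall_default_policy() go unchecked. The whole function body is within the hunk.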