diff --git a/third_party/seccomp/BUILD b/third_party/seccomp/BUILD
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/third_party/seccomp/BUILD
diff --git a/third_party/seccomp/external.bzl b/third_party/seccomp/external.bzl
new file mode 100644
index 0000000..66f933b
--- /dev/null
+++ b/third_party/seccomp/external.bzl
@@ -0,0 +1,36 @@
+#  Copyright 2020 The Monogon Project Authors.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+def seccomp_external(name, version):
+    sums = {
+        "2.5.1": "76ad54e31d143b39a99083564045212a965e026a1010a742edd793d26d699829",
+    }
+
+    http_archive(
+        name = name,
+        patch_args = ["-p1"],
+        patches = [
+            "//third_party/seccomp/patches:bazel_cc_fix.patch",
+            "//third_party/seccomp/patches:fix_generated_includes.patch",
+        ],
+        sha256 = sums[version],
+        build_file = "@//third_party/seccomp:seccomp.bzl",
+        strip_prefix = "libseccomp-" + version,
+        # We cannot use the actual release tarball as it contains files generated incorrectly for our environment
+        urls = ["https://github.com/seccomp/libseccomp/archive/v%s.tar.gz" % version],
+    )
diff --git a/third_party/seccomp/patches/BUILD b/third_party/seccomp/patches/BUILD
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/third_party/seccomp/patches/BUILD
diff --git a/third_party/seccomp/patches/bazel_cc_fix.patch b/third_party/seccomp/patches/bazel_cc_fix.patch
new file mode 100644
index 0000000..5cd94ca
--- /dev/null
+++ b/third_party/seccomp/patches/bazel_cc_fix.patch
@@ -0,0 +1,166 @@
+Copyright 2020 The Monogon Project Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+From f8ee9738c83ccca8f83b70605e8e7dda382f4fb7 Mon Sep 17 00:00:00 2001
+From: Lorenz Brun <lorenz@nexantic.com>
+Date: Tue, 9 Mar 2021 17:08:46 +0100
+Subject: [PATCH 1/2] bazel_cc_fix patch
+
+---
+ src/api.c               | 2 +-
+ src/arch-syscall-dump.c | 2 +-
+ src/arch.c              | 2 +-
+ src/arch.h              | 2 +-
+ src/db.c                | 2 +-
+ src/db.h                | 2 +-
+ src/gen_bpf.c           | 2 +-
+ src/gen_pfc.c           | 2 +-
+ src/syscalls.c          | 2 +-
+ src/system.c            | 2 +-
+ 10 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/src/api.c b/src/api.c
+index 5cec088..b3f3b33 100644
+--- a/src/api.c
++++ b/src/api.c
+@@ -29,7 +29,7 @@
+ #include <stdbool.h>
+ #include <sys/ioctl.h>
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ 
+ #include "arch.h"
+ #include "db.h"
+diff --git a/src/arch-syscall-dump.c b/src/arch-syscall-dump.c
+index 2055d34..59881a6 100644
+--- a/src/arch-syscall-dump.c
++++ b/src/arch-syscall-dump.c
+@@ -27,7 +27,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ 
+ #include "arch.h"
+ #include "arch-x86.h"
+diff --git a/src/arch.c b/src/arch.c
+index 73bf710..0184ed8 100644
+--- a/src/arch.c
++++ b/src/arch.c
+@@ -27,7 +27,7 @@
+ #include <linux/audit.h>
+ #include <stdbool.h>
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ 
+ #include "arch.h"
+ #include "arch-x86.h"
+diff --git a/src/arch.h b/src/arch.h
+index 38c3a9c..33f46a5 100644
+--- a/src/arch.h
++++ b/src/arch.h
+@@ -26,7 +26,7 @@
+ #include <stddef.h>
+ #include <stdbool.h>
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ 
+ #include "system.h"
+ 
+diff --git a/src/db.c b/src/db.c
+index 2dc9733..678890d 100644
+--- a/src/db.c
++++ b/src/db.c
+@@ -27,7 +27,7 @@
+ #include <string.h>
+ #include <stdarg.h>
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ 
+ #include "arch.h"
+ #include "db.h"
+diff --git a/src/db.h b/src/db.h
+index 765c607..ffeaeaa 100644
+--- a/src/db.h
++++ b/src/db.h
+@@ -25,7 +25,7 @@
+ #include <inttypes.h>
+ #include <stdbool.h>
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ 
+ #include "arch.h"
+ 
+diff --git a/src/gen_bpf.c b/src/gen_bpf.c
+index 6961d09..c0b60e4 100644
+--- a/src/gen_bpf.c
++++ b/src/gen_bpf.c
+@@ -32,7 +32,7 @@
+ #endif
+ #include <endian.h>
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ 
+ #include "arch.h"
+ #include "arch-x32.h"
+diff --git a/src/gen_pfc.c b/src/gen_pfc.c
+index 405f080..fd2e187 100644
+--- a/src/gen_pfc.c
++++ b/src/gen_pfc.c
+@@ -29,7 +29,7 @@
+ /* NOTE: needed for the arch->token decoding in _pfc_arch() */
+ #include <linux/audit.h>
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ 
+ #include "arch.h"
+ #include "db.h"
+diff --git a/src/syscalls.c b/src/syscalls.c
+index 9091fa9..72e26ab 100644
+--- a/src/syscalls.c
++++ b/src/syscalls.c
+@@ -19,7 +19,7 @@
+  * You should have received a copy of the GNU Lesser General Public License
+  * along with this library; if not, see <http://www.gnu.org/licenses>.
+  */
+-#include <seccomp.h>
++#include "seccomp.h"
+ #include <string.h>
+ 
+ #include "arch.h"
+diff --git a/src/system.c b/src/system.c
+index ae445bf..44f5b5c 100644
+--- a/src/system.c
++++ b/src/system.c
+@@ -28,7 +28,7 @@
+ 
+ #include "system.h"
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ 
+ #include "arch.h"
+ #include "db.h"
+-- 
+2.25.1
+
diff --git a/third_party/seccomp/patches/fix_generated_includes.patch b/third_party/seccomp/patches/fix_generated_includes.patch
new file mode 100644
index 0000000..9ded20c
--- /dev/null
+++ b/third_party/seccomp/patches/fix_generated_includes.patch
@@ -0,0 +1,57 @@
+Copyright 2020 The Monogon Project Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+From ac0286c4e85bef34485ad3cd1161da5c379af316 Mon Sep 17 00:00:00 2001
+From: Lorenz Brun <lorenz@nexantic.com>
+Date: Tue, 9 Mar 2021 17:18:30 +0100
+Subject: [PATCH 2/2] Fix generated includes
+
+---
+ include/seccomp.h.in       | 2 +-
+ src/syscalls.perf.template | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/seccomp.h.in b/include/seccomp.h.in
+index 1e47de9..444ca93 100644
+--- a/include/seccomp.h.in
++++ b/include/seccomp.h.in
+@@ -818,7 +818,7 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
+ #define __NR_SCMP_ERROR		-1
+ #define __NR_SCMP_UNDEF		-2
+ 
+-#include <seccomp-syscalls.h>
++#include "include/seccomp-syscalls.h"
+ 
+ #ifdef __cplusplus
+ }
+diff --git a/src/syscalls.perf.template b/src/syscalls.perf.template
+index f1fd3db..9540ad0 100644
+--- a/src/syscalls.perf.template
++++ b/src/syscalls.perf.template
+@@ -20,9 +20,9 @@
+  * along with this library; if not, see <http://www.gnu.org/licenses>.
+  */
+ 
+-#include <seccomp.h>
++#include "seccomp.h"
+ #include <string.h>
+-#include "syscalls.h"
++#include "src/syscalls.h"
+ 
+ %}
+ struct arch_syscall_table;
+-- 
+2.25.1
+
diff --git a/third_party/seccomp/seccomp.bzl b/third_party/seccomp/seccomp.bzl
new file mode 100644
index 0000000..782c762
--- /dev/null
+++ b/third_party/seccomp/seccomp.bzl
@@ -0,0 +1,82 @@
+#  Copyright 2020 The Monogon Project Authors.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+load("@rules_cc//cc:defs.bzl", "cc_library")
+load("@dev_source_monogon//build/utils:template_file.bzl", "template_file")
+
+genrule(
+    name = "config-h",
+    outs = ["configure.h"],
+    cmd = "echo \"#define HAVE_LINUX_SECCOMP_H 1\" > \"$@\"",
+    visibility = ["//visibility:public"],
+)
+
+genrule(
+    name = "syscalls-tables",
+    srcs = [
+        "src/syscalls.perf.template",
+        "src/syscalls.csv",
+    ],
+    outs = ["syscalls.perf.c"],
+    cmd = """
+    # From src/arch-gperf-generate, modified to not write over source files
+    grep -v '^#' $(location src/syscalls.csv) | nl -ba -s, -v0 | \
+        sed -e 's/^[[:space:]]\\+\\([0-9]\\+\\),\\([^,]\\+\\),\\(.*\\)/\\2,\\1,\\3/' \
+            -e ':repeat; {s|\\([^,]\\+\\)\\(.*\\)[^_]PNR|\\1\\2,__PNR_\\1|g;}; t repeat' \
+             > "$(@D)/syscalls_tmp.csv"
+
+    # create the gperf file
+    sed -e "/@@SYSCALLS_TABLE@@/r $(@D)/syscalls_tmp.csv" \
+        -e '/@@SYSCALLS_TABLE@@/d' \
+        $(location src/syscalls.perf.template) > "$(@D)/syscalls.perf"
+    ./$(location @gperf//:gperf) -m 100 --null-strings --pic -tCEG -T -S1 --output-file="$(location syscalls.perf.c)" "$(@D)/syscalls.perf"
+    """,
+    tools = [
+        "@gperf//:gperf",
+    ],
+)
+
+template_file(
+    name = "seccomp.h",
+    src = "include/seccomp.h.in",
+    substitutions = {
+        # Irrelevant for Bazel. Just look at WORKSPACE.
+        # Make it obviously invalid so nobody is mislead.
+        "@VERSION_MAJOR@": "0",
+        "@VERSION_MINOR@": "0",
+        "@VERSION_MICRO@": "0",
+    },
+    visibility = ["//visibility:public"],
+)
+
+cc_library(
+    name = "seccomp",
+    srcs = glob(
+        [
+            "src/*.c",
+            "src/*.h",
+        ],
+        exclude = [
+            "src/arch-syscall-check.c",
+            "src/arch-syscall-dump.c",
+        ],
+    ) + ["//:configure.h", ":syscalls.perf.c"],
+    hdrs = [
+        ":seccomp.h",
+        "include/seccomp-syscalls.h",
+    ],
+    visibility = ["//visibility:public"],
+)