diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 3b3cebfb18f14d44a78186eac40561413b43aa21..64cbc19bd96fd970f496c747b468881e8c645293 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2351,6 +2351,8 @@ void DerivationGoal::doExportReferencesGraph()
 void setupSeccomp()
 {
 #if __linux__
+    if (!settings.filterSyscalls) return;
+
     scmp_filter_ctx ctx;
 
     if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 41d3323117b4d80d8d00b93b4f29f732b7fdc892..264e82a16e20d9bb9c1e777af51c6b8ee0d765f6 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -336,6 +336,12 @@ public:
         "String appended to the user agent in HTTP requests."};
 
 #if __linux__
+    Setting<bool> filterSyscalls{this, true, "filter-syscalls",
+            "Whether to prevent certain dangerous system calls, such as "
+            "creation of setuid/setgid files or adding ACLs or extended "
+            "attributes. Only disable this if you're aware of the "
+            "security implications."};
+
     Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
         "Whether builders can acquire new privileges by calling programs with "
         "setuid/setgid bits or with file capabilities."};