diff --git a/test/sandbox/assert.go b/test/sandbox/assert.go
index 4df2774..12323a0 100644
--- a/test/sandbox/assert.go
+++ b/test/sandbox/assert.go
@@ -78,3 +78,9 @@ func MustAssertFS(e fs.FS, wantFile string) {
 fatalf("%v", err)
 }
 }
+
+func MustAssertSeccomp() {
+ if TrySyscalls() != nil {
+ os.Exit(1)
+ }
+}
diff --git a/test/sandbox/default.nix b/test/sandbox/default.nix
index eb46845..8543493 100644
--- a/test/sandbox/default.nix
+++ b/test/sandbox/default.nix
@@ -8,6 +8,7 @@
 writeShellScript "check-sandbox" ''
 set -e
 ${callPackage ./mount.nix { inherit version; }}/bin/test
 ${callPackage ./fs.nix { inherit version; }}/bin/test
+ ${callPackage ./seccomp.nix { inherit version; }}/bin/test
 touch /tmp/sandbox-ok
 ''
diff --git a/test/sandbox/seccomp.go b/test/sandbox/seccomp.go
new file mode 100644
index 0000000..9ccf134
--- /dev/null
+++ b/test/sandbox/seccomp.go
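Review bot: MustAssertSeccomp, added at the bottom of the first hunk, drops the error TrySyscalls returns and exits with a bare `os.Exit(1)`, while the sibling MustAssertFS visible in the context lines reports through `fatalf("%v", err)`. Taking the same path would make a failing seccomp check read like the other assertions in this file and keep whatever message fatalf emits before exiting, assuming fatalf exits non-zero as the other Must helpers rely on. Suggested body: `if err := TrySyscalls(); err != nil {` / `fatalf("%v", err)` / `}`. The function is complete within the hunk; fatalf itself is defined outside it.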
@@ -0,0 +1,45 @@
+package sandbox
+
+import (
+ "os"
+ "syscall"
+)
+
+/*
+#include
+*/
+import "C"
+
+const NULL = 0
+
+func TrySyscalls() error {
+ testCases := []struct {
+ name string
+ errno syscall.Errno
+
+ trap, a1, a2, a3, a4, a5, a6 uintptr
+ }{
+ {"syslog", syscall.EPERM, syscall.SYS_SYSLOG, 0, NULL, NULL, NULL, NULL, NULL},
+ {"uselib", syscall.EPERM, syscall.SYS_USELIB, 0, NULL, NULL, NULL, NULL, NULL},
+ {"acct", syscall.EPERM, syscall.SYS_ACCT, 0, NULL, NULL, NULL, NULL, NULL},
+ {"quotactl", syscall.EPERM, syscall.SYS_QUOTACTL, C.Q_GETQUOTA, NULL, uintptr(os.Getuid()), NULL, NULL, NULL},
+ {"add_key", syscall.EPERM, syscall.SYS_ADD_KEY, NULL, NULL, NULL, NULL, NULL, NULL},
+ {"keyctl", syscall.EPERM, syscall.SYS_KEYCTL, NULL, NULL, NULL, NULL, NULL, NULL},
+ {"request_key", syscall.EPERM, syscall.SYS_REQUEST_KEY, NULL, NULL, NULL, NULL, NULL, NULL},
+ {"move_pages", syscall.EPERM, syscall.SYS_MOVE_PAGES, uintptr(os.Getpid()), NULL, NULL, NULL, NULL, NULL},
+ {"mbind", syscall.EPERM, syscall.SYS_MBIND, NULL, NULL, NULL, NULL, NULL, NULL},
+ {"get_mempolicy", syscall.EPERM, syscall.SYS_GET_MEMPOLICY, NULL, NULL, NULL, NULL, NULL, NULL},
+ {"set_mempolicy", syscall.EPERM, syscall.SYS_SET_MEMPOLICY, NULL, NULL, NULL, NULL, NULL, NULL},
+ {"migrate_pages", syscall.EPERM, syscall.SYS_MIGRATE_PAGES, NULL, NULL, NULL, NULL, NULL, NULL},
+ }
+
+ for _, tc := range testCases {
+ if _, _, errno := syscall.Syscall6(tc.trap, tc.a1, tc.a2, tc.a3, tc.a4, tc.a5, tc.a6); errno != tc.errno {
+ printf("[FAIL] %s: %v, want %v", tc.name, errno, tc.errno)
+ return errno
+ }
+ printf("[ OK ] %s: %v", tc.name, tc.errno)
+ }
+
+ return nil
+}
diff --git a/test/sandbox/seccomp.nix b/test/sandbox/seccomp.nix
new file mode 100644
index 0000000..3cf9b58
--- /dev/null
+++ b/test/sandbox/seccomp.nix
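Review bot: Some entries in the testCases table pass even when no seccomp filter is installed, so they do not prove the sandbox is in effect: `acct(NULL)` is refused with EPERM for any process lacking CAP_SYS_PACCT before the kernel looks at its argument, and `syslog(0, ...)` also returns EPERM on hosts with `kernel.dmesg_restrict=1`, a common default. A policy that silently failed to load would therefore still print `[ OK ] acct` and `[ OK ] syslog`, and the remaining cases only catch it because their unfiltered errno happens to differ from EPERM. Consider gating the table on the process actually being in filter mode, e.g. `if mode, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, C.PR_GET_SECCOMP, 0, 0); errno != 0 || mode != 2 { printf("[FAIL] seccomp mode %d, want 2", mode) ... }` returning a non-nil error (needs `<sys/prctl.h>` in the cgo preamble and assumes the policy lets prctl through), or at least a comment on the acct and syslog entries stating that EPERM there is expected with or without the filter. Note also that the loop returns at the first mismatch, so one run surfaces only a single regression.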
@@ -0,0 +1,27 @@
+{
+ writeText,
+ buildGoModule,
+
+ version,
+}:
+let
+ mainFile = writeText "main.go" ''
+ package main
+
+ import "git.gensokyo.uk/security/fortify/test/sandbox"
+
+ func main() { sandbox.MustAssertSeccomp() }
+ '';
+in
+buildGoModule {
+ pname = "check-seccomp";
+ inherit version;
+
+ src = ../.;
+ vendorHash = null;
+
+ preBuild = ''
+ go mod init git.gensokyo.uk/security/fortify/test >& /dev/null
+ cp ${mainFile} main.go
+ '';
+}
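Review bot: The `go mod init ... >& /dev/null` in preBuild discards both stdout and stderr, so if init fails, for instance because `src = ../.` already carries a go.mod, the only evidence is an opaque phase failure, or, if the builder shell is not running with errexit, a later `go build` error about a missing module. Dropping the redirect costs one line of build-log noise and keeps the failure diagnosable: `go mod init git.gensokyo.uk/security/fortify/test`. If mount.nix and fs.nix (not in this diff) use the same redirect, change them together so the three test derivations stay consistent.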