diff --git a/init/Android.mk b/init/Android.mk
index c0c490559..fe58e04e0 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -75,6 +75,7 @@ LOCAL_STATIC_LIBRARIES := \
     libcutils \
     libbase \
     libc \
+    libseccomp_policy \
     libselinux \
     liblog \
     libcrypto_utils \
diff --git a/init/init.cpp b/init/init.cpp
index e84d069a7..8f726d89a 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -23,6 +23,7 @@
 #include <inttypes.h>
 #include <libgen.h>
 #include <paths.h>
+#include <seccomp_policy.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
@@ -554,6 +555,15 @@ static int queue_property_triggers_action(const std::vector<std::string>& args)
     return 0;
 }
 
+static void global_seccomp() {
+    import_kernel_cmdline(false, [](const std::string& key, const std::string& value, bool in_qemu) {
+        if (key == "androidboot.seccomp" && value == "global" && !set_global_seccomp_filter()) {
+            LOG(ERROR) << "Failed to globally enable seccomp!";
+            panic();
+        }
+    });
+}
+
 static void selinux_init_all_handles(void)
 {
     sehandle = selinux_android_file_context_handle();
@@ -1026,6 +1036,9 @@ int main(int argc, char** argv) {
 
         SetInitAvbVersionInRecovery();
 
+        // Enable seccomp if global boot option was passed (otherwise it is enabled in zygote).
+        global_seccomp();
+
         // Set up SELinux, loading the SELinux policy.
         selinux_initialize(true);