diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix
index b4053c7a956..29f8e1ae257 100644
--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@@ -15,6 +15,10 @@ stdenv.mkDerivation rec {
 sha256 = "17xrk7gxrl3hgg0i73n8qm53knyh01lf0f3l1zx9x6r1cip3dlnx";
 };
 
+ # The hardcoded list of allowed system calls for seccomp is
+ # insufficient for NixOS, add more to make it work (issue #21136).
+ patches = [ ./seccomp.patch ];
+
 configureFlags = [
 "--sysconfdir=/etc"
 "--localstatedir=/var"
diff --git a/pkgs/tools/networking/ntp/seccomp.patch b/pkgs/tools/networking/ntp/seccomp.patch
new file mode 100644
index 00000000000..28de2f01d07
--- /dev/null
+++ b/pkgs/tools/networking/ntp/seccomp.patch
@@ -0,0 +1,44 @@
+diff -urN ntp-4.2.8p10.orig/ntpd/ntpd.c ntp-4.2.8p10/ntpd/ntpd.c
+--- ntp-4.2.8p10.orig/ntpd/ntpd.c 2017-04-02 20:21:17.371319663 +0200
++++ ntp-4.2.8p10/ntpd/ntpd.c 2017-04-02 21:26:02.766178723 +0200
+@@ -1157,10 +1157,12 @@
+ SCMP_SYS(close),
+ SCMP_SYS(connect),
+ SCMP_SYS(exit_group),
++ SCMP_SYS(fcntl),
+ SCMP_SYS(fstat),
+ SCMP_SYS(fsync),
+ SCMP_SYS(futex),
+ SCMP_SYS(getitimer),
++ SCMP_SYS(getpid),
+ SCMP_SYS(getsockname),
+ SCMP_SYS(ioctl),
+ SCMP_SYS(lseek),
+@@ -1179,6 +1181,7 @@
+ SCMP_SYS(sendto),
+ SCMP_SYS(setitimer),
+ SCMP_SYS(setsid),
++ SCMP_SYS(setsockopt),
+ SCMP_SYS(socket),
+ SCMP_SYS(stat),
+ SCMP_SYS(time),
+@@ -1195,9 +1198,11 @@
+ SCMP_SYS(clock_settime),
+ SCMP_SYS(close),
+ SCMP_SYS(exit_group),
++ SCMP_SYS(fcntl),
+ SCMP_SYS(fsync),
+ SCMP_SYS(futex),
+ SCMP_SYS(getitimer),
++ SCMP_SYS(getpid),
+ SCMP_SYS(madvise),
+ SCMP_SYS(mmap),
+ SCMP_SYS(mmap2),
+@@ -1211,6 +1216,7 @@
+ SCMP_SYS(select),
+ SCMP_SYS(setitimer),
+ SCMP_SYS(setsid),
++ SCMP_SYS(setsockopt),
+ SCMP_SYS(sigprocmask),
+ SCMP_SYS(sigreturn),
+ SCMP_SYS(socketcall),
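Review bot: The comment above `patches` says the seccomp allowlist is insufficient but does not name the syscalls the patch adds, so anyone reading `default.nix` has to open the patch to see how far the sandbox was widened. Suggested wording: `# ntpd's built-in seccomp allowlist lacks fcntl, getpid and setsockopt, which are needed on NixOS; seccomp.patch adds them (issue #21136).` The patch is written against ntp-4.2.8p10 paths and line offsets, so it is worth adding a second comment line asking for it to be re-checked against upstream's list on every version bump, e.g. `# Re-check against upstream's syscall list when bumping the version.`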
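Review bot: `SCMP_SYS(fcntl)` and `SCMP_SYS(setsockopt)` are added to both syscall lists as bare entries. If the code that installs the list (outside these hunks) adds each entry without argument comparisons, which is presumably how the existing `ioctl` entry is handled, the filter then permits every fcntl command and every socket option, not only the ones that caused the failure on NixOS. Record the reason in the patch header, above the `diff -urN` line, for example `Allow fcntl, getpid and setsockopt: required by <call path, to be filled in> on NixOS (issue #21136).` If only a few fcntl commands or socket options are actually observed, consider restricting those entries with libseccomp argument filters instead of allowing the syscalls outright. Both arrays and the filter's default action lie outside the hunks, so it is not visible here what happens when a syscall is not on the list.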