Strict Sandbox blocks required syscalls
When I configured zathura to use a strict sandbox, it would hang and freeze when launching from the terminal or graphical file manager. When the sandbox is normal, zathura launches as expected. When debugging it with kernel audits and strace, the syscalls gettid, sched_getattr, sched_setattr, and pipe2 were required to launch it from the terminal and getcwd was required to launch it from the file manager. Allowing these syscalls in seccomp-filters.c fixed this issue.
I am not using a DE, rather just awesomewm, and the file manager I launched zathura from is SpaceFM.
diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c index 7eccedf..67878c9 100644 --- a/zathura/seccomp-filters.c +++ b/zathura/seccomp-filters.c @@ -156,6 +156,7 @@ seccomp_enable_strict_filter(void) ALLOW_RULE(fstatfs); ALLOW_RULE(ftruncate); ALLOW_RULE(futex); + ALLOW_RULE(getcwd); ALLOW_RULE(getdents); ALLOW_RULE(getdents64); ALLOW_RULE(getegid); @@ -187,6 +188,7 @@ seccomp_enable_strict_filter(void) //ALLOW_RULE (open); /* (zathura needs to open for writing) TODO: avoid needing this somehow */ //ALLOW_RULE (openat); ALLOW_RULE(pipe); + ALLOW_RULE(pipe2); ALLOW_RULE(poll); ALLOW_RULE(pwrite64); /* TODO: build detailed filter */ ALLOW_RULE(pread64);
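Review bot: ALLOW_RULE(getcwd), added between futex and getdents in the first hunk, carries no comment saying why the strict filter needs it. The report ties it to launching from a file manager, so record that beside the rule, for example `ALLOW_RULE(getcwd); /* needed when launched from a file manager */`, in the same way the open and pwrite64 lines explain themselves.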
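Review bot: ALLOW_RULE(pipe2), added after pipe in the second hunk, is the only terminal-launch syscall this patch allows, while the report also names gettid, sched_getattr and sched_setattr as required and neither hunk adds them. Either say in the commit message that this applies on top of the existing commit that covers those three, or add them here. A short comment on which launch path needs pipe2 would also help, since the rule is unconditional.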
EDIT: there is already a commit for this issue, but getcwd and pipe2 are still blocked.
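The audit-log side of the debugging described in this report can be scripted. The following is an added example, not code from the report or from the zathura project: it tallies the syscalls named in kernel `type=SECCOMP` audit records for one process and lists those an allow-list still lacks. The log lines are constructed, the number table is an x86_64 subset, and the `already_allowed` set passed in is an assumption for illustration.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers for the calls named in the report (subset only).
X86_64_SYSCALLS = {79: "getcwd", 186: "gettid", 293: "pipe2",
                   314: "sched_setattr", 315: "sched_getattr"}
AUDIT_ARCH_X86_64 = "c000003e"

# Constructed sample records (abbreviated fields), not captured from a real system.
SAMPLE_LOG = """\
type=SECCOMP msg=audit(1700000000.101:501): uid=1000 pid=4242 comm="zathura" exe="/usr/bin/zathura" sig=31 arch=c000003e syscall=186 compat=0 code=0x0
type=SECCOMP msg=audit(1700000000.102:502): uid=1000 pid=4242 comm="zathura" exe="/usr/bin/zathura" sig=31 arch=c000003e syscall=315 compat=0 code=0x0
type=SECCOMP msg=audit(1700000000.103:503): uid=1000 pid=4242 comm="zathura" exe="/usr/bin/zathura" sig=31 arch=c000003e syscall=314 compat=0 code=0x0
type=SECCOMP msg=audit(1700000000.104:504): uid=1000 pid=4242 comm="zathura" exe="/usr/bin/zathura" sig=31 arch=c000003e syscall=293 compat=0 code=0x0
type=SYSCALL msg=audit(1700000000.105:505): arch=c000003e syscall=59 success=yes comm="spacefm"
type=SECCOMP msg=audit(1700000000.106:506): uid=1000 pid=4250 comm="zathura" exe="/usr/bin/zathura" sig=31 arch=c000003e syscall=293 compat=0 code=0x0
type=SECCOMP msg=audit(1700000000.107:507): uid=1000 pid=4250 comm="zathura" exe="/usr/bin/zathura" sig=31 arch=c000003e syscall=79 compat=0 code=0x0
type=SECCOMP msg=audit(1700000000.108:508): uid=1000 pid=4300 comm="other" exe="/usr/bin/other" sig=31 arch=c000003e syscall=79 compat=0 code=0x0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def blocked_syscalls(log_text, comm="zathura"):
    """Return {syscall name: hit count} from SECCOMP records of one process name."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.startswith("type=SECCOMP"):
            continue  # ignore SYSCALL, PATH and other record types
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("comm") != comm or "syscall" not in fields:
            continue
        nr = int(fields["syscall"])
        if fields.get("arch") == AUDIT_ARCH_X86_64:
            name = X86_64_SYSCALLS.get(nr, f"unknown({nr})")
        else:
            # Numbers differ per architecture; never map them with the wrong table.
            name = f"arch={fields.get('arch')} nr={nr}"
        hits[name] += 1
    return dict(hits)

def missing_rules(hits, already_allowed):
    """Syscalls seen in SECCOMP records that the allow-list does not yet contain."""
    return sorted(name for name in hits if name not in already_allowed)

if __name__ == "__main__":
    seen = blocked_syscalls(SAMPLE_LOG)
    print(seen)
    print(missing_rules(seen, {"gettid", "sched_getattr", "sched_setattr"}))
```
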