strict sandbox mode blocks required syscalls
Strict sandbox mode disallows the syscalls gettimeofday and clock_gettime, which seem to be necessary during startup (doing :set sandbox strict after starting works fine), at least on my end. This also causes the AUR package zathura-git to fail installation as ninja test fails at the sandbox unit test.
Here is the relevant ninja test log bit:
$ ninja test
[0/1] Running all tests.
1/6 validate-desktop OK 0.02s
2/6 utils OK 0.02s
3/6 document OK 0.03s
4/6 types OK 0.02s
5/6 sandbox FAIL 0.21s exit status 1
>>> MALLOC_PERTURB_=176 /home/lambda/src/repos/zathura/build/tests/test_sandbox
―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― ✀ ―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
stdout:
Running suite(s): Sandbox
0%: Checks: 1, Failures: 0, Errors: 1
../tests/test_sandbox.c:11:E:basic:test_create:0: (after this point) Received signal 31 (Bad system call)
[...]
And relevant strace logs (obtained by using set sandbox strict in zathurarc; the second one was obtained after unblocking the first syscall):
$ strace ./zathura -c .
[...]
seccomp(SECCOMP_SET_MODE_FILTER, 0, 0x55b1a37840f0) = 0
futex(0x7f16b014b0b8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f16b014b0b8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f16b014b0b8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
gettimeofday(0x7ffc57ab2020, NULL) = 96
+++ killed by SIGSYS +++
fish: Job 1, 'strace ./zathura -c .' terminated by signal SIGSYS (Bad system call)
$ strace ./zathura -c .
[...]
futex(0x7f71259b30b8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x55588d69f340, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x7f71256f9ba0, FUTEX_WAIT_PRIVATE, 2, NULL) = -1 EAGAIN (Resource temporarily unavailable)
futex(0x7f71256f9ba0, FUTEX_WAKE_PRIVATE, 1) = 0
clock_gettime(CLOCK_MONOTONIC, 0x7ffe498ba660) = 228
+++ killed by SIGSYS +++
fish: Job 1, 'strace ./zathura -c .' terminated by signal SIGSYS (Bad system call)
I'll submit a pull request allowing the two syscalls shortly.
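The failure mode reported above can be reproduced in isolation. This is an added example, not zathura's sandbox code: it installs a kill-by-default seccomp allowlist in a child process and issues a raw clock_gettime. The function name and both allowlists are constructed for illustration and do not reflect zathura's actual strict filter.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <signal.h>
#include <time.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical helper: fork, install an allowlist filter in the child, then
 * make a raw clock_gettime call. Returns the fatal signal number, 0 if the
 * child exited cleanly, -1 on setup failure. */
int run_under_allowlist(const int *allowed, size_t n)
{
    struct sock_filter f[64];
    size_t i, k = 0;
    if (n > 60) return -1;
    /* A production filter must also check seccomp_data.arch; omitted here. */
    f[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) /* on a match, jump forward to the ALLOW return */
        f[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], (unsigned char)(n - i), 0);
    f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog prog = { .len = (unsigned short)k, .filter = f };

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct timespec ts;
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(2);
        syscall(SYS_clock_gettime, CLOCK_MONOTONIC, &ts); /* raw call, bypasses the vDSO */
        _exit(0);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    if (WIFSIGNALED(st)) return WTERMSIG(st);
    return WEXITSTATUS(st) == 0 ? 0 : -1;
}

int main(void)
{
    const int strict_like[] = { SYS_exit_group };  /* constructed: no time syscalls */
    const int patched[] = { SYS_exit_group, SYS_gettimeofday, SYS_clock_gettime };
    printf("strict-like: %d, patched: %d\n", run_under_allowlist(strict_like, 1), run_under_allowlist(patched, 3));
    return 0;
}
```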