sandbox incompatible with glibc 2.26 (openat() not handled for all our files)
If I enable the sandbox on my system, I get killed with:

```
(Sandbox) Caught a bad syscall attempt (syscall openat)
/usr/lib/x86_64-linux-gnu/libasan.so.4(+0x558c0)[0x7fb5203ab8c0]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x4e)[0x7fb51ec6667e]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x13150)[0x7fb51ec67150]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x4e)[0x7fb51ec6667e]
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6(evutil_open_closeonexec_+0x20)[0x7fb51fbb5540]
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6(evutil_read_file_+0x53)[0x7fb51fbb5603]
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6(evdns_base_load_hosts+0x8b)[0x7fb51fbc429b]
/home/dgoulet/Documents/git/tor/src/or/tor(+0x9f7adf)[0x55aa44446adf]
/home/dgoulet/Documents/git/tor/src/or/tor(do_main_loop+0x745)[0x55aa440f01d5]
/home/dgoulet/Documents/git/tor/src/or/tor(tor_run_main+0x1895)[0x55aa440f4065]
/home/dgoulet/Documents/git/tor/src/or/tor(tor_main+0x86)[0x55aa440e1fb6]
/home/dgoulet/Documents/git/tor/src/or/tor(main+0x1c)[0x55aa440df20c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7fb51db741c1]
/home/dgoulet/Documents/git/tor/src/or/tor(_start+0x2a)[0x55aa440e1c6a]
```

strace output:

```
19360 openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 257
19360 --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x7f7d90ab667e, si_syscall=__NR_openat, si_arch=AUDIT_ARCH_X86_64 ---}
```

It is the first file being opened _after_ the seccomp sandbox has been applied. Our sandbox code only considers "open()" to touch that file: `OPEN("/etc/hosts");`

My libc is 2.26. We probably need to handle the same files with `openat()` as we do with `open()` for this.
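The gap described in this report can be reproduced offline against strace output. The following is an added example, not part of the original report and not Tor's sandbox code: it uses a simplified, hypothetical model of a per-syscall path allowlist, and the names `OPEN_ONLY_RULES`, `mirror_open_rules` and `denied_calls` are assumptions made for illustration.

```python
import re

# Constructed strace sample: the first line is the call from the report,
# the other two are made up to exercise the other cases.
SAMPLE_STRACE = """\
19360 openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 257
19360 open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 5
19360 openat(7, "cached-certs", O_RDONLY) = 8
"""

# Hypothetical allowlist model: syscall name -> paths it may open.
# Only open() has rules, mirroring the situation in the report.
OPEN_ONLY_RULES = {"open": {"/etc/hosts", "/etc/resolv.conf"}}

# Optional pid, syscall name, optional dirfd argument, quoted path.
CALL_RE = re.compile(r'^\s*(?:\d+\s+)?(openat|open)\((?:([^,"]+),\s*)?"([^"]*)"')

def parse_calls(text):
    """Yield (syscall, dirfd, path) for every open()/openat() line."""
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def mirror_open_rules(rules):
    """Copy the rules and allow every open() path for openat() as well."""
    out = {name: set(paths) for name, paths in rules.items()}
    out.setdefault("openat", set()).update(rules.get("open", ()))
    return out

def denied_calls(text, rules):
    """Return the calls that the modelled allowlist would reject."""
    denied = []
    for name, dirfd, path in parse_calls(text):
        # A path rule cannot describe a relative path resolved against a
        # real directory fd, so the model rejects that form outright.
        relative_to_fd = (name == "openat" and dirfd != "AT_FDCWD"
                          and not path.startswith("/"))
        if relative_to_fd or path not in rules.get(name, set()):
            denied.append((name, dirfd, path))
    return denied

if __name__ == "__main__":
    print("open-only rules:", denied_calls(SAMPLE_STRACE, OPEN_ONLY_RULES))
    print("mirrored rules: ",
          denied_calls(SAMPLE_STRACE, mirror_open_rules(OPEN_ONLY_RULES)))
```

Running it over a trace captured before the sandbox is enabled lists the files that would need an `openat()` rule in addition to the existing `open()` one.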