GitLab

It looks like Torsocks whitelists calls that are allowed to be made via the glibc syscall() function, but unfortunately the whitelist is too restrictive. For example seccomp() is not permitted, and that results in the syscall being denied (new kernels use that rather than prctl() to enable sandboxes). This results in any program that uses a seccomp sandbox being unsandboxed when used in combination with Torsocks!

Ideally, gettimeofday() and clock_gettime() would also be whitelisted, because they are harmless and calling them as syscalls directly is a handy way to avoid them being used as vDSOs. The same goes with fork(), where calling it directly is a handy way to avoid having to use the glibc wrapper, which uses clone() instead.