It looks like Torsocks whitelists calls that are allowed to be made via the glibc `syscall()` function, but unfortunately the whitelist is too restrictive. For example `seccomp()` is not permitted, and that results in the syscall being denied (new kernels use that rather than `prctl()` to enable sandboxes). This results in any program that uses a seccomp sandbox being unsandboxed when used in combination with Torsocks! Ideally, `gettimeofday()` and `clock_gettime()` would also be whitelisted, because they are harmless and calling them as syscalls directly is a handy way to avoid them being used as vDSOs. The same goes with `fork()`, where calling it directly is a handy way to avoid having to use the glibc wrapper, which uses `clone()` instead.