I tried to debug this, but it's not easy. Things happen very early in
glibc initialization, too quickly after fork for strace to show. After looking
at the changes in glibc, the reason why mprotect(2) seems easy, I also filed a
pull request to add it to @default filter in systemd. setsid is called from the
daemonization code, but I'm not sure why it didn't cause an issue earlier. Either
new syscalls are called, or something changed in error handling…

The sandbox is designed to allow standard select&paste operation on
the text console. More fancy uses of gpm are unlikely to work, but
that's on purpose: the only thing that people should be using gpm for
is the occasional text copying when they land in rescue mode.

This serves as an alternative to [1]. The replacement policy is probably
stricter in some regards, while less strict in others… But I think it's
much less magic and should be easier to maintain.

[1] https://src.fedoraproject.org/rpms/gpm/pull-request/4