Removing time-reading syscalls from @clock group.

It stops several networked programs such as firefox, or any other
program that tries to access the time. For example:
firejail sleep 10

src/lib/syscall.c

@@ -6,7 +6,7 @@
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
+ * (at your option) any later version.1
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -256,36 +256,36 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_clock_getres
 	  "clock_getres,"
 #endif
-#ifdef SYS_clock_getres_time64
-	  "clock_getres_time64,"
-#endif
-#ifdef SYS_clock_gettime
-	  "clock_gettime,"
-#endif
-#ifdef SYS_clock_gettime64
-	  "clock_gettime64,"
-#endif
-#ifdef SYS_clock_nanosleep
-	  "clock_nanosleep,"
-#endif
-#ifdef SYS_clock_nanosleep_time64
-	  "clock_nanosleep_time64,"
-#endif
+	  //groupfix: #ifdef SYS_clock_getres_time64
+	  //groupfix: 	  "clock_getres_time64,"
+	  //groupfix: #endif
+	  //groupfix: #ifdef SYS_clock_gettime
+	  //groupfix: 	  "clock_gettime,"
+	  //groupfix: #endif
+	  //groupfix: #ifdef SYS_clock_gettime64
+	  //groupfix: 	  "clock_gettime64,"
+	  //groupfix: #endif
+	  //groupfix: #ifdef SYS_clock_nanosleep
+	  //groupfix: 	  "clock_nanosleep,"
+	  //groupfix: #endif
+	  //groupfix: #ifdef SYS_clock_nanosleep_time64
+	  //groupfix: 	  "clock_nanosleep_time64,"
+	  //groupfix: #endif
 #ifdef SYS_clock_settime
 	  "clock_settime,"
 #endif
 #ifdef SYS_clock_settime64
 	  "clock_settime64,"
 #endif
-#ifdef SYS_gettimeofday
-	  "gettimeofday,"
-#endif
+	  //groupfix: #ifdef SYS_gettimeofday
+	  //groupfix: 	  "gettimeofday,"
+	  //groupfix: #endif
 #ifdef SYS_old_adjtimex
 	  "old_adjtimex,"
 #endif
-#ifdef SYS_osf_gettimeofday
-	  "osf_gettimeofday,"
-#endif
+	  //groupfix: #ifdef SYS_osf_gettimeofday
+	  //groupfix: 	  "osf_gettimeofday,"
+	  //groupfix: #endif
 #ifdef SYS_osf_settimeofday
 	  "osf_settimeofday,"
 #endif
@@ -295,9 +295,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_stime
 	  "stime,"
 #endif
-#ifdef SYS_time
-	  "time"
-#endif
+	  //groupfix: #ifdef SYS_time
+	  //groupfix: 	  "time"
+	  //groupfix: #endif
 	},
 	{ .name = "@cpu-emulation", .list =
 #ifdef SYS_modify_ldt

test/apps/apps.sh

@@ -2,15 +2,42 @@
 # This file is part of Firejail project
 # Copyright (C) 2014-2026 Firejail Authors
 # License GPL v2
-
+#
+# quic test for several applications
+#
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 
-apps=(firefox qbittorrent firefox-xephyr galculator libreoffice firefox-xorg lowriter \
-     xterm x11-none xterm-xorg xterm-xephyr xterm-xpra firefox-xpra)
+# keeping sudo avaliable
+sudo ls
 
+# console apps
+apps=(ping dig wget)
 for app in "${apps[@]}"; do
+	if command -v "$app"
+	then
+		echo "TESTING: $app"
+		./$app.exp
+	else
+		echo "TESTING SKIP: $app not found"
+	fi
+done
+rm -f index.html
+rm wget-log*
+sudo ls
+
+# testing seccomp @clock group
+echo "TESTING: seccomp @clock group (test/apps/seccomp-clock.exp)"
+./seccomp-clock.exp
+
+# X11 apps
+x11apps=(firefox qbittorrent firefox-xephyr galculator libreoffice firefox-xorg \
+		 lowriter gimp inkscape \
+		 xterm x11-none xterm-xorg xterm-xephyr xterm-xpra firefox-xpra)
+
+for app in "${x11apps[@]}"; do
+	sudo ls
 	if file -v "$app".exp
 	then
 		echo "TESTING: $app (test/apps/$app.exp)"

test/apps/dig.exp

@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --ignore=quiet dig cloudflare.com\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Reading profile /etc/firejail/dig.profile"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "ANSWER SECTION"
+}
+after 100
+puts "\nall done\n"

test/apps/gimp.exp

@@ -0,0 +1,45 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gimp\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Reading profile /etc/firejail/gimp.profile"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 5
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+	timeout {puts "TESTING ERROR 2\n";exit}
+	"firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	"gimp"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"gimp"
+}
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	"Seccomp:	2"
+}
+after 100
+
+puts "\nall done\n"

test/apps/inkscape.exp

@@ -0,0 +1,45 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --ignore=quiet inkscape\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Reading profile /etc/firejail/inkscape.profile"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 5
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+	timeout {puts "TESTING ERROR 2\n";exit}
+	"firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	"inkscape"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"inkscape"
+}
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	"Seccomp:	2"
+}
+after 100
+
+puts "\nall done\n"

test/apps/ping.exp

@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --ignore=quiet ping -c 5 1.1.1.1\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Reading profile /etc/firejail/ping.profile"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "64 bytes from"
+}
+sleep 5
+puts "\nall done\n"

test/apps/seccomp-clock.exp

@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --ignore=quiet sleep 5\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Reading profile /etc/firejail/default.profile"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Operation not permitted" {puts "TESTING ERROR 3\n";exit}
+	"Parent is shutting down"
+}
+after 100
+puts "\nall done\n"

test/apps/wget.exp

@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --ignore=quiet wget cloudflare.com\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Reading profile /etc/firejail/wget.profile"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "Saving to"
+}
+after 100
+puts "\nall done\n"