Skip to content

fix(sandbox): avoid faccessat2 for Termux/Android + build docs#519

Closed
PatrickNoFilter wants to merge 11 commits into
Gitlawb:mainfrom
PatrickNoFilter:fix/termux-keyboard-sandbox-docs
Closed

fix(sandbox): avoid faccessat2 for Termux/Android + build docs#519
PatrickNoFilter wants to merge 11 commits into
Gitlawb:mainfrom
PatrickNoFilter:fix/termux-keyboard-sandbox-docs

Conversation

@PatrickNoFilter

@PatrickNoFilter PatrickNoFilter commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

Two independent fixes for Termux/Android support, split from PR #509 per maintainer request.

1. Sandbox: avoid faccessat2 syscall

Replace exec.LookPath with a lookupExecutable helper using os.Stat instead of the faccessat2 syscall (syscall 439). This syscall is blocked by Samsung's seccomp filter on Android, causing SIGSYS termination. os.Stat uses newfstatat/statx which are universally permitted.

Also adds:

  • isExecutable() for cross-platform executable detection (Unix permission bits + Windows .exe/.com/.bat/.cmd)
  • Empty PATH segment skipping (e.g. trailing colon)

2. Termux build documentation

Added a ### Termux (Android) section to docs/INSTALL.md covering:

  • Building with GOOS=android to avoid SIGSYS (Go 1.26+ stdlib fix)
  • DNS resolution via proot bind-mount for /etc/resolv.conf
  • Free-tier provider setup (OpenCode Zen)

Commits

  • 6f3bf63 fix(sandbox): avoid faccessat2 for Termux/Android portability
  • 1f54bd6 docs(install): add Termux/Android build and configuration guide
  • d579d33 fix(sandbox): skip empty PATH segments, use platform-aware executable check

Ref #505

Summary by CodeRabbit

  • New Features

    • Added Android/Termux installation guidance, including build, DNS, and usage notes.
    • Improved terminal navigation with new keyboard shortcuts for scrolling and moving through prompts.
    • Adjusted mouse interaction to work better in Termux/Android environments.
  • Bug Fixes

    • Improved detection of executable helpers on different platforms.
    • Added support for additional prompt navigation behaviors and edge cases.
  • Chores

    • Updated ignore rules for Termux/Android build artifacts.
    • Expanded test coverage for keyboard and environment-specific behavior.

- mouseModeForTermEnv(): detect Termux/PRoot/Android env → use CellMotion
  (CellMotion is reliable through PRoot unlike AllMotion/1003 tracking)
- Add Ctrl+U/D half-page scroll keys (Termux-friendly, no PgUp/PgDn needed)
- Add Shift+Up/Down line scroll keys
- Update keybinding help overlay with new shortcuts
- Add focused-surface guards to Ctrl+U/D and Shift+Up/Down scroll keys
  (pendingPermission, pendingAskUser, providerWizard, mcpAddWizard,
   mcpManager, picker, suggestionsActive)
- Remove unreliable PROOT_CWD and CONTAINER from Termux detection;
  use only TERMUX_VERSION, PREFIX, and ANDROID_ROOT
…tion

- Move Ctrl+U/D and Shift+Up/Down scroll key cases to after KeyDown and
  KeyUp focused-surface handlers in the inner switch, using
  return-through-handler pattern instead of break.
- Fix PREFIX detection to check for /data/data/com.termux/files/usr prefix
  instead of any non-empty PREFIX env var.
- Add strings import to mouse.go for strings.HasPrefix.
…itignore

- Move Shift+Up/Shift+Down before plain KeyUp/KeyDown so shifted-arrow
  shortcuts are reachable (were swallowed by plain-arrow keyIs match)
- Swap Ctrl+U/Ctrl+D deltas for permission and ask-user focused prompts:
  Ctrl+U (up) now moves cursor UP (-1), Ctrl+D (down) moves DOWN (+1)
- Add TestPermissionCursorCtrlU/D and TestAskUserCursorCtrlU/D
  regression tests verifying the direction fix
- Remove unrelated zero-linux-sandbox entry from .gitignore
- Add composer-empty guard to Shift+Up/Down before scrollChat so
  shifted arrows navigate multiline text instead of scrolling
- Add TestShiftUp/DownWithComposerDoesNotScroll regression tests
- Add mouseModeForTermEnv tests: default/desktop, TERMUX_VERSION,
  PREFIX (Termux and unrelated), ANDROID_ROOT (/system and unrelated),
  and all Termux signals combined — each with per-test env cleanup
…t setup

- transcriptScrollOffset -> chatScrollOffset (actual field name)
- int != comparison instead of nonexistent .Equal()
- AltScreen: true + width/height + transcript rows so tests actually
  exercise the scroll path and would catch the guard regression
Replace exec.LookPath with lookupExecutable that uses os.Stat
instead of the faccessat2 syscall. The faccessat2 syscall (439)
is blocked by the Samsung seccomp filter on Android, causing
SIGSYS termination. os.Stat uses the newfstatat/statx syscalls
which are universally permitted.

This is part of broader Termux/Android support for Zero.
Document how to build Zero for native Android/Termux: GOOS=android
to avoid the SIGSYS crash, proot bind-mount for DNS resolution,
PRoot scroll fix, and free-tier provider setup.
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Adds Termux/Android build support (ignore entries, install docs, environment-aware mouse mode), replaces exec.LookPath with a custom executable lookup in sandbox backend selection, and introduces Shift+Up/Down and Ctrl+U/Ctrl+D scrolling and cursor navigation across TUI components with accompanying tests.

Changes

Termux/Android support

Layer / File(s) Summary
Ignore rules and install docs
.gitignore, docs/INSTALL.md
Adds Termux/Android build artifact ignore entries and a new "Termux (Android)" install section covering GOOS=android builds, DNS via proot, a wrapper script, and mouse-behavior notes.
Environment-aware mouse mode
internal/tui/mouse.go, internal/tui/mouse_test.go, internal/tui/model.go
Adds mouseModeForTermEnv() detecting TERMUX_VERSION/PREFIX/ANDROID_ROOT, wires it into model construction and View, replacing hardcoded tea.MouseModeAllMotion, with new tests.
Executable lookup rework
internal/sandbox/manager.go
Replaces exec.LookPath with new isExecutable/lookupExecutable helpers using $PATH and os.Stat for platform backend discovery.

TUI keyboard scrolling

Layer / File(s) Summary
Transcript scrolling handlers
internal/tui/model.go, internal/tui/keybinding_help.go
Adds Shift+Up/Down line scrolling and Ctrl+U/Ctrl+D half-page scrolling with modal/composer gating; updates keybinding help label glyph.
Cursor and gating tests
internal/tui/ask_user_test.go, internal/tui/permission_prompt_test.go
Adds tests for Ctrl+U/Ctrl+D cursor movement in ask-user and permission prompts, and verifies Shift+Up/Down don't scroll when composer has input.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • Gitlawb/zero#127: Touches the same ask_user modal navigation logic in internal/tui/model.go and internal/tui/ask_user_test.go.
  • Gitlawb/zero#158: Both modify internal/tui/model.go's Update/input handling and rendering behavior.
  • Gitlawb/zero#232: Both target the permission prompt's cursor-based option selection behavior.

Suggested reviewers: gnanam1990

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the sandbox syscall fix and the Termux/Android build documentation updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
internal/tui/permission_prompt_test.go (1)

333-376: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Strengthen composer-guard tests to confirm the key actually reaches the input field.

Both tests only assert the transcript doesn't scroll and no command is returned, but don't verify the key was actually forwarded to m.input for multiline navigation (e.g., input cursor line/position change). As written, a bug that simply swallows the key entirely (does nothing) would also pass these assertions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/tui/permission_prompt_test.go` around lines 333 - 376, The
composer-guard tests in TestShiftUpWithComposerDoesNotScroll and
TestShiftDownWithComposerDoesNotScroll only check that chatScrollOffset stays
unchanged and cmd is nil, so a bug that drops the key entirely would still pass.
Update both tests to also assert the Shift+Up/Shift+Down key is forwarded into
m.input for multiline navigation by checking an input state change such as
cursor position/line movement after m.Update(testKeyShift(...)). Use the
existing model and input symbols (m.Update, m.input, chatScrollOffset) to verify
the key reaches the composer rather than being swallowed.
internal/sandbox/manager.go (1)

125-169: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

No unit tests for the new lookup helpers.

isExecutable/lookupExecutable are new, non-trivial cross-platform logic (permission bits, extension checks, PATH parsing, empty-segment skipping) but aren't covered by tests in this diff. internal/sandbox/manager_test.go already exists as the natural place for this coverage. Want me to draft table-driven tests for both functions?

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/sandbox/manager.go` around lines 125 - 169, The new helper logic in
isExecutable and lookupExecutable is not covered by tests, so add table-driven
cases in internal/sandbox/manager_test.go for Unix permissions, Windows-style
executable extensions, PATH scanning, empty PATH segment skipping, and
direct-path checks. Use the isExecutable and lookupExecutable symbols to verify
regular files vs non-regular files, executable vs non-executable modes, and
ensure lookupExecutable returns the expected path or error for both PATH-based
and explicit-file lookups.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/INSTALL.md`:
- Around line 195-198: Reword the GOOS=android note in the INSTALL docs so it
does not imply the workaround only starts with Go 1.26+; the issue is the
version claim, and the fix is to state that Termux/Android builds require
GOOS=android because it makes os/exec.findExecutable avoid faccessat2 on Android
and fall back to permission-bit checks, regardless of toolchain version. Keep
the explanation tied to the Android/GOOS=android behavior and remove the
misleading version-specific wording.

---

Nitpick comments:
In `@internal/sandbox/manager.go`:
- Around line 125-169: The new helper logic in isExecutable and lookupExecutable
is not covered by tests, so add table-driven cases in
internal/sandbox/manager_test.go for Unix permissions, Windows-style executable
extensions, PATH scanning, empty PATH segment skipping, and direct-path checks.
Use the isExecutable and lookupExecutable symbols to verify regular files vs
non-regular files, executable vs non-executable modes, and ensure
lookupExecutable returns the expected path or error for both PATH-based and
explicit-file lookups.

In `@internal/tui/permission_prompt_test.go`:
- Around line 333-376: The composer-guard tests in
TestShiftUpWithComposerDoesNotScroll and TestShiftDownWithComposerDoesNotScroll
only check that chatScrollOffset stays unchanged and cmd is nil, so a bug that
drops the key entirely would still pass. Update both tests to also assert the
Shift+Up/Shift+Down key is forwarded into m.input for multiline navigation by
checking an input state change such as cursor position/line movement after
m.Update(testKeyShift(...)). Use the existing model and input symbols (m.Update,
m.input, chatScrollOffset) to verify the key reaches the composer rather than
being swallowed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 04d7d66e-6540-453d-85f0-272007e663d3

📥 Commits

Reviewing files that changed from the base of the PR and between 0f69d99 and d579d33.

📒 Files selected for processing (9)
  • .gitignore
  • docs/INSTALL.md
  • internal/sandbox/manager.go
  • internal/tui/ask_user_test.go
  • internal/tui/keybinding_help.go
  • internal/tui/model.go
  • internal/tui/mouse.go
  • internal/tui/mouse_test.go
  • internal/tui/permission_prompt_test.go

Comment thread docs/INSTALL.md
Comment on lines +195 to +198
> **Why `GOOS=android`?** Go 1.26+ detects `runtime.GOOS == "android"` and skips
> the `faccessat2` syscall inside `os/exec.findExecutable`, falling back to
> permission-bit checks. Without this flag, Android's seccomp sends SIGSYS and
> kills the process whenever Zero looks up a binary on `PATH` (git, sh, etc.).

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

When was the runtime.GOOS == "android" check added to syscall.Faccessat in the Go standard library to skip faccessat2?

💡 Result:

The check runtime.GOOS != "android" was added to syscall.Faccessat in the Go standard library to skip faccessat2 as part of the commit titled "syscall: don't use faccessat2 on android" [1]. This change was submitted and reviewed on December 20, 2022 (Change-Id: I8d4e12a6f46cea5642d3b5b5a02c682529882f29) [1] and subsequently merged into the Go source tree [2]. The modification was implemented to address issue #57393 [3], as the Android seccomp policy does not allow the faccessat2 system call, which previously caused programs to crash with a SIGSYS signal when attempting to use it [1][2]. By checking the operating system and excluding Android, the library avoids faccessat2 on that platform and falls back to the standard faccessat syscall [1].

Citations:


Go 1.26+ is misleading — the Android faccessat2 skip has existed since 2022, so GOOS=android works on older Go toolchains too. Reword this to say the flag is required for Termux/Android builds without implying the workaround starts at Go 1.26.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/INSTALL.md` around lines 195 - 198, Reword the GOOS=android note in the
INSTALL docs so it does not imply the workaround only starts with Go 1.26+; the
issue is the version claim, and the fix is to state that Termux/Android builds
require GOOS=android because it makes os/exec.findExecutable avoid faccessat2 on
Android and fall back to permission-bit checks, regardless of toolchain version.
Keep the explanation tied to the Android/GOOS=android behavior and remove the
misleading version-specific wording.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant