
#1 2020-06-03 19:18:50

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

file - Bad system call

When I run 'file' (/usr/bin/file), it throws an error: "Bad system call"

It happens when I run the command as my user or as root.

The following messages are logged in 'dmesg' when I run the command:

[  +0.000004] audit: type=1326 audit(1591210853.918:698): auid=1000 uid=0 gid=0 ses=2 pid=10736 comm="file" exe="/usr/bin/file" sig=31 arch=c000003e syscall=39 compat=0 ip=0x7f4e4a6cdb6b code=0x0
[  +0.000008] audit: type=1701 audit(1591210853.918:699): auid=1000 uid=0 gid=0 ses=2 pid=10736 comm="file" exe="/usr/bin/file" sig=31 res=1

I searched the bug reports and found the following: FS#65250 - [file] "Bad system call" when examining .tar.zst file with -z

In this bug it is specified that it's caused by 'seccomp'. I searched the wiki for seccomp and I couldn't find information about this.

Running 'strace file' does show some references to 'seccomp':

stat("/opt/eset/esets/sbin/esets_daemon", {st_mode=S_IFREG|0755, st_size=838632, ...}) = 0
stat("/opt/eset/esets/sbin/esets_daemon", {st_mode=S_IFREG|0755, st_size=838632, ...}) = 0
shmget(0x320189e3, 0, 000)              = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=3040432, ...}) = 0
mmap(NULL, 3040432, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f9b9e0eb000
close(3)                                = 0
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
prctl(PR_SET_DUMPABLE, SUID_DUMP_DISABLE) = 0
getpid()                                = 10904
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=53, filter=0x55c245aaa1f0}) = 0
stat("/home/root/.magic.mgc", 0x7ffdab251700) = -1 ENOENT (No such file or directory)
stat("/home/root/.magic", 0x7ffdab251700) = -1 ENOENT (No such file or directory)
getpid()                                = ?
+++ killed by SIGSYS +++
Bad system call (core dumped)

I didn't install firejail, bubblewrap or apparmor. The only security software I installed are firewalld and ESET NOD 32. I tried to stop NOD32, but I still get the same error.

I use the default kernel. By default I mean it's not the hardened kernel.

Where can I find more information on seccomp? The output of 'strace' seems to indicate that something is being filtered.

Offline
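An added example, not part of the original post: a small Python decoder for the two dmesg audit records quoted above, resolving the numeric arch, syscall, signal and seccomp action fields into names. The function names are hypothetical, the syscall table is a subset limited to calls visible in the strace output, and the sample text is constructed from the two log lines in the post.

```python
import re

# Constructed from the two dmesg lines quoted in the post above.
SAMPLE = '''\
[  +0.000004] audit: type=1326 audit(1591210853.918:698): auid=1000 uid=0 gid=0 ses=2 pid=10736 comm="file" exe="/usr/bin/file" sig=31 arch=c000003e syscall=39 compat=0 ip=0x7f4e4a6cdb6b code=0x0
[  +0.000008] audit: type=1701 audit(1591210853.918:699): auid=1000 uid=0 gid=0 ses=2 pid=10736 comm="file" exe="/usr/bin/file" sig=31 res=1
'''

AUDIT_SECCOMP, AUDIT_ANOM_ABEND = 1326, 1701  # audit record types
ARCHES = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64"}
# Subset of the x86_64 syscall table (only calls seen in the strace above).
SYSCALLS_X86_64 = {0: "read", 3: "close", 4: "stat", 5: "fstat", 9: "mmap",
                   10: "mprotect", 29: "shmget", 39: "getpid", 157: "prctl",
                   257: "openat", 317: "seccomp"}
# SECCOMP_RET_* action values from <linux/seccomp.h>.
ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD",
           0x00030000: "TRAP", 0x00050000: "ERRNO", 0x7FFC0000: "LOG"}
SIGNALS = {31: "SIGSYS"}  # x86_64 signal numbering

RECORD = re.compile(r"type=(\d+) audit\(([\d.]+):(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit line into a dict of its key=value fields."""
    m = RECORD.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
    rec.update(type=int(m.group(1)), serial=int(m.group(3)))
    return rec

def decode_seccomp(rec):
    """Translate the numeric fields of a type=1326 record into names."""
    arch, nr, code = int(rec["arch"], 16), int(rec["syscall"]), int(rec["code"], 16)
    table = SYSCALLS_X86_64 if arch == 0xC000003E else {}
    return {"exe": rec["exe"], "pid": int(rec["pid"]),
            "arch": ARCHES.get(arch, hex(arch)),
            "syscall": table.get(nr, f"#{nr}"),
            "signal": SIGNALS.get(int(rec["sig"]), rec["sig"]),
            "action": ACTIONS.get(code & 0xFFFF0000, hex(code))}

def seccomp_kills(text):
    """Return decoded seccomp records, flagged if the same pid also aborted."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    aborted = {r["pid"] for r in recs if r["type"] == AUDIT_ANOM_ABEND}
    return [dict(decode_seccomp(r), aborted=r["pid"] in aborted)
            for r in recs if r["type"] == AUDIT_SECCOMP]
```

On the sample, the record decodes to syscall 39 on x86_64, which is getpid, matching the last call strace shows before "killed by SIGSYS".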

#2 2020-06-03 19:44:43

seth
Member
Registered: 2012-09-03
Posts: 51,905

Re: file - Bad system call

I tried to stop NOD32

Does the strace still refer to it despite your efforts?

Offline

#3 2020-06-03 20:03:47

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

Re: file - Bad system call

I tried to stop ESET but it was still showing in 'strace'. I masked the service (systemctl mask esets) and rebooted. ESET was still showing in strace.

At that point I was able to run 'file' if I was using the --no-sandbox option.

Then I uninstalled NOD32. 'file' executes normally even without the --no-sandbox option.

I ran strace again. seccomp still appears. However, the 'SECCOMP_SET_MODE_FILTER' call is different:

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
prctl(PR_SET_DUMPABLE, SUID_DUMP_DISABLE) = 0
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, 0x55d5274f7b60) = 0
stat(0x55d5274fb6b0, 0x7ffcdf09ec80)    = -1 ENOENT (No such file or directory)
stat(0x55d5274fb6b0, 0x7ffcdf09ec80)    = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, 0x55d5274f9840, O_RDONLY) = 3
fstat(3, 0x7ffcdf09ed60)                = 0
mmap(NULL, 5818072, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) = 0x7f754c453000
close(3)                                = 0
mprotect(0x7f754c453000, 5818072, PROT_READ) = 0

With NOD32 installed, SECCOMP_SET_MODE_FILTER:

seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=53, filter=0x55c245aaa1f0}) = 0

Without NOD32 installed, SECCOMP_SET_MODE_FILTER:

seccomp(SECCOMP_SET_MODE_FILTER, 0, 0x55d5274f7b60) = 0

It looks like some form of sandboxing is enabled when NOD32 is installed. I'll investigate the ESET side to understand why it's happening and if it's possible to configure this behavior.

Offline

#4 2020-06-03 20:10:07

loqs
Member
Registered: 2014-03-06
Posts: 17,493

Re: file - Bad system call

file using the seccomp sandbox is intended.  eset preloading something into the file binary which changes the set of system calls file uses and triggering seccomp to detect the unexpected syscall is the issue.

Offline

#5 2020-06-03 20:38:10

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

Re: file - Bad system call

loqs wrote:

file using the seccomp sandbox is intended.  eset preloading something into the file binary which changes the set of system calls file uses and triggering seccomp to detect the unexpected syscall is the issue.

Thanks for the info. I already opened a ticket with ESET. I hope they won't bother too much about the fact that it's Arch (it's not in the list of supported distros).

Offline

#6 2020-06-03 20:46:21

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: file - Bad system call

I hope they do fix it. Debian is probably a supported distro, and Debian had a seccomp-enabled file program for a while.

They've temporarily disabled it due to https://bugs.debian.org/cgi-bin/bugrepo … bug=932762 but the intention is, I'm pretty sure, to re-enable it at some point.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#7 2020-06-17 16:56:54

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

Re: file - Bad system call

I got an update on my support ticket with eset. I don't have a solution yet, but they wrote that the development team had a look and the issue is mostly related to eset. They will let me know when the bug is fixed. Let's see how it goes.

Offline
