FS#65250 - [file] "Bad system call" when examining .tar.zst file with -z

Attached to Project: Arch Linux
Opened by Luca Weiss (z3ntu) - Thursday, 23 January 2020, 21:56 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 23 January 2020, 22:02 GMT
Task Type: Bug Report
Category: Packages: Testing
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


Running the command "file -z /var/cache/pacman/pkg/*.pkg.tar.zst" results in "Bad system call" being printed.

-z, --uncompress
Try to look inside compressed files.

Looking at the dmesg, there are messages from audit that say that the syscall with id 22 is blocked, which is 'pipe'. Allowing that syscall in src/seccomp.c makes another syscall appear in the dmesg, shmctl, then vfork. I'm now at execve and wait4 but have given up as it seems to be a bigger problem than just one syscall.

Additional info:
* file 5.38-1

Steps to reproduce:
Run "file -z" on any .zst file (tested only with pacman .pkg.tar.zst for now)

Closed by Eli Schwartz (eschwartz)
Thursday, 23 January 2020, 22:02 GMT
Reason for closing: Not a bug
Additional comments about closing: Working as intended.
Comment by Eli Schwartz (eschwartz) - Thursday, 23 January 2020, 22:01 GMT
Since you've successfully tracked down the problem as being "because seccomp doesn't allow it", you must know that the -S, --no-sandbox option can disable this.

Given the problem is seccomp, a security sandbox, I think it's plenty obvious why execve is blocked. Security is more important than usability, so if you actually need -z, you should generally also use -S...
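
The triage described in the report (reading the seccomp audit records in dmesg and turning syscall numbers into names) can be scripted. The following is an added example, not part of the original report or of file's own code: the function names are hypothetical, the dmesg lines are constructed and trimmed to the fields used, and the syscall table covers only the five x86_64 calls named in the report.

```python
import re

# x86_64 numbers for the syscalls named in the report (deliberately not a full table).
X86_64_SYSCALLS = {22: "pipe", 31: "shmctl", 58: "vfork", 59: "execve", 61: "wait4"}
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_SECCOMP = 1326   # audit record type emitted for a seccomp action
SIGSYS = 31            # delivered on a seccomp kill; shells print "Bad system call"

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: five hits from file(1), one unrelated kernel line,
# and one record from a 32-bit process where number 22 is NOT pipe.
SAMPLE_DMESG = """\
[ 100.5] EXT4-fs (sda1): mounted filesystem
[ 101.0] audit: type=1326 audit(1579816500.101:201): pid=4101 comm="file" exe="/usr/bin/file" sig=31 arch=c000003e syscall=22 compat=0 ip=0x7f0000001000 code=0x0
[ 160.0] audit: type=1326 audit(1579816560.102:202): pid=4155 comm="file" exe="/usr/bin/file" sig=31 arch=c000003e syscall=31 compat=0 ip=0x7f0000001000 code=0x0
[ 220.0] audit: type=1326 audit(1579816620.103:203): pid=4203 comm="file" exe="/usr/bin/file" sig=31 arch=c000003e syscall=58 compat=0 ip=0x7f0000001000 code=0x0
[ 280.0] audit: type=1326 audit(1579816680.104:204): pid=4250 comm="file" exe="/usr/bin/file" sig=31 arch=c000003e syscall=59 compat=0 ip=0x7f0000001000 code=0x0
[ 340.0] audit: type=1326 audit(1579816740.105:205): pid=4249 comm="file" exe="/usr/bin/file" sig=31 arch=c000003e syscall=61 compat=0 ip=0x7f0000001000 code=0x0
[ 400.0] audit: type=1326 audit(1579816800.106:206): pid=4300 comm="demo32" exe="/opt/demo32" sig=31 arch=40000003 syscall=22 compat=1 ip=0xf7000000 code=0x0
"""

def parse_seccomp_records(text):
    """Yield one dict per seccomp audit record found in dmesg or journal text."""
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") not in (str(AUDIT_SECCOMP), "SECCOMP"):
            continue
        nr, arch = int(fields["syscall"]), int(fields["arch"], 16)
        # Syscall numbers are per-architecture: only name one after checking arch.
        name = X86_64_SYSCALLS.get(nr) if arch == AUDIT_ARCH_X86_64 else None
        yield {"exe": fields.get("exe", "?"), "pid": int(fields["pid"]),
               "syscall": nr, "name": name or f"nr {nr} (arch {arch:#x})",
               "killed": int(fields.get("sig", 0)) == SIGSYS}

def blocked_by_exe(text):
    """Map each executable to the syscalls its sandbox rejected, in first-seen order."""
    out = {}
    for rec in parse_seccomp_records(text):
        names = out.setdefault(rec["exe"], [])
        if rec["name"] not in names:
            names.append(rec["name"])
    return out
```

A per-executable list that ends in vfork, execve and wait4 shows the process trying to spawn a helper program, which is the behaviour the sandbox exists to prevent.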