Before we decide to use the pers flag for this, I want to understand personality more.
I added an additional
printf("Personality: %ld\n", personality(0xffffffff));
statement in the test case before you make the call
personality(0x08);

Before you explicitly set personality to 8 in the test, personality is always=0 whether you compile the test in 64bit or 32bit mode.
Is that the expected behavior? Can you not tell from personality if something was compiled in 32bit vs 64bit mode?

-debbie


Inactive hide details for Steve Grubb <sgrubb@redhat.com>Steve Grubb <sgrubb@redhat.com>


          Steve Grubb <sgrubb@redhat.com>
          Sent by: linux-audit-bounces@redhat.com

          03/08/2005 02:34 PM
          Please respond to
          Linux Audit Discussion

To

Linux Audit Discussion <linux-audit@redhat.com>

cc


Subject

Re: syscall filtering on personality

On Tuesday 08 March 2005 15:18, Debora Velarde wrote:
> So it looks like, if you add a syscall by name to auditctl, it always adds
> only the rule for the 64bit syscall number.

Actually, this should be the syscall number that auditctl was compiled with.

> Should auditctl add both?

I don't think so. How does it know what personalities you want to watch?

> Or  should auditctl use the pers flag to figure out which syscall number to
> add?

How about we make pers take a list? This could be implemented one of 2 ways.
auditctl can generate a rule for each personality. Or with some changes in
the kernel, we can make personality act more like a bit mask so that we don't
have to load as many rules in the kernel.

Userspace can generate a mask or separate rules. Any preferences?

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit