On Friday, October 18, 2019 10:38:08 AM EDT Evelyn Mitchell wrote:
 For my own learning, I'm trying to understand what personality=40000 means.
 
 In looking at /uapi/linux/personality.h where the
 personality types are defined, and manually converting 40000 to hex
 0x9C40, it looks to me like the personality is set to enable:
 ADDR_LIMIT_3GB =        0x8000000
 SHORT_INODE =           0x1000000
 ADDR_LIMIT_32BIT =      0x0800000
 READ_IMPLIES_EXEC =     0x0400000
 ADDR_COMPAT_LAYOUT =    0x0200000
 MMAP_PAGE_ZERO =        0x0100000
 ADDR_NO_RANDOMIZE =     0x0040000
 
 But, this looks unreasonable to me as a set of flags someone would
 deliberately pick, so I thought I'd ask if I'm interpreting this
 correctly. 
I think so. The executable is gdb. It needs to disable ASLR so that it can
reliably map the symbols to addresses.
-Steve
 > You may never have seen it before because it appears you now have a
 > personality other than PER_LINUX for this event.  32-bit binary on 64
 > bit?  I assume your arch is x86 64 (LE)?
 > 
 > > type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
 > > *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc
 > > a3=7f483b98bcc0
 > > items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000
 > > suid=1000
 > > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
 > > exe="/usr/bin/gdb" key=(null)
 > 
 > - RGB
 > 
 > --
 > Richard Guy Briggs <rgb(a)redhat.com>
 > Sr. S/W Engineer, Kernel Security, Base Operating Systems
 > Remote, Ottawa, Red Hat Canada
 > IRC: rgb, SunRaycer
 > Voice: +1.647.777.2635, Internal: (81) 32635
 > 
 
 --
 Linux-audit mailing list
 Linux-audit(a)redhat.com
 
https://www.redhat.com/mailman/listinfo/linux-audit
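
Added example, not part of the original thread or of the audit project's code: decoding the `per=` field of the SYSCALL record quoted above. The kernel prints the field in hexadecimal, so the value is parsed as hex and matched against the flag bits in `uapi/linux/personality.h`. The helper names `decode_per` and `aslr_disabled` are hypothetical, and the sample record is the one from the thread with its wrapped lines rejoined.

```python
import re

# Flag bits from include/uapi/linux/personality.h (values above the low byte).
FLAGS = {
    0x0020000: "UNAME26",
    0x0040000: "ADDR_NO_RANDOMIZE",
    0x0080000: "FDPIC_FUNCPTRS",
    0x0100000: "MMAP_PAGE_ZERO",
    0x0200000: "ADDR_COMPAT_LAYOUT",
    0x0400000: "READ_IMPLIES_EXEC",
    0x0800000: "ADDR_LIMIT_32BIT",
    0x1000000: "SHORT_INODE",
    0x2000000: "WHOLE_SECONDS",
    0x4000000: "STICKY_TIMEOUTS",
    0x8000000: "ADDR_LIMIT_3GB",
}
PER_MASK = 0x00FF  # low byte: base personality, PER_LINUX is 0

# The SYSCALL record quoted in the thread, rejoined, emphasis asterisks removed.
RECORD = (
    "type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3 "
    "per=40000 success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0 "
    "items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 "
    "suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 "
    'comm="gdb" exe="/usr/bin/gdb" key=(null)'
)

def decode_per(record):
    """Hypothetical helper: split a record's per= value into base, flags, unknown bits."""
    m = re.search(r"(?<!\S)per=([0-9a-fA-F]+)(?!\S)", record)
    if m is None:
        # The kernel leaves per= out when the personality is plain PER_LINUX.
        return {"raw": 0, "base": 0, "flags": [], "unknown": 0}
    raw = int(m.group(1), 16)  # the field is hexadecimal, not decimal
    flags = [name for bit, name in sorted(FLAGS.items()) if raw & bit]
    known = PER_MASK | sum(FLAGS)  # flag bits are disjoint, so sum equals OR
    return {"raw": raw, "base": raw & PER_MASK, "flags": flags, "unknown": raw & ~known}

def aslr_disabled(record):
    """True when the record's personality carries ADDR_NO_RANDOMIZE."""
    return "ADDR_NO_RANDOMIZE" in decode_per(record)["flags"]

if __name__ == "__main__":
    print(decode_per(RECORD), aslr_disabled(RECORD))
```

On an installed system, `ausearch -i` performs the same interpretation of the field.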