From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: New field seen in audit.log
Date: Fri, 18 Oct 2019 10:56:09 -0400
Message-ID: <2506810.HO3NYBUXJ5@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: Evelyn Mitchell
List-Id: linux-audit@redhat.com

On Friday, October 18, 2019 10:38:08 AM EDT Evelyn Mitchell wrote:
> For my own learning, I'm trying to understand what personality=40000 means.
>
> In looking at /uapi/linux/personality.h  where the
> personality types are defined, and manually converting 40000 to hex
> 0x9C40, it looks to me like the personality is set to enable:
> ADDR_LIMIT_3GB = 0x8000000
> SHORT_INODE = 0x1000000
> ADDR_LIMIT_32BIT = 0x0800000
> READ_IMPLIES_EXEC = 0x0400000
> ADDR_COMPAT_LAYOUT = 0x0200000
> MMAP_PAGE_ZERO = 0x0100000
> ADDR_NO_RANDOMIZE = 0x0040000
>
> But, this looks unreasonable to me as a set of flags someone would
> deliberately pick, so I thought I'd ask if I'm interpreting this
> correctly.

I think so. The executable is gdb. It needs to disable ASLR so that it can
reliably map the symbols to addresses.

-Steve

> > You may never have seen it before because it appears you now have a
> > personality other than PER_LINUX for this event. 32-bit binary on 64
> > bit? I assume your arch is x86 64 (LE)?
> >
> > > type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> > > *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc
> > > a3=7f483b98bcc0
> > > items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000
> > > suid=1000
> > > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> > > exe="/usr/bin/gdb" key=(null)
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
> >
> > ------------------------------
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit