copapa n00b
Joined: 14 Nov 2014 Posts: 7
Posted: Fri Nov 14, 2014 5:20 pm Post subject: Cannot load modules in gentoo hardened |
Hi there.
I just inherited a box equipped with several ethernet ports; it was installed by a previous intern and I have minimal documentation on what this person did, but I can't just reinstall everything. I know the system is gentoo hardened.
Now I am trying to bridge two of the interfaces together but I can't seem to load the corresponding module. Bridge support seems to have been compiled with the kernel:
Code: |
# gunzip -c /proc/config.gz | grep BRIDGE
CONFIG_BRIDGE_NETFILTER=y
# CONFIG_NF_TABLES_BRIDGE is not set
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_BRIDGE_EBT_802_3=m
CONFIG_BRIDGE_EBT_AMONG=m
CONFIG_BRIDGE_EBT_ARP=m
CONFIG_BRIDGE_EBT_IP=m
# CONFIG_BRIDGE_EBT_IP6 is not set
CONFIG_BRIDGE_EBT_LIMIT=m
CONFIG_BRIDGE_EBT_MARK=m
CONFIG_BRIDGE_EBT_PKTTYPE=m
CONFIG_BRIDGE_EBT_STP=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_BRIDGE_EBT_ARPREPLY=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_MARK_T=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_SNAT=m
CONFIG_BRIDGE_EBT_LOG=m
CONFIG_BRIDGE_EBT_ULOG=m
# CONFIG_BRIDGE_EBT_NFLOG is not set
CONFIG_BRIDGE=m
CONFIG_BRIDGE_IGMP_SNOOPING=y
# CONFIG_BRIDGE_VLAN_FILTERING is not set
# CONFIG_SSB_B43_PCI_BRIDGE is not set
|
Code: | # brctl addbr br0
add bridge failed: Package not installed
|
But I already installed 'bridge-utils'.
Loading the module manually gives:
Code: | # modprobe bridge
modprobe: ERROR: could not insert 'bridge': Cannot allocate memory |
And according to some internet readings (https://www.mythtv.org/wiki/Common_Problem:_vmalloc_too_small), I checked dmesg and indeed I have the vmap error mentioned:
Code: | [ 45.204350] audit: type=1400 audit(1416008344.019:99): avc: denied { write } for pid=2719 comm="login" name="utmp" dev="tmpfs" ino=8124 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:initrc_state_t tclass=file
[ 51.561963] vmap allocation for size 233472 failed: use vmalloc=<size> to increase size.
[ 65.827505] audit: type=1400 audit(1416008364.639:100): avc: denied { read } for pid=2724 comm="dmesg" name="kmsg" dev="devtmpfs" ino=1033 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
[ 65.827542] audit: type=1400 audit(1416008364.639:101): avc: denied { open } for pid=2724 comm="dmesg" path="/dev/kmsg" dev="devtmpfs" ino=1033 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
|
I adjusted the vmalloc parameter of the kernel in /etc/default/grub, regenerated the grub config and rebooted.
Code: | # cat /proc/cmdline
BOOT_IMAGE=/kernel-genkernel-x86-3.15.5-hardened-r2 root=UUID=e479b312-c7da-42a2-8787-031442bfd95e ro vmalloc=512M |
I tried several sizes for the vmalloc parameter (the default was 122880kB) but nothing seems to work.
Code: | # grep Vmalloc /proc/meminfo
VmallocTotal: 524288 kB
VmallocUsed: 9488 kB
VmallocChunk: 505680 kB
|
The module seems to be there.
Code: | # ls -l /lib/modules/3.15.5-hardened-r2/kernel/net/bridge/bridge.ko
-rw-r--r--. 1 root root 112983 Aug 12 17:26 /lib/modules/3.15.5-hardened-r2/kernel/net/bridge/bridge.ko |
Code: | # uname -a
Linux new-host-2.home 3.15.5-hardened-r2 #1 SMP Tue Aug 12 16:29:59 Local time zone must be set--see zic i686 Intel(R) Atom(TM) CPU D525 @ 1.80GHz GenuineIntel GNU/Linux
|
Any idea how I could dig further?
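The post above checks three things by hand: whether the feature is built in or a module (/proc/config.gz), what size the failed vmap request was (dmesg), and how much vmalloc space is actually available (/proc/meminfo). The script below is an added example, not code from the thread, that turns those checks into functions and runs them on samples constructed from the post's own output. The comparison it makes is the one worth drawing from the numbers already in the thread: the failed request was 233472 bytes (228 kB) while VmallocChunk after the reboot is 505680 kB, so vmalloc= sizing is no longer what blocks the insertion. The `Package not installed` message from brctl is errno ENOPKG, which the kernel returns for the bridge ioctls when the bridge module is not loaded, so getting the module in is the real prerequisite. The function and variable names are the example's own; on a real host feed the output of `gunzip -c /proc/config.gz`, `dmesg` and `cat /proc/meminfo` instead of the samples.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). They take the text of
# /proc/config.gz, dmesg and /proc/meminfo as arguments so the logic can be
# run on the constructed samples below or on the live files of a real host.

# --- Constructed sample input, modelled on the output in the post ----------
SAMPLE_CONFIG='CONFIG_BRIDGE_NETFILTER=y
# CONFIG_NF_TABLES_BRIDGE is not set
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE=m'

SAMPLE_DMESG='[   45.204350] audit: type=1400 audit(1416008344.019:99): avc: denied { write } for pid=2719 comm="login"
[   51.561963] vmap allocation for size 233472 failed: use vmalloc=<size> to increase size.'

SAMPLE_MEMINFO='VmallocTotal:     524288 kB
VmallocUsed:        9488 kB
VmallocChunk:     505680 kB'

# kconfig_state CONFIG_TEXT SYMBOL
# Prints y (built in), m (module) or n (not set / absent). The pattern is
# anchored so CONFIG_BRIDGE does not also match CONFIG_BRIDGE_NETFILTER.
kconfig_state() {
    if   printf '%s\n' "$1" | grep -q "^$2=y\$"; then echo y
    elif printf '%s\n' "$1" | grep -q "^$2=m\$"; then echo m
    else echo n
    fi
}

# meminfo_kb MEMINFO_TEXT KEY -> prints the kB value of KEY (e.g. VmallocChunk)
meminfo_kb() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2 }'
}

# failed_vmap_kb DMESG_TEXT
# Extracts the byte count from the first "vmap allocation for size N failed"
# line and prints it rounded up to whole kB; prints nothing if there is none.
failed_vmap_kb() {
    printf '%s\n' "$1" \
      | sed -n 's/.*vmap allocation for size \([0-9][0-9]*\) failed.*/\1/p' \
      | head -n 1 \
      | awk '{ print int(($1 + 1023) / 1024) }'
}

# vmap_request_fits DMESG_TEXT MEMINFO_TEXT
# Succeeds when the largest free vmalloc chunk can hold the request that
# failed. If it succeeds, vmalloc= is no longer the limiting factor and the
# insertion failure has some other cause.
vmap_request_fits() {
    need=$(failed_vmap_kb "$1")
    chunk=$(meminfo_kb "$2" VmallocChunk)
    [ -n "$need" ] && [ -n "$chunk" ] && [ "$chunk" -ge "$need" ]
}

# module_load_needed CONFIG_TEXT SYMBOL
# Succeeds when the feature is a module, i.e. modprobe must work before the
# userspace tool can use it; fails when it is built in or absent.
module_load_needed() {
    [ "$(kconfig_state "$1" "$2")" = m ]
}

# diagnose CONFIG_TEXT DMESG_TEXT MEMINFO_TEXT SYMBOL
# Ties the checks together and prints a one-line verdict per step.
diagnose() {
    cfg=$1; dmesg_text=$2; meminfo=$3; sym=$4
    echo "$sym=$(kconfig_state "$cfg" "$sym")"
    if module_load_needed "$cfg" "$sym"; then
        need=$(failed_vmap_kb "$dmesg_text")
        echo "failed vmap request: ${need:-none} kB, VmallocChunk: $(meminfo_kb "$meminfo" VmallocChunk) kB"
        if vmap_request_fits "$dmesg_text" "$meminfo"; then
            echo "vmalloc space is sufficient; look elsewhere for the insertion failure"
        else
            echo "vmalloc space still too small or fragmented; raise vmalloc= further"
        fi
    else
        echo "no module load needed for $sym"
    fi
}

diagnose "$SAMPLE_CONFIG" "$SAMPLE_DMESG" "$SAMPLE_MEMINFO" CONFIG_BRIDGE
```

On a live host the same call is `diagnose "$(gunzip -c /proc/config.gz)" "$(dmesg)" "$(cat /proc/meminfo)" CONFIG_BRIDGE`; note that on the hardened box in the thread dmesg itself tripped SELinux denials on /dev/kmsg, so run it from a role that is allowed to read the kernel log or the dmesg text will be empty and `failed_vmap_kb` will report none.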
jpc22 Apprentice
Joined: 29 Jan 2012 Posts: 195
Posted: Tue Nov 18, 2014 4:18 am Post subject: |
Can you post your /etc/portage/make.conf? There is a certain USE flag that can cause vmalloc errors. (I will do some research to find out what it was; it gave me and someone else problems.)
If you are familiar with the kernel compiling procedure, I would try compiling those drivers directly into the kernel instead of as modules.
This should eliminate the problem of loading the modules, since it seems like you will be using those ports constantly. (Modules are more for stuff you use once in a while, but those ports are always plugged in.)
From a security point of view, having modules allows you to shut down those interfaces when they are not used, to prevent them being used as an attack vector (probably why he had them set up that way).
By the way, welcome to the joys of gentoo. Hardened can be quite a beast to tame, but the community will be glad to help you.
copapa n00b
Joined: 14 Nov 2014 Posts: 7
Posted: Wed Nov 19, 2014 10:50 am Post subject: |
Here is the content of the file:
Code: | # These settings were set by the catalyst build script that automatically
# built this stage.
# Please consult /usr/share/portage/config/make.conf.example for a more
# detailed example.
CFLAGS="-O2 -march=i686 -pipe"
CXXFLAGS="${CFLAGS}"
# WARNING: Changing your CHOST is not something that should be done lightly.
# Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing.
CHOST="i686-pc-linux-gnu"
# These are the USE flags that were used in addition to what is provided by the
# profile used for building.
USE="bindist"
PORTDIR="/usr/portage"
DISTDIR="${PORTDIR}/distfiles"
PKGDIR="${PORTDIR}/packages"
MAKEOPTS="-j2"
POLICY_TYPES="strict"
#ACCEPT_KEYWORDS ">readline-6.3_r1 ~x86"
#ACCEPT_KEYWORDS ">bash-4.2_p53 ~x86"
|
I am currently rewriting the doc and trying to automate the installation to understand what he did, so I will consider building the bridge support directly into the kernel.