# Cannot load modules in gentoo hardened

## copapa

Hi there.

I just inherited a box equipped with several ethernet ports; it was installed by a previous intern and I have minimal documentation on what this person did, but I can't just reinstall everything. I know the system is gentoo hardened.

Now I am trying to bridge two of the interfaces together but I can't seem to load the corresponding module. Bridge support seems to have been compiled with the kernel:

```
# gunzip -c /proc/config.gz | grep BRIDGE
CONFIG_BRIDGE_NETFILTER=y
# CONFIG_NF_TABLES_BRIDGE is not set
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_BRIDGE_EBT_802_3=m
CONFIG_BRIDGE_EBT_AMONG=m
CONFIG_BRIDGE_EBT_ARP=m
CONFIG_BRIDGE_EBT_IP=m
# CONFIG_BRIDGE_EBT_IP6 is not set
CONFIG_BRIDGE_EBT_LIMIT=m
CONFIG_BRIDGE_EBT_MARK=m
CONFIG_BRIDGE_EBT_PKTTYPE=m
CONFIG_BRIDGE_EBT_STP=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_BRIDGE_EBT_ARPREPLY=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_MARK_T=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_SNAT=m
CONFIG_BRIDGE_EBT_LOG=m
CONFIG_BRIDGE_EBT_ULOG=m
# CONFIG_BRIDGE_EBT_NFLOG is not set
CONFIG_BRIDGE=m
CONFIG_BRIDGE_IGMP_SNOOPING=y
# CONFIG_BRIDGE_VLAN_FILTERING is not set
# CONFIG_SSB_B43_PCI_BRIDGE is not set
```

```
# brctl addbr br0
add bridge failed: Package not installed
```

But I already installed 'bridge-utils'.

Loading the module manually gives:

```
# modprobe bridge
modprobe: ERROR: could not insert 'bridge': Cannot allocate memory
```

And according to some internet readings (https://www.mythtv.org/wiki/Common_Problem:_vmalloc_too_small), I checked dmesg and indeed I have the vmap error mentioned:

```
[   45.204350] audit: type=1400 audit(1416008344.019:99): avc:  denied  { write } for  pid=2719 comm="login" name="utmp" dev="tmpfs" ino=8124 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:initrc_state_t tclass=file
[   51.561963] vmap allocation for size 233472 failed: use vmalloc=<size> to increase size.
[   65.827505] audit: type=1400 audit(1416008364.639:100): avc:  denied  { read } for  pid=2724 comm="dmesg" name="kmsg" dev="devtmpfs" ino=1033 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
[   65.827542] audit: type=1400 audit(1416008364.639:101): avc:  denied  { open } for  pid=2724 comm="dmesg" path="/dev/kmsg" dev="devtmpfs" ino=1033 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
```

I adjusted the vmalloc parameter of the kernel in /etc/default/grub, regenerated the grub config and rebooted.

```
# cat /proc/cmdline
BOOT_IMAGE=/kernel-genkernel-x86-3.15.5-hardened-r2 root=UUID=e479b312-c7da-42a2-8787-031442bfd95e ro vmalloc=512M
```

I tried several sizes for the vmalloc parameter (the default was 122880 kB) but nothing seems to work.

```
# grep Vmalloc /proc/meminfo
VmallocTotal:     524288 kB
VmallocUsed:        9488 kB
VmallocChunk:     505680 kB
```

The module seems to be there.

```
# ls -l /lib/modules/3.15.5-hardened-r2/kernel/net/bridge/bridge.ko
-rw-r--r--. 1 root root 112983 Aug 12 17:26 /lib/modules/3.15.5-hardened-r2/kernel/net/bridge/bridge.ko
```

```
# uname -a
Linux new-host-2.home 3.15.5-hardened-r2 #1 SMP Tue Aug 12 16:29:59 Local time zone must be set--see zic  i686 Intel(R) Atom(TM) CPU D525 @ 1.80GHz GenuineIntel GNU/Linux
```

Any idea how I could dig further?
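One way to dig further is to check whether the logged vmap failure is actually explained by the vmalloc figures, rather than guessing at sizes. The helper below is an added example, not code from the thread; it parses a dmesg excerpt and /proc/meminfo text (here constructed from the values quoted above), reports the largest failed request against the largest free chunk, and counts the SELinux AVC denials in the same log, since on a hardened box a denial can sit behind an unrelated-looking error.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread: it checks whether a
# "vmap allocation ... failed" message in dmesg is explained by the vmalloc
# figures in /proc/meminfo, and counts SELinux AVC denials in the same log.
# The sample inputs are constructed from the values quoted in the thread.

SAMPLE_DMESG='[   45.204350] audit: type=1400 audit(1416008344.019:99): avc:  denied  { write } for  pid=2719 comm="login" name="utmp"
[   51.561963] vmap allocation for size 233472 failed: use vmalloc=<size> to increase size.
[   65.827505] audit: type=1400 audit(1416008364.639:100): avc:  denied  { read } for  pid=2724 comm="dmesg" name="kmsg"'

SAMPLE_MEMINFO='VmallocTotal:     524288 kB
VmallocUsed:        9488 kB
VmallocChunk:     505680 kB'

# Largest failed vmap request on stdin, in kB (0 if none logged).
vmap_failed_kb() {
    awk '/vmap allocation for size [0-9]+ failed/ {
             for (i = 1; i <= NF; i++) if ($i == "size") sz = $(i + 1) + 0
             if (sz > max) max = sz
         }
         END { printf "%d\n", max / 1024 }'
}

# Value in kB of one /proc/meminfo field (e.g. VmallocChunk) read from stdin.
meminfo_kb() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Number of AVC denials on stdin; a denial can surface as an unrelated-looking
# error, so it belongs in the same picture as the allocation failure.
avc_denials() {
    grep -c 'avc:  denied' || true
}

# exhausted: request larger than the largest free chunk, so vmalloc= helps.
# not-vmalloc: the request would have fit, so look elsewhere for the cause.
classify() { # $1 = failed request kB, $2 = VmallocChunk kB
    if [ "$1" -eq 0 ]; then echo none
    elif [ "$1" -gt "$2" ]; then echo exhausted
    else echo not-vmalloc
    fi
}

failed=$(printf '%s\n' "$SAMPLE_DMESG" | vmap_failed_kb)
chunk=$(printf '%s\n' "$SAMPLE_MEMINFO" | meminfo_kb VmallocChunk)
echo "failed vmap request: ${failed} kB, largest free chunk: ${chunk} kB"
echo "verdict: $(classify "$failed" "$chunk")"
echo "AVC denials in log: $(printf '%s\n' "$SAMPLE_DMESG" | avc_denials)"
```

On the real box, feed `dmesg | vmap_failed_kb` and `meminfo_kb VmallocChunk < /proc/meminfo` instead of the samples; with the figures quoted in the thread the 228 kB request is far smaller than the free chunk, so the verdict is "not-vmalloc" and raising vmalloc= alone is not expected to help.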

----------

## jpc22

Can you post your /etc/portage/make.conf? There is a certain USE flag that can cause vmalloc errors. (I will do some research to find out what it was; it gave me and someone else problems.)

If you are familiar with the kernel compiling procedure, I would try compiling those drivers directly into the kernel instead of as modules.

This should eliminate the problem of loading the modules, since it seems like you will be using those ports constantly. (Modules are more for stuff you use once in a while, but those ports are always plugged in.)

From a security point of view, having modules allows you to shut down those interfaces when they are not used, to prevent them from being used as an attack vector (probably why he had them set up that way).

By the way, welcome to the joys of gentoo. Hardened can be quite a beast to tame, but the community will be glad to help you.

----------

## copapa

Here is the content of the file:

```
# These settings were set by the catalyst build script that automatically
# built this stage.
# Please consult /usr/share/portage/config/make.conf.example for a more
# detailed example.
CFLAGS="-O2 -march=i686 -pipe"
CXXFLAGS="${CFLAGS}"
# WARNING: Changing your CHOST is not something that should be done lightly.
# Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing.
CHOST="i686-pc-linux-gnu"
# These are the USE flags that were used in addition to what is provided by the
# profile used for building.
USE="bindist"

PORTDIR="/usr/portage"
DISTDIR="${PORTDIR}/distfiles"
PKGDIR="${PORTDIR}/packages"
MAKEOPTS="-j2"
POLICY_TYPES="strict"
#ACCEPT_KEYWORDS ">readline-6.3_r1 ~x86"
#ACCEPT_KEYWORDS ">bash-4.2_p53 ~x86"
```

I am currently rewriting the doc and trying to automate the installation to understand what he did, so I will consider building the bridge support directly into the kernel.

----------

