From patchwork Wed May 24 20:44:48 2017
X-Patchwork-Submitter: HacKurx
X-Patchwork-Id: 9747127
From: HacKurx
Date: Wed, 24 May 2017 22:44:48 +0200
To: kernel-hardening@lists.openwall.com, keescook@google.com
Subject: [kernel-hardening] Patch for random mac address

Hi all,

Firstly, I am sad that no major company has taken the trouble to finance PaX / Grsecurity so they can continue their development in a way that is accessible to all. This is regrettable because their work is your main source of inspiration ...

On to what brings me here. Brad had released an interesting hack for privacy:
https://www.grsecurity.net/~spender/random_mac.diff

I updated this patch and added a menu option. Can you examine it for inclusion upstream? Because this would be useful for distributions like Tails, Subgraph OS, Kali Linux and others ...

Thanks.

Best regards,
HacKurx (Loic)

diff --git a/net/core/dev.c b/net/core/dev.c
index fca407b..3eeb42b 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6669,6 +6669,26 @@ int dev_change_flags(struct net_device *dev, unsigned int flags) changes = (old_flags ^ dev->flags) | (old_gflags ^ dev->gflags); __dev_notify_flags(dev, old_flags, changes); + +#ifdef CONFIG_RANDOM_MAC_ADDRESS + if ((changes & IFF_UP) && !(old_flags & IFF_UP)) { + /* randomize MAC whenever interface is brought up */ + struct sockaddr sa; + unsigned int mac4; + unsigned short mac2; + + mac4 = prandom_u32(); + mac2 = prandom_u32(); + memcpy(sa.sa_data, &mac4, sizeof(mac4)); + memcpy((char *)sa.sa_data + sizeof(mac4), &mac2, sizeof(mac2)); + if (!is_valid_ether_addr(sa.sa_data)) + sa.sa_data[5] = 1; + sa.sa_data[0] &= 0xFC; + sa.sa_family = dev->type; + dev_set_mac_address(dev, &sa); + } +#endif + return ret; } EXPORT_SYMBOL(dev_change_flags); diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c index b94b1d2..b020d15 100644 --- a/net/core/dev_ioctl.c +++ b/net/core/dev_ioctl.c @@ -262,6 +262,10 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, unsigned int cmd) case SIOCSIFHWADDR: return dev_set_mac_address(dev, &ifr->ifr_hwaddr); +#ifdef CONFIG_RANDOM_MAC_ADDRESS + /* ignore userland MAC changes */ + return 0; +#endif case SIOCSIFHWBROADCAST: if (ifr->ifr_hwaddr.sa_family != dev->type) diff --git a/security/Kconfig b/security/Kconfig index 93027fd..6b7b6fc 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -67,6 +67,14 @@ config SECURITY_NETWORK_XFRM IPSec. If you are unsure how to answer this question, answer N. +config RANDOM_MAC_ADDRESS + bool "Use random MAC adresses" + default n + help + Say Y here for randomize the MAC addresses of network interfaces. + This option is recommended for people who want to increase their privacy. + If you are unsure how to answer this question, answer N. + config SECURITY_PATH bool "Security hooks for pathname based access control" depends on SECURITY
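Review bot: in the net/core/dev.c hunk the randomization runs too late and on every device type. The block sits after __dev_notify_flags(), so the interface has already been reported up with its old address, and dev_set_mac_address() is then called on a running device, which many drivers' ndo_set_mac_address refuse while netif_running(); its return value is discarded, so a failure silently leaves the old MAC in place. There is no check that dev->type == ARPHRD_ETHER or dev->addr_len == ETH_ALEN, so loopback, tunnel and non-Ethernet devices receive a 6-byte value from a partially uninitialised `struct sockaddr sa` (only 6 of the 14 sa_data bytes are filled). The generation itself is also off: prandom_u32() is not an unpredictable source for a privacy feature, `mac2 = prandom_u32()` silently truncates to 16 bits, is_valid_ether_addr() is evaluated before the `sa.sa_data[0] &= 0xFC` mask, and 0xFC clears the locally-administered bit (0x02) instead of setting it, so the result claims a globally assigned OUI. Suggest replacing the hand-rolled block with eth_random_addr() (get_random_bytes(), multicast bit cleared, local bit set), gating it on ARPHRD_ETHER, running it before the interface is opened rather than after, and checking the return value.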
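Review bot: in the net/core/dev_ioctl.c hunk the new #ifdef block is unreachable. It is placed after `return dev_set_mac_address(dev, &ifr->ifr_hwaddr);`, so `return 0;` never executes and SIOCSIFHWADDR keeps changing the address exactly as before; the comment "ignore userland MAC changes" describes behaviour the hunk does not implement. If blocking is the intent, the #ifdef must precede the existing return, and returning -EPERM rather than a silent 0 lets tools such as ifconfig see that the request was refused instead of believing it applied. This also only covers the ioctl path: setting IFLA_ADDRESS over rtnetlink (`ip link set dev X address ...`) reaches dev_set_mac_address() without passing through dev_ifsioc(), so the restriction is incomplete, and either path must be documented as deliberately breaking legitimate administrative MAC changes.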
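Review bot: in the security/Kconfig hunk the help text has typos and under-describes the option. "adresses" should be "addresses" and "Say Y here for randomize" should read "Say Y here to randomize"; `default n` is already the default and can be dropped. The help should state what the option actually does, namely that the MAC is regenerated every time an interface is brought up and that (per the dev_ioctl.c change) SIOCSIFHWADDR requests are ignored, since an administrator needs to know that before enabling it, and it should mention the effect on setups that rely on a stable address (bonding, bridges, DHCP reservations). Because the code lives in net/core and touches only networking, the symbol belongs in net/Kconfig with `depends on NET` rather than between SECURITY_NETWORK_XFRM and SECURITY_PATH.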