From 567f5bf8a8d43e28563c0c88bc0fb22178a03d30 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Fri, 19 May 2017 11:53:57 +0200
Subject: [PATCH 167/325] sys/net: Disable MAC address caching by default

MAC address caching was added upstream in r318160/0cfdb3c3056d9e and allows to retrieve the orginal MAC address with ifconfig, even if it has been previously overwritten. This currently can be done from jails and makes system fingerprinting easier which may be undesirable. Now it has to be explicitly enabled by setting: net.link.cache_mac_addresses=1 before the NIC is initialized. Note that jails can still access the (potentially randomized) MAC address the NICs are currently using. The "protection" offered by this commit is therefore quite limitted.

Obtained from: ElectroBSD
---
 sys/net/if.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/net/if.c b/sys/net/if.c
index f2ef88d3f28e..889fccc1a011 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -220,6 +220,13 @@ SYSCTL_UINT(_net, OID_AUTO, ifdescr_maxlen, CTLFLAG_RW,
     &ifdescr_maxlen, 0,
     "administrative maximum length for interface description");
 
+/* Try to cache the original MAC addresses */
+static int cache_mac_addresses = 0;
+SYSCTL_INT(_net_link, OID_AUTO, cache_mac_addresses, CTLFLAG_RWTUN,
+    &cache_mac_addresses, 0,
+    "Try to cache original MAC addresses allowing "
+    "ifconfig to display them after being overwritten.");
+
 static MALLOC_DEFINE(M_IFDESCR, "ifdescr", "ifnet descriptions");
 
 /* global sx for non-critical path ifdescr */
@@ -917,7 +924,7 @@ if_attach_internal(struct ifnet *ifp, int vmove, struct if_clone *ifc)
 	/* Reliably crash if used uninitialized. */
 	ifp->if_broadcastaddr = NULL;
 
-	if (ifp->if_type == IFT_ETHER) {
+	if (cache_mac_addresses != 0 && ifp->if_type == IFT_ETHER) {
 		ifp->if_hw_addr = malloc(ifp->if_addrlen, M_IFADDR,
 		    M_WAITOK | M_ZERO);
 	}
-- 
2.32.0
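Review bot: The gated `malloc` in if_attach_internal now leaves `ifp->if_hw_addr` NULL for every Ethernet interface by default, but the hunk does not show the code that later fills the cache or the ioctl path that hands it to ifconfig; those consumers must tolerate a NULL `if_hw_addr` (the upstream commit the message cites appears to add such a check, but please confirm for this tree before merging), otherwise the default configuration becomes a kernel NULL dereference rather than a privacy improvement. The sysctl is `CTLFLAG_RWTUN`, so it can be flipped at runtime, yet the flag is only consulted at attach time: enabling it afterwards does not cache addresses for interfaces that are already up, and disabling it does not purge a cache that was already allocated, which is only stated in the commit message and not in the sysctl help string. I would make that visible to an operator: `"Cache the original MAC address of Ethernet interfaces at attach time so ifconfig can show it after it is overwritten (only affects interfaces attached after the setting is changed)."`. The `/* Try to cache the original MAC addresses */` comment could likewise note that this is a fingerprinting mitigation that still leaves the current (possibly randomized) address readable from jails. if_attach_internal starts and ends outside the hunk.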