From 77c8c9a51de6675e4dce2668e16533d54c0b67a2 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Fri, 19 May 2017 11:53:57 +0200
Subject: [PATCH 153/310] sys/net: Disable MAC address caching by default

MAC address caching was added upstream in r318160/0cfdb3c3056d9e and allows to retrieve the orginal MAC address with ifconfig, even if it has been previously overwritten. This currently can be done from jails and makes system fingerprinting easier which may be undesirable. Now it has to be explicitly enabled by setting: net.link.cache_mac_addresses=1 before the NIC is initialized. Note that jails can still access the (potentially randomized) MAC address the NICs are currently using. The "protection" offered by this commit is therefore quite limitted.

Obtained from: ElectroBSD
---
 sys/net/if.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/net/if.c b/sys/net/if.c
index b8aadbf03041..1c83a30318fd 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -221,6 +221,13 @@ SYSCTL_UINT(_net, OID_AUTO, ifdescr_maxlen, CTLFLAG_RW,
     &ifdescr_maxlen, 0,
     "administrative maximum length for interface description");
 
+/* Try to cache the original MAC addresses */
+static int cache_mac_addresses = 0;
+SYSCTL_INT(_net_link, OID_AUTO, cache_mac_addresses, CTLFLAG_RWTUN,
+    &cache_mac_addresses, 0,
+    "Try to cache original MAC addresses allowing "
+    "ifconfig to display them after being overwritten.");
+
 static MALLOC_DEFINE(M_IFDESCR, "ifdescr", "ifnet descriptions");
 
 /* global sx for non-critical path ifdescr */
@@ -945,7 +952,7 @@ if_attach_internal(struct ifnet *ifp, int vmove, struct if_clone *ifc)
 
 	/* Reliably crash if used uninitialized. */
 	ifp->if_broadcastaddr = NULL;
-	if (ifp->if_type == IFT_ETHER) {
+	if (cache_mac_addresses != 0 && ifp->if_type == IFT_ETHER) {
 		ifp->if_hw_addr = malloc(ifp->if_addrlen, M_IFADDR,
 		    M_WAITOK | M_ZERO);
 	}
-- 
2.37.1
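Review bot: The new sysctl is declared CTLFLAG_RWTUN, but `cache_mac_addresses` is only consulted inside if_attach_internal (the second hunk), so flipping it at runtime neither allocates nor releases if_hw_addr for interfaces that are already attached; the description string does not say this and an operator reading `sysctl -d` will assume a live toggle. Either state the attach-time semantics in the description, e.g. `"Cache original MAC addresses at interface attach time so ifconfig can display them after being overwritten (affects only interfaces attached afterwards)."`, or, if only loader/boot-time configuration is intended, consider CTLFLAG_RDTUN so the knob cannot be changed after boot. The commit message already documents that the tunable must be set before the NIC initializes; carrying that into the sysctl description keeps the two in sync.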
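Review bot: With the default of 0, `ifp->if_hw_addr` now remains NULL for every Ethernet interface, so each reader of that field (presumably the copy made when the link-layer address is first set, the ioctl path that reports it to ifconfig, and the free in the detach path) must tolerate NULL; none of those sites is in this hunk, so this should be confirmed rather than assumed. free() of NULL is harmless, but an unguarded memcpy into if_hw_addr would be a NULL dereference reachable for every interface at attach time, which is a worse outcome than the fingerprinting the change is trying to limit. A one-line comment at the condition would keep the invariant visible to later readers: `/* if_hw_addr stays NULL unless caching was enabled before attach; readers must check. */`. if_attach_internal begins and ends outside the hunk.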