
Blind Operator Mode

Written by Jason A. Donenfeld

For clueless operators who wish to become more clueless.

Do not use this code unless you fully understand what it is not designed to do; this is the first sentence of the README for a good reason. In fact, just don't use it. It's mostly snake-oil. There are a million ways to subvert this. It's a fun little toy, but it's not really much beyond a toy.

This here is a monkey-patcher that tinkers with the security hooks infrastructure, rootkit-style, in order to intercept netlink messages. It then zeros out the endpoints field and allowedips field of WireGuard peers.

It also prevents the creation of AF_RAW and AF_INET(6)/SOCK_RAW sockets, in order to "break" tcpdump. It doesn't attempt to "break" other ways of getting socket samples, such as Netfilter, however.

It prevents access to /dev/{mem,kmem,port} and /proc/kcore, and it disables future module (un)loading. This doesn't prevent people from scribbling around with other tricks, exploiting zero day vulnerabilities, looking inside from the hypervisor, simply forgetting to actually load this module, or many other potential leaks and subversion.
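If you do load this thing, the one thing worth doing is checking that it is actually in effect, rather than trusting that it is. The following is an added example, not part of blind-operator-mode itself: a set of userspace probes for the protections the two paragraphs above claim (raw and packet sockets, the memory device nodes, /proc/kcore, /proc/self/mem). It assumes the module refuses these with EPERM or EACCES (anything else is reported as unknown rather than guessed at), and it reads the README's "AF_RAW" as AF_PACKET, which is the family tcpdump opens. It has to run as root: an unprivileged user gets EPERM on raw sockets and /dev/mem from ordinary permission checks, so a non-root run reports "blocked" whether or not the module is loaded.

```python
import errno
import os
import socket

# Added example (not part of blind-operator-mode): userspace probes for the
# protections the README claims, so an operator can check that the module is
# loaded and enforcing them. Every probe returns "blocked", "allowed" or
# "unknown (...)"; "blocked" is the verdict you want to see. Run as root,
# otherwise ordinary permission checks produce "blocked" on their own.

ETH_P_ALL = 0x0003  # from linux/if_ether.h; the protocol tcpdump binds to


def classify_oserror(err: OSError) -> str:
    """Map the errno of a failed probe to a coarse verdict (assumed mapping)."""
    if err.errno in (errno.EPERM, errno.EACCES):
        return "blocked"
    if err.errno == errno.ENOENT:
        return "unknown (path does not exist)"
    return f"unknown (errno {err.errno}: {err.strerror})"


def probe_socket(family: int, type_: int, proto: int) -> str:
    """Try to create a socket; the module should refuse raw ones."""
    try:
        s = socket.socket(family, type_, proto)
    except OSError as e:
        return classify_oserror(e)
    s.close()
    return "allowed"


def probe_inet_raw() -> str:
    # AF_INET/SOCK_RAW, the kind ping and hand-rolled sniffers use
    return probe_socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)


def probe_packet_raw() -> str:
    # AF_PACKET/SOCK_RAW, the kind tcpdump uses (the README's "AF_RAW")
    if not hasattr(socket, "AF_PACKET"):
        return "unknown (no AF_PACKET on this platform)"
    return probe_socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))


def probe_open(path: str) -> str:
    """Try to open a device node or proc file read-only."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as e:
        return classify_oserror(e)
    os.close(fd)
    return "allowed"


def probe_proc_self_mem() -> str:
    """Read our own memory through /proc/self/mem; the module should block it."""
    marker = b"blind-operator-probe"  # constructed object to read back
    try:
        fd = os.open("/proc/self/mem", os.O_RDONLY)
    except OSError as e:
        return classify_oserror(e)
    try:
        # id() is the object's address in CPython; read a few header bytes
        data = os.pread(fd, 8, id(marker))
    except OSError as e:
        return classify_oserror(e)
    finally:
        os.close(fd)
    return "allowed" if data else "unknown (empty read)"


def run_all() -> dict:
    """Run every probe and return {description: verdict}."""
    return {
        "raw AF_INET socket": probe_inet_raw(),
        "raw AF_PACKET socket": probe_packet_raw(),
        "/dev/mem": probe_open("/dev/mem"),
        "/dev/kmem": probe_open("/dev/kmem"),
        "/dev/port": probe_open("/dev/port"),
        "/proc/kcore": probe_open("/proc/kcore"),
        "/proc/self/mem": probe_proc_self_mem(),
    }


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:22} {verdict}")
```

Note what this does not cover, in line with the README's own caveats: it says nothing about Netfilter, ptrace, coredumps, or module loading (there is no safe userspace way to "try" loading a module here), and a verdict of "blocked" only tells you the syscall failed, not why. Run it once before the 60-second delay has elapsed and once after, since the raw-socket and module restrictions are not armed until then.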

Ptrace, /proc/PID/mem, and coredumps are also disabled, to gain some rudimentary support for hindering data extraction from userspace programs.

Disabling of modules and of raw sockets is delayed until 60 seconds after this loads, in order to allow DHCP daemons to start and for other modules to be loaded.

This whole thing is incredibly stupid, but it is nonetheless an interesting exercise. If you have any sense at all, you won't go near this code and will discard this idea entirely. There are probably several ways to subvert it and a host of other subtle bugs. Some people might think that by hiding things from userspace, they actually hide things, but this could not be further from the truth.

However, if you simply want to be able to claim to people, "we don't have the ability to view internal or external IP addresses of any peers," and you really do lack the know-how to subvert this, then I suppose it might be somewhat useful. It's a strange property: this module only has utility in contexts where you don't know how to subvert it. This means that as you become smarter, this module will need to grow. This implies that either the guy writing it should be more knowledgeable than you are at the moment, or you yourself should be the author, exhausting all the current methods of subversion you can currently think of.

Probably, though, if you think you need this module, you should instead just design a system that has no remote access capabilities -- no sshd or getty.

Requirements

This uses the hooks provided by CONFIG_SECURITY, CONFIG_SECURITY_NETWORK, and CONFIG_KALLSYMS_ALL.

Installation

On a DKMS-enabled machine, simply run make install. Things should magically work from then on.

License

This project is released under the GPLv2.

Bugs

Probably there are a lot of them, by design. This module makes no attempt at plugging all holes and leaks, and the current methods used are prone to be buggy at best. Also, this won't work with paravirtualization, since it works primarily by twiddling with cr0; hence this code is also x86/amd64 only. On old kernels, this disables SELinux/AppArmor and does voodoo magic that might murder kittens to discover non-exported symbols. Such magic only works on 64-bit and its success may vary based on which compiler is in use. Since this disables raw sockets, if you want ping to work, you may need to allow ICMP sockets via sysctl -w net.ipv4.ping_group_range="0 0".