Blind Operator Mode
Written by Jason A. Donenfeld
For clueless operators who wish to become more clueless.
Do not use this code unless you fully understand what it is not designed to do; this is the first sentence of the README for a good reason. In fact, just don't use it. It's mostly snake-oil. There are a million ways to subvert this. It's a fun little toy, but it's not really much beyond a toy.
This here is a monkey-patcher that tinkers with the security hooks infrastructure, rootkit-style, in order to intercept netlink messages. It then zeros out the endpoint and allowedips fields of WireGuard peers before they reach userspace.
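The mangling described above, as an added example that is not code from blind-operator-mode: it performs the same transformation in user space on a constructed WireGuard generic-netlink attribute stream, walking the nested WGDEVICE_A_PEERS list and overwriting the payload bytes of WGPEER_A_ENDPOINT and of every leaf inside WGPEER_A_ALLOWEDIPS with zeros. The attribute ids come from WireGuard's uapi header; the sample message is constructed, not a real capture; and "keep every nla_len/nla_type header, zero only payloads, so the message keeps its length and still parses" is this example's assumption, since the README does not say how the module edits the buffer inside its hook.

```python
"""
Added example (not code from blind-operator-mode): zero WireGuard peer
endpoints and allowed IPs inside a serialized netlink attribute stream
while leaving every attribute header intact.
"""
import struct

# Attribute ids from WireGuard's uapi header (include/uapi/linux/wireguard.h).
WGDEVICE_A_IFNAME = 2
WGDEVICE_A_PEERS = 8
WGPEER_A_PUBLIC_KEY = 1
WGPEER_A_ENDPOINT = 4
WGPEER_A_ALLOWEDIPS = 9
WGALLOWEDIP_A_FAMILY = 1
WGALLOWEDIP_A_IPADDR = 2
WGALLOWEDIP_A_CIDR_MASK = 3

# struct nlattr layout: u16 nla_len, u16 nla_type, payload padded to 4 bytes.
NLA_HDRLEN = 4
NLA_ALIGNTO = 4
NLA_F_NESTED = 1 << 15
NLA_TYPE_MASK = 0x3FFF


def nla_align(n):
    return (n + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)


def nla_put(attr_id, payload, nested=False):
    """Serialize one attribute the way the kernel lays it out: header, payload, zero padding."""
    nla_type = attr_id | (NLA_F_NESTED if nested else 0)
    hdr = struct.pack("=HH", NLA_HDRLEN + len(payload), nla_type)
    return hdr + payload + b"\0" * (nla_align(len(payload)) - len(payload))


def iter_attrs(buf):
    """Yield (attr_id, nested, payload_start, payload_end) for each attribute in buf.
    Offsets are relative to buf; a truncated or undersized header raises."""
    off = 0
    while off + NLA_HDRLEN <= len(buf):
        nla_len, nla_type = struct.unpack_from("=HH", buf, off)
        if nla_len < NLA_HDRLEN or off + nla_len > len(buf):
            raise ValueError("malformed nlattr at offset %d" % off)
        yield nla_type & NLA_TYPE_MASK, bool(nla_type & NLA_F_NESTED), off + NLA_HDRLEN, off + nla_len
        off += nla_align(nla_len)


def _zero_leaves(out, start, end):
    """Zero the payload of every non-nested attribute in out[start:end], recursing into nested ones."""
    for _aid, nested, p0, p1 in iter_attrs(bytes(out[start:end])):
        if nested:
            _zero_leaves(out, start + p0, start + p1)
        else:
            out[start + p0:start + p1] = b"\0" * (p1 - p0)


def _peer_spans(msg):
    """Yield (start, end) of each per-peer attribute set nested inside WGDEVICE_A_PEERS."""
    for aid, nested, p0, p1 in iter_attrs(msg):
        if aid == WGDEVICE_A_PEERS and nested:
            for _idx, pnested, q0, q1 in iter_attrs(msg[p0:p1]):
                if pnested:
                    yield p0 + q0, p0 + q1


def blind_peers(msg):
    """Return a copy of msg with every peer's endpoint and allowed-ips contents zeroed."""
    out = bytearray(msg)
    for start, end in _peer_spans(msg):
        for aid, nested, r0, r1 in iter_attrs(msg[start:end]):
            if aid == WGPEER_A_ENDPOINT:
                out[start + r0:start + r1] = b"\0" * (r1 - r0)
            elif aid == WGPEER_A_ALLOWEDIPS and nested:
                _zero_leaves(out, start + r0, start + r1)
    return bytes(out)


def parse_peers(msg):
    """Map each peer's attribute id to its raw payload, for inspecting before/after."""
    return [{aid: msg[start + r0:start + r1] for aid, _n, r0, r1 in iter_attrs(msg[start:end])}
            for start, end in _peer_spans(msg)]


def build_sample():
    """Constructed WG_CMD_GET_DEVICE-style attribute stream: wg0 with one peer (sample data, not a capture)."""
    # struct sockaddr_in: AF_INET, port 51820 in network order, 203.0.113.7, 8 zero bytes.
    endpoint = struct.pack("=H", 2) + struct.pack("!H", 51820) + bytes([203, 0, 113, 7]) + b"\0" * 8
    allowedip = nla_put(0, nla_put(WGALLOWEDIP_A_FAMILY, struct.pack("=H", 2))
                        + nla_put(WGALLOWEDIP_A_IPADDR, bytes([10, 0, 0, 2]))
                        + nla_put(WGALLOWEDIP_A_CIDR_MASK, bytes([32])), nested=True)
    peer = nla_put(0, nla_put(WGPEER_A_PUBLIC_KEY, b"P" * 32)
                   + nla_put(WGPEER_A_ENDPOINT, endpoint)
                   + nla_put(WGPEER_A_ALLOWEDIPS, allowedip, nested=True), nested=True)
    return nla_put(WGDEVICE_A_IFNAME, b"wg0\0") + nla_put(WGDEVICE_A_PEERS, peer, nested=True)


if __name__ == "__main__":
    before = parse_peers(build_sample())
    after = parse_peers(blind_peers(build_sample()))
    print("endpoint before:", before[0][WGPEER_A_ENDPOINT].hex())
    print("endpoint after: ", after[0][WGPEER_A_ENDPOINT].hex())
```

Note that the public key and interface name survive untouched, the output is exactly as long as the input, and a consumer that walks the attributes afterwards sees a well-formed message whose endpoint is an all-zero sockaddr and whose allowed-ip entries carry zeroed family, address and prefix length. That is the whole of what "hiding" amounts to here: the bytes are still produced by the kernel and only overwritten on their way out, which is why the README calls the approach snake-oil.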
It also prevents the creation of `AF_RAW` and `AF_INET(6)`/`SOCK_RAW` sockets, in order to "break" tcpdump. It doesn't attempt to "break" other ways of getting socket samples, such as Netfilter, however.
It prevents access to `/dev/{mem,kmem,port}` and `/proc/kcore`, and it disables future module (un)loading. This doesn't prevent people from scribbling around with other tricks, exploiting zero day vulnerabilities, looking inside from the hypervisor, simply forgetting to actually load this module, or many other potential leaks and subversion.
Ptrace, /proc/PID/mem, and coredumps are also disabled, to gain some rudimentary support for hindering data extraction from userspace programs.
Disabling of modules and of raw sockets is delayed until 60 seconds after this loads, in order to allow DHCP daemons to start and for other modules to be loaded.
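Because enforcement of the raw-socket and module-loading restrictions only begins after that 60-second window, an operator has no way of knowing from the load alone whether the restrictions listed above are in effect. The following is an added user-space probe, not part of blind-operator-mode, that checks each documented restriction by attempting the operation and classifying the outcome; the `/proc/sys/kernel/modules_disabled` read is an assumption about how the block might be visible and only reflects that sysctl, not a hook-based block.

```python
"""
Added example (not code from blind-operator-mode): probe which of the README's
restrictions are in effect on this host. Run as root after the 60-second delay;
unprivileged users cannot create raw sockets or open /dev/mem regardless of the
module, so their "blocked" results mean nothing.
"""
import os
import socket

BLOCKED, ALLOWED, UNAVAILABLE = "blocked", "allowed", "unavailable"


def _probe_open(path):
    """Try to open a device or proc file read-only and classify the result."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except PermissionError:
        return BLOCKED
    except OSError:
        # e.g. ENOENT when the kernel was built without /dev/kmem or /proc/kcore
        return UNAVAILABLE
    os.close(fd)
    return ALLOWED


def raw_socket_probe(family, proto):
    """Try to create a SOCK_RAW socket (needs CAP_NET_RAW even without the module)."""
    try:
        s = socket.socket(family, socket.SOCK_RAW, proto)
    except PermissionError:
        return BLOCKED
    except OSError:
        # e.g. EAFNOSUPPORT when the address family is compiled out or disabled
        return UNAVAILABLE
    s.close()
    return ALLOWED


def modules_disabled_probe():
    """Reflects only the kernel.modules_disabled sysctl (assumed check; a hook-based block
    will not show up here)."""
    try:
        with open("/proc/sys/kernel/modules_disabled") as f:
            return BLOCKED if f.read().strip() == "1" else ALLOWED
    except OSError:
        return UNAVAILABLE


def run_probes():
    """Run every probe and return a name -> state mapping."""
    return {
        "raw_socket_inet": raw_socket_probe(socket.AF_INET, socket.IPPROTO_ICMP),
        "raw_socket_inet6": raw_socket_probe(socket.AF_INET6, socket.IPPROTO_ICMPV6),
        "dev_mem": _probe_open("/dev/mem"),
        "dev_kmem": _probe_open("/dev/kmem"),
        "dev_port": _probe_open("/dev/port"),
        "proc_kcore": _probe_open("/proc/kcore"),
        "modules_disabled_sysctl": modules_disabled_probe(),
    }


def all_blocked(results):
    """True only when every probe that could actually be tested came back blocked."""
    testable = [v for v in results.values() if v != UNAVAILABLE]
    return bool(testable) and all(v == BLOCKED for v in testable)


if __name__ == "__main__":
    results = run_probes()
    for name, state in results.items():
        print("%-24s %s" % (name, state))
    print("all documented restrictions in effect:", all_blocked(results))
```

A result of "allowed" on any line means the corresponding restriction from the README is not in effect (the delay has not elapsed, the module is not loaded, or the kernel lacks the hook it needs). A full set of "blocked" results says only that these particular operations fail for this particular process; it says nothing about the other avenues the README itself lists, such as Netfilter or the hypervisor.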
This whole thing is incredibly stupid, but it is nonetheless an interesting exercise. If you have any sense at all, you won't go near this code and will discard this idea entirely. There are probably several ways to subvert it and a host of other subtle bugs. Some people might think that by hiding things from userspace, they actually hide things, but this could not be further from the truth.
However, if you simply want to be able to claim to people, "we don't have the ability to view internal or external IP addresses of any peers," and you really do lack the know-how to subvert this, then I suppose it might be somewhat useful. It's a strange property: this module only has utility in contexts where you don't know how to subvert it. This means that as you become smarter, this module will need to grow. This implies that either the guy writing it should be more knowledgeable than you are at the moment, or you yourself should be the author, exhausting all the current methods of subversion you can currently think of.
Probably, though, if you think you need this module, you should instead just design a system that has no remote access capabilities -- no `sshd` or `getty`.
Requirements
This uses the hooks provided by `CONFIG_SECURITY`, `CONFIG_SECURITY_NETWORK`, and `CONFIG_KALLSYMS_ALL`.
Installation
On a DKMS-enabled machine, simply run `make install`. Things should magically work from then on.
License
This project is released under the GPLv2.
Bugs
Probably there are a lot of them, by design. This module makes no attempt at plugging all holes and leaks, and the current methods used are prone to be buggy at best. Also, this won't work with paravirtualization, since it works primarily by twiddling with `cr0`; hence this code is also x86/amd64 only. On old kernels, this disables SELinux/AppArmor and does voodoo magic that might murder kittens to discover non-exported symbols. Such magic only works on 64-bit and its success may vary based on which compiler is in use. Since this disables raw sockets, if you want ping to work, you may need to allow ICMP sockets via `sysctl -w net.ipv4.ping_group_range="0 0"`.