## Blind Operator Mode
#### Written by Jason A. Donenfeld

##### _For clueless operators who wish to become more clueless._

Do not use this code unless you fully understand what it is not designed to do; this
is the first sentence of the README for a good reason. In fact, just don't use it.
It's mostly snake-oil. There are a million ways to subvert this. It's a fun little
toy, but it's not really much beyond a toy.

This here is a monkey-patcher that tinkers with the security hooks infrastructure,
rootkit-style, in order to intercept netlink messages. It then zeros out the
endpoints field and allowedips field of [WireGuard](https://www.wireguard.com/) peers.

It also prevents the creation of `AF_RAW` and `AF_INET(6)`/`SOCK_RAW` sockets,
in order to "break" tcpdump. It doesn't attempt to "break" other ways of
getting socket samples, such as Netfilter, however.

It prevents access to `/dev/{mem,kmem,port}` and `/proc/kcore`, and it disables
future module (un)loading. This doesn't prevent people from scribbling around with
other tricks, exploiting zero day vulnerabilities, looking inside from the hypervisor,
simply forgetting to actually load this module, or many other potential leaks and
subversion.

Ptrace, `/proc/PID/mem`, and coredumps are also disabled, to gain some rudimentary
support for hindering data extraction from userspace programs.

Disabling of modules and of raw sockets is delayed until 60 seconds after this
loads, in order to allow DHCP daemons to start and for other modules to be
loaded.

This whole thing is incredibly stupid, but it is nonetheless an interesting
exercise. If you have any sense at all, you won't go near this code and
will discard this idea entirely. There are probably several ways to subvert
it and a host of other subtle bugs. Some people might think that by hiding
things from userspace, they actually hide things, but this could not be
further from the truth.

However, if you simply want to be able to claim to people, "we don't have the
ability to view internal or external IP addresses of any peers," and you
really do lack the know-how to subvert this, then I suppose it might be
somewhat useful. It's a strange property: this module only has utility in
contexts where you don't know how to subvert it. This means that as you
become smarter, this module will need to grow. This implies that either the
guy writing it should be more knowledgeable than you are at the moment, or
you yourself should be the author, exhausting all the current methods of
subversion you can currently think of.

Probably, though, if you think you need this module, you should instead just
design a system that has no remote access capabilities -- no `sshd` or `getty`.

### Requirements

This uses the hooks provided by `CONFIG_SECURITY`, `CONFIG_SECURITY_NETWORK`,
and `CONFIG_KALLSYMS_ALL`.

### Installation

On a DKMS-enabled machine, simply run `make install`. Things should magically
work from then on.
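As an added preflight check (example code written here, not part of the blind-operator-mode project), the POSIX shell script below verifies that the running kernel was built with the three options named under Requirements before `make install` is attempted. It assumes the kernel config is readable either at `/boot/config-$(uname -r)` or through `/proc/config.gz`; the `bom-preflight` name and the `--check` flag are hypothetical. It confirms only the build prerequisites and says nothing about whether the module's interception actually holds once loaded, which the README is explicit it may not.

```shell
#!/bin/sh
# bom-preflight: added example, not part of the blind-operator-mode project.
# Checks that the running kernel's config enables the options the README
# requires.  Assumes they must be built in ("=y"): LSM hooks and the full
# kallsyms table cannot be supplied by a loadable module.

BOM_REQUIRED_OPTS="CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_KALLSYMS_ALL"

# kconfig_value FILE OPT: print OPT's value from a plain-text kernel config
# ("y", "m", or a literal value); print "n" when OPT is absent or commented out
# ("# CONFIG_FOO is not set").  The trailing "=" keeps CONFIG_SECURITY from
# matching CONFIG_SECURITY_NETWORK.
kconfig_value() {
    val=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'n\n'
}

# check_kconfig FILE: print one line per required option; return 0 only when
# every option is "=y", 1 otherwise.
check_kconfig() {
    rc=0
    for opt in $BOM_REQUIRED_OPTS; do
        v=$(kconfig_value "$1" "$opt")
        if [ "$v" = "y" ]; then
            echo "ok      $opt=y"
        else
            echo "MISSING $opt (found: $v)"
            rc=1
        fi
    done
    return $rc
}

# running_kconfig: print the path of a plain-text config for the running
# kernel, decompressing /proc/config.gz into a temp file when that is the
# only source.  Returns 1 when no config can be found.
running_kconfig() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        out=$(mktemp) && gzip -dc /proc/config.gz > "$out" && echo "$out"
    else
        echo "no kernel config found for $(uname -r)" >&2
        return 1
    fi
}

# main: locate the config and run the check; exit status mirrors check_kconfig.
main() {
    cfg=$(running_kconfig) || return 1
    echo "checking $cfg"
    check_kconfig "$cfg"
}

# Only act when invoked as "sh bom-preflight.sh --check", so the functions can
# also be sourced into another script without side effects.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh bom-preflight.sh --check` before `make install`; a non-zero exit means at least one option is missing and the module has no hooks to attach to, regardless of what DKMS reports.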

### License

This project is released under the [GPLv2](COPYING).

### Bugs

Probably there are a lot of them, by design. This module makes no attempt at
plugging all holes and leaks, and the current methods used are prone to be
buggy at best. Also, this won't work with paravirtualization, since it works
primarily by twiddling with `cr0`; hence this code is also x86/amd64 only. On
old kernels, this disables SELinux/AppArmor and does voodoo magic that might
murder kittens to discover non-exported symbols. Such magic only works on 64-bit
and its success may vary based on which compiler is in use. Since this disables
raw sockets, if you want ping to work, you may need to allow ICMP sockets via
`sysctl -w net.ipv4.ping_group_range="0 0"`.