diff --git a/net/core/dev.c b/net/core/dev.c
index fca407b..3eeb42b 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6669,6 +6669,26 @@ int dev_change_flags(struct net_device *dev, unsigned int flags)
 changes = (old_flags ^ dev->flags) | (old_gflags ^ dev->gflags);
 __dev_notify_flags(dev, old_flags, changes);
+
+#ifdef CONFIG_RANDOM_MAC_ADDRESS
+ if ((changes & IFF_UP) && !(old_flags & IFF_UP)) {
+ /* randomize MAC whenever interface is brought up */
+ struct sockaddr sa;
+ unsigned int mac4;
+ unsigned short mac2;
+
+ mac4 = prandom_u32();
+ mac2 = prandom_u32();
+ memcpy(sa.sa_data, &mac4, sizeof(mac4));
+ memcpy((char *)sa.sa_data + sizeof(mac4), &mac2, sizeof(mac2));
+ if (!is_valid_ether_addr(sa.sa_data))
+ sa.sa_data[5] = 1;
+ sa.sa_data[0] &= 0xFC;
+ sa.sa_family = dev->type;
+ dev_set_mac_address(dev, &sa);
+ }
+#endif
+
 return ret;
 }
 EXPORT_SYMBOL(dev_change_flags);
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index b94b1d2..b020d15 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -463,7 +463,12 @@
 sizeof(struct ifreq)))
 ret = -EFAULT;
 }
+#ifdef CONFIG_RANDOM_MAC_ADDRESS
+ /* Don't reveal the permanent MAC address */
+ return -EINVAL;
+#else
 return ret;
+#endif
 /*
 * These ioctl calls:
diff --git a/security/Kconfig b/security/Kconfig
index 93027fd..6b7b6fc 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -67,6 +67,14 @@ config SECURITY_NETWORK_XFRM
 IPSec. If you are unsure how to answer this question, answer N.
+config RANDOM_MAC_ADDRESS
+ bool "Use random MAC adresses"
+ default n
+ help
+ Say Y here for randomize the MAC addresses of network interfaces.
+ This option is recommended for people who want to increase their privacy.
+ If you are unsure how to answer this question, answer N.
+
 config SECURITY_PATH
 bool "Security hooks for pathname based access control"
 depends on SECURITY
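Review bot: The result of `dev_set_mac_address()` is discarded at the end of the added block in dev_change_flags, and the call runs after the interface has already been brought up, so on a driver that refuses an address change on a running device the randomization would fail without any trace (inferred; no driver code is visible here). The bytes come from `prandom_u32()`, which is not a cryptographic generator, so successive addresses may be predictable or linkable; `get_random_bytes()` suits a privacy feature better. `is_valid_ether_addr()` is checked before `sa.sa_data[0] &= 0xFC`, so 02:00:00:00:00:00 passes the check and is then masked to the all-zero address. `sa` is also uninitialized beyond the six written bytes while the block runs for every device type, which could hand stack bytes to a device whose address is longer than six bytes. The fence restricts the block to Ethernet devices, masks before validating and logs a failure; the body of dev_change_flags starts outside the hunk.

```c
	if ((changes & IFF_UP) && !(old_flags & IFF_UP) &&
	    dev->type == ARPHRD_ETHER && dev->addr_len == ETH_ALEN) {
		/* zero-initialized so no stack bytes reach the driver */
		struct sockaddr sa = { .sa_family = dev->type };
		int err;

		do {
			get_random_bytes(sa.sa_data, ETH_ALEN);
			sa.sa_data[0] &= 0xFC;	/* mask first, then validate */
		} while (!is_valid_ether_addr(sa.sa_data));

		err = dev_set_mac_address(dev, &sa);
		if (err)
			netdev_warn(dev, "MAC randomization failed: %d\n", err);
	}
```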
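Review bot: The added `return -EINVAL;` sits after the `copy_to_user(arg, &ifr, sizeof(struct ifreq))` visible in the context lines, so the caller's buffer has already been filled by the time the error is returned and nothing is actually withheld. The case labels are outside the hunk, but if this is a return path shared by several read-only ioctls, every one of them now reports failure when the option is enabled, not only the hardware-address query. The rejection belongs before the lookup and copy, limited to the one command concerned, e.g. `if (cmd == SIOCGIFHWADDR) return -EINVAL;` (assuming that is the command meant). The comment says "permanent" address, which as far as I know is normally exposed through ethtool and not through this path, so it is worth confirming which interface the patch intends to close.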
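Review bot: The help text for RANDOM_MAC_ADDRESS does not tell the user what the option changes beyond randomization: with it enabled the ioctl return path patched in net/core/dev_ioctl.c returns -EINVAL, and the address changes on every interface-up, which can break DHCP reservations and MAC-based access control. I would spell that out in the help and fix the wording, `bool "Use random MAC addresses"` and `Say Y here to randomize the MAC addresses of network interfaces.` Since the code lives under net/core, a `depends on NET` line would keep the symbol from being offered on kernels built without networking.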