posture: add network hardware addresses to posture identity

If an optional `hwaddrs` URL parameter is present, add network interface
hardware addresses to the posture identity response.

Just like with serial numbers, this requires client opt-in via MDM or
`tailscale set --posture-checking=true`
(https://tailscale.com/kb/1326/device-identity)

Updates tailscale/corp#21371

Signed-off-by: Anton Tolchanov <anton@tailscale.com>

ipn/ipnlocal/c2n.go

@@ -318,7 +318,7 @@ func handleC2NPostureIdentityGet(b *LocalBackend, w http.ResponseWriter, r *http
 
 	res := tailcfg.C2NPostureIdentityResponse{}
 
-	// Only collect serial numbers if enabled on the client,
+	// Only collect posture identity if enabled on the client,
 	// this will first check syspolicy, MDM settings like Registry
 	// on Windows or defaults on macOS. If they are not set, it falls
 	// back to the cli-flag, `--posture-checking`.
@@ -337,8 +337,17 @@ func handleC2NPostureIdentityGet(b *LocalBackend, w http.ResponseWriter, r *http
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
-
 		res.SerialNumbers = sns
+
+		// TODO(tailscale/corp#21371, 2024-07-10): once this has landed in a stable release
+		// and looks good in client metrics, remove this parameter and always report MAC
+		// addresses.
+		if r.FormValue("hwaddrs") == "true" {
+			res.IfaceHardwareAddrs, err = posture.GetHardwareAddrs()
+			if err != nil {
+				b.logf("c2n: GetHardwareAddrs returned error: %v", err)
+			}
+		}
 	} else {
 		res.PostureDisabled = true
 	}