Overview
kprotect is a kernel-level security engine designed to protect your sensitive data from supply-chain attacks (like malicious Python or Node.js libraries). It stands as an independent security layer for the most sensitive files.
- eBPF-LSM Enforcement: Intercepts file access at the kernel level based on path patterns and wildcards (e.g., `*.env`, `/home/user/.ssh/*`).
- Lineage Verification: Validates the process chain rather than just a single binary.
  - ✅ VS Code → Terminal → cat (authorized chain)
  - ❌ VS Code → Terminal → python script.py → cat (unauthorized chain, blocked)
- Comprehensive Interface: Includes a system daemon, a CLI tool, and a desktop GUI.
Core Technologies
kprotect is built around modern systems programming concepts:
- Memory Safety: The backend daemon is written in Rust, with kernel hooks utilizing eBPF-LSM.
- Low Overhead: Enforcing in BPF LSM hooks avoids the round trip to a userspace policy engine (and the context switches it costs) that traditional approaches need. Micro-benchmarks show minimal impact: +12.8 µs per process spawn and +0.53 µs per file open.
- Process Hashing: Implements FNV-1a for fast, deterministic hashing of process lineage chains in kernel space.
- Encrypted Storage: State and logs are encrypted using AES-256-GCM, with keys derived via HKDF-SHA256 and bound to the local machine (`/etc/machine-id`).
- Script Awareness: Features an enrichment engine that parses arguments for interpreters (`python exploit.py` vs `python tool.py`).
- Lineage-Based Sudo (Quick Sudo): A custom PAM module provides passwordless elevation restricted to specific process chains.
Execution Lineage concept
Rather than validating individual files, kprotect validates the execution pathway:
- Lineage Tracking: Every process has a unique signature derived from its parent's signature and its own executable path.
- Kernel-Space Hashing: Signatures are computed using FNV-1a hashing in kernel space, creating a chain from the init process down to the leaf.
- Red Zones: Sensitive locations (e.g., `~/.ssh/id_rsa`, `.env` files, browser cookies) are designated as protected paths.
- Least Privilege: Access to Red Zones, even by root processes, is blocked unless the specific execution lineage has been explicitly authorized.
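To make the lineage model concrete, here is an added, self-contained model of the policy decision described in this section and in the enforcement and script-awareness bullets above. It is illustrative code written for this page, not kprotect's own eBPF or daemon code: the exact way kprotect folds a parent signature into a child's, its interpreter list, its wildcard semantics and its "Suffix" matching rule are all assumptions here. The sample lineages and paths are constructed.

```rust
// Illustrative lineage-policy model (added example, not kprotect's code).
// Assumptions: 64-bit FNV-1a chained parent -> child, a fixed interpreter
// list, `*` as the only wildcard, and "Suffix" mode meaning the authorized
// chain must equal the tail of the observed chain.

const FNV_OFFSET: u64 = 0xcbf2_9ce4_8422_2325;
const FNV_PRIME: u64 = 0x0000_0100_0000_01b3;

/// 64-bit FNV-1a over `data`, starting from `seed` so a parent's signature
/// can be folded into its child's.
fn fnv1a(seed: u64, data: &[u8]) -> u64 {
    data.iter()
        .fold(seed, |h, &b| (h ^ u64::from(b)).wrapping_mul(FNV_PRIME))
}

/// Interpreters whose script argument becomes part of the lineage element
/// (assumed list, for illustration only).
const INTERPRETERS: &[&str] = &["/usr/bin/python3", "/usr/bin/python", "/usr/bin/node", "/usr/bin/bash"];

/// Lineage element for one process: its executable path, plus the first
/// non-flag argument for interpreters, so `python tool.py` and
/// `python exploit.py` yield different elements and different signatures.
fn lineage_element(exe: &str, argv: &[&str]) -> String {
    if INTERPRETERS.contains(&exe) {
        if let Some(script) = argv.iter().skip(1).find(|a| !a.starts_with('-')) {
            return format!("{} {}", exe, script);
        }
    }
    exe.to_string()
}

/// Chain signature: fold every element over the parent's signature, from init
/// down to the leaf, so the leaf's signature commits to its whole ancestry.
fn chain_signature(chain: &[String]) -> u64 {
    chain.iter().fold(FNV_OFFSET, |sig, el| fnv1a(sig, el.as_bytes()))
}

/// Suffix-mode authorization: `authorized` must equal the tail of `observed`.
/// "bash,cat" therefore authorizes "...,code,bash,cat" but not
/// "...,bash,python3 script.py,cat".
fn suffix_authorized(observed: &[String], authorized: &[&str]) -> bool {
    if authorized.is_empty() || authorized.len() > observed.len() {
        return false;
    }
    let tail = &observed[observed.len() - authorized.len()..];
    tail.iter().zip(authorized).all(|(o, a)| o.as_str() == *a)
}

/// Minimal red-zone glob: `*` matches any run of characters (including `/`),
/// everything else is literal.
fn glob_match(pattern: &str, path: &str) -> bool {
    fn go(p: &[char], s: &[char]) -> bool {
        match (p.first(), s.first()) {
            (None, None) => true,
            (Some(&'*'), _) => go(&p[1..], s) || (!s.is_empty() && go(p, &s[1..])),
            (Some(pc), Some(sc)) if pc == sc => go(&p[1..], &s[1..]),
            _ => false,
        }
    }
    let p: Vec<char> = pattern.chars().collect();
    let s: Vec<char> = path.chars().collect();
    go(&p, &s)
}

#[derive(Debug, PartialEq)]
enum Verdict {
    Allow,
    Deny,
}

/// The decision a `file_open` hook would make: opens outside red zones pass
/// through to normal DAC; opens inside a red zone pass only when the caller's
/// lineage ends in an explicitly authorized suffix, regardless of uid.
fn file_open_verdict(path: &str, chain: &[String], red_zones: &[&str], authorized: &[&[&str]]) -> Verdict {
    if !red_zones.iter().any(|z| glob_match(z, path)) {
        return Verdict::Allow;
    }
    if authorized.iter().any(|a| suffix_authorized(chain, a)) {
        Verdict::Allow
    } else {
        Verdict::Deny
    }
}

fn main() {
    let red_zones = ["*.env", "/home/user/.ssh/*"];
    let bash_to_cat: &[&str] = &["/usr/bin/bash", "/usr/bin/cat"];
    let authorized = [bash_to_cat];
    // Constructed sample lineages (not real captures): both start at init and
    // the editor; the second one routes through a Python script before cat.
    let direct = vec![
        lineage_element("/usr/lib/systemd/systemd", &["systemd"]),
        lineage_element("/usr/bin/code", &["code"]),
        lineage_element("/usr/bin/bash", &["bash"]),
        lineage_element("/usr/bin/cat", &["cat", "/home/user/.ssh/id_rsa"]),
    ];
    let via_script = vec![
        lineage_element("/usr/lib/systemd/systemd", &["systemd"]),
        lineage_element("/usr/bin/code", &["code"]),
        lineage_element("/usr/bin/bash", &["bash"]),
        lineage_element("/usr/bin/python3", &["python3", "script.py"]),
        lineage_element("/usr/bin/cat", &["cat", "/home/user/.ssh/id_rsa"]),
    ];
    for (name, chain) in [("direct", &direct), ("via_script", &via_script)].iter() {
        println!("{:<10} sig={:016x} open(id_rsa) => {:?}", name, chain_signature(chain),
            file_open_verdict("/home/user/.ssh/id_rsa", chain, &red_zones, &authorized));
    }
}
```

The point the run makes is the one the section makes: `cat` is the same binary in both chains, yet only the chain whose tail is exactly `bash → cat` is allowed to open the key, and the interpreter's script argument is part of the identity, so inserting `python3 script.py` changes both the signature and the verdict.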
✨ Features
- Kernel-Level Enforcement: Uses BPF LSM hooks (`bprm_committed_creds`, `file_open`) for near-zero overhead and bypass-resistant protection.
- Encrypted Configuration: All policies, authorizations, and logs are encrypted at rest using AES-256-GCM, keyed by a hardware-bound or system-specific secret.
- Rich Observability: Live security event stream from the kernel hooks (`kprotect-cli events --stream`) and the desktop dashboard.
- Multiple Interfaces: System daemon, CLI tool, and desktop GUI.
- Dynamic Enrichment: Captures process arguments for interpreters (Python, Node, Bash) to distinguish between `python safe_script.py` and `python malicious_script.py`.
- Quick Sudo (Lineage-Auth): Configure complex lineage chains (e.g. `VS Code → Terminal → deploy.sh`) to bypass `sudo` password prompts securely, without broad `NOPASSWD` rules in `/etc/sudoers`.
🏗️ Architecture
```mermaid
graph TD
    subgraph Kernel Space
        LSM[BPF LSM Hooks]
        Maps[eBPF Maps: Signatures, Auth, Zones]
    end
    subgraph Userspace
        Daemon[kprotect-daemon]
        CLI[kprotect-cli]
        GUI[kprotect-gui]
    end
    LSM -->|Perf Events| Daemon
    Daemon -->|Update Maps| Maps
    CLI -->|Unix Socket| Daemon
    GUI -->|Unix Socket| Daemon
```
📂 Project Structure
kprotect consists of two main components that should be installed in order:
- kprotect Core: The background daemon and CLI tool (Kernel interaction).
- kprotect GUI: The desktop dashboard for manageability.
🛠️ Installation & Setup
1. Prerequisites
- Linux Kernel 5.10+ with BPF LSM support.
- Kernel Parameters: Ensure the `lsm=` boot parameter includes `bpf` (e.g. `lsm=lockdown,yama,apparmor,bpf`). You can check the active LSM list with `cat /sys/kernel/security/lsm`.
2. Core Engine Installation (Required)
Install the daemon first to enable kernel-level protection:
```bash
# Install the core debian package
sudo apt install ./target/kprotect_0.2.0-beta-1_amd64.deb
```
The installer will automatically set up the systemd service.
3. Desktop GUI Installation (Optional)
Install the GUI for a visual management experience:
```bash
# Install the GUI package
sudo apt install ./kprotect-ui/src-tauri/target/release/bundle/deb/kprotect-ui_0.2.0-beta_amd64.deb
```
⚠️ IMPORTANT: Post-Installation
Please RESTART your computer after the first installation.
kprotect needs to track process lineage from the moment the system boots. Processes started before the daemon was installed will be marked as "No Chain" and cannot be accurately authorized.
💻 Developer: Building from Source
If you are building the project yourself, use the included helper scripts:
```bash
# Build the Core (Daemon & CLI)
./scripts/build_deb.sh
# Build the Desktop GUI
./scripts/build_gui.sh
```
⌨️ Basic CLI Usage
While the GUI is recommended, you can manage everything via kprotect-cli:
```bash
# Check system and eBPF map capacity
sudo kprotect-cli status
# View live security events
sudo kprotect-cli events --stream
# Authorize a bash-to-cat chain
sudo kprotect-cli authorize add "/usr/bin/bash,/usr/bin/cat" --mode Suffix --description "Dev tools"
# Protect a sensitive file
sudo kprotect-cli zone add red "/home/user/.ssh/id_rsa"
```
📂 Project Organization
- kprotect-ebpf: The "brain" in the kernel. High-performance C-like Rust code using `aya`.
- kprotect-daemon: The central hub. Manages eBPF lifetime, encryption, and state.
- kprotect-cli: Lightweight interaction tool.
- kprotect-ui: Desktop UI built with Tauri + React + Vite + TailwindCSS.
- kprotect-common: Shared data structures and protocol definitions.
💖 Support the Project
If you find kprotect useful and want to support its development, consider buying me a coffee! Your support helps me dedicate more time to improving kprotect, adding new features, and maintaining the project.
Every contribution, no matter how small, is deeply appreciated and motivates me to keep building better security tools for the Linux community. Thank you! 🙏
📝 License
This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). See the LICENSE file for details.
Developed by khoinp1012

