GitHub - khoinp1012/kprotect


🛡️ kprotect

kprotect Dashboard

Overview

kprotect is a kernel-level security engine designed to protect your sensitive data from supply-chain attacks (like malicious Python or Node.js libraries). It stands as an independent security layer for the most sensitive files.

  • eBPF-LSM Protection: Intercepts file access at the kernel level based on path patterns and wildcards (e.g., *.env, home/user/.ssh/*).
  • Chain of Trust: Instead of trusting just a binary, kprotect validates the process lineage.
    • VS Code → Terminal → cat (allowed if you authorized this chain)
    • VS Code → Terminal → python unsafe.py → cat (this cannot read your file because the chain is invalid)
  • Testing Ready: Includes a robust system daemon, a power-user CLI, and a modern desktop GUI. All functions are implemented.

🚀 Key Engineering Highlights

  • Kernel-Level Enforcement: Uses BPF LSM hooks for zero-bypass security (unlike ptrace-based tools).
  • Process Lineage Tracking: Implements a sophisticated lineage engine to detect "Living off the Land" (LotL) attacks.
  • Modern Stack: Built with Aya (Rust-based eBPF) for memory safety and Tauri for a lightweight, secure management UI.
  • Low Overhead: Optimized eBPF maps for real-time monitoring with minimal CPU jitter.

🛠 Architecture & Design Decisions

  • Aya (Rust): Chosen to ensure memory safety in the userspace daemon while maintaining a shared codebase with the eBPF probes.
  • LSM Hooks: Targeted file_open, bprm_check_security, and task_alloc to cover the full lifecycle of a threat.

✨ Features

  • Kernel-Level Enforcement: Uses BPF LSM hooks (bprm_committed_creds, file_open) for near-zero overhead and bypass-resistant protection.
  • Encrypted Configuration: All policies, authorizations, and logs are encrypted at rest using AES-256-GCM, keyed by a hardware-bound or system-specific secret.
  • Rich Observability:
  • Multiple Interfaces:
    • kprotect-daemon: The core engine running as a systemd service.
    • kprotect-cli: Direct command-line management.
    • kprotect-gui: A modern, sleek desktop application built with Tauri and React.
  • Dynamic Enrichment: Captures process arguments for interpreters (Python, Node, Bash) to distinguish between python safe_script.py and python malicious_script.py.

🏗️ Architecture

graph TD
    subgraph Kernel Space
        LSM[BPF LSM Hooks]
        Maps[eBPF Maps: Signatures, Auth, Zones]
    end

    subgraph Userspace
        Daemon[kprotect-daemon]
        CLI[kprotect-cli]
        GUI[kprotect-gui]
    end

    LSM -->|Perf Events| Daemon
    Daemon -->|Update Maps| Maps
    CLI -->|Unix Socket| Daemon
    GUI -->|Unix Socket| Daemon

📂 Project Structure

kprotect consists of two main components that should be installed in order:

  1. kprotect Core: The background daemon and CLI tool (Kernel interaction).
  2. kprotect GUI: The desktop dashboard for manageability.

🛠️ Installation & Setup

1. Prerequisites

  • Linux Kernel 5.10+ with BPF LSM support.
  • Kernel Parameters: Ensure the kernel's lsm= boot parameter (e.g., lsm=lockdown,yama,apparmor,bpf) includes bpf. You can check the active LSM list with cat /sys/kernel/security/lsm.

2. Core Engine Installation (Required)

Install the daemon first to enable kernel-level protection:

# Install the core debian package
sudo apt install ./target/kprotect_0.1.0-beta-1_amd64.deb

The installer will automatically set up the systemd service.

3. Desktop GUI Installation (Optional)

Install the GUI for a visual management experience:

# Install the GUI package
sudo apt install ./kprotect-ui/src-tauri/target/release/bundle/deb/kprotect-ui_0.1.0-beta_amd64.deb

⚠️ IMPORTANT: Post-Installation

Please RESTART your computer after the first installation.
kprotect needs to track process lineage from the moment the system boots. Processes started before the daemon was installed will be marked as "No Chain" and cannot be accurately authorized.


💻 Developer: Building from Source

If you are building the project yourself, use the included helper scripts:

# Build the Core (Daemon & CLI)
./scripts/build_deb.sh

# Build the Desktop GUI
./scripts/build_gui.sh

⌨️ Basic CLI Usage

While the GUI is recommended, you can manage everything via kprotect-cli:

# Check system and eBPF map capacity
sudo kprotect-cli status

# View live security events
sudo kprotect-cli events --stream

# Authorize a bash-to-cat chain
sudo kprotect-cli authorize add "/usr/bin/bash,/usr/bin/cat" --mode Suffix --description "Dev tools"

# Protect a sensitive file
sudo kprotect-cli zone add red "/home/user/.ssh/id_rsa"
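The two checks the README describes (the red-zone path patterns from the Overview and the Suffix-mode chain authorization used by the authorize/zone commands above), modelled as an added userspace illustration that is not kprotect's own code. It assumes that a zone pattern is a glob in which * is the only wildcard, that a lineage is listed root-first, and that Suffix mode means the authorized chain must equal the tail of the lineage; the enforcement itself lives in the eBPF LSM hook, not here.

```rust
// Added illustration (not kprotect's own code). Assumed semantics: a red-zone
// pattern is a glob where '*' is the only wildcard, and a Suffix-mode
// authorization matches when the chain equals the tail of the process lineage.

/// Glob match where '*' matches any run of characters (including '/').
fn glob_match(pattern: &str, path: &str) -> bool {
    let p: Vec<char> = pattern.chars().collect();
    let s: Vec<char> = path.chars().collect();
    let (mut pi, mut si, mut star, mut mark) = (0usize, 0usize, None::<usize>, 0usize);
    while si < s.len() {
        if pi < p.len() && p[pi] == s[si] {
            pi += 1; si += 1;
        } else if pi < p.len() && p[pi] == '*' {
            star = Some(pi); mark = si; pi += 1;          // remember the star, try empty match
        } else if let Some(sp) = star {
            pi = sp + 1; mark += 1; si = mark;            // backtrack: star eats one more char
        } else {
            return false;
        }
    }
    while pi < p.len() && p[pi] == '*' { pi += 1; }       // trailing stars match nothing
    pi == p.len()
}

/// Is `path` inside any protected (red) zone?
fn in_red_zone(zones: &[&str], path: &str) -> bool {
    zones.iter().any(|z| glob_match(z, path))
}

/// Suffix mode: an authorized chain must equal the tail of the lineage (root first).
fn chain_authorized(authorized: &[Vec<&str>], lineage: &[&str]) -> bool {
    authorized.iter().any(|chain| lineage.ends_with(chain))
}

/// Decision for a file_open: outside a red zone always passes; inside one,
/// only a process whose lineage ends with an authorized chain passes.
fn allow_open(zones: &[&str], authorized: &[Vec<&str>], lineage: &[&str], path: &str) -> bool {
    !in_red_zone(zones, path) || chain_authorized(authorized, lineage)
}

fn main() {
    // Constructed sample policy mirroring the README's examples.
    let zones = ["*.env", "/home/user/.ssh/*"];
    let authorized = vec![vec!["/usr/bin/bash", "/usr/bin/cat"]];
    let direct = ["/usr/bin/code", "/usr/bin/bash", "/usr/bin/cat"];
    let via_py = ["/usr/bin/code", "/usr/bin/bash", "/usr/bin/python3", "/usr/bin/cat"];
    println!("bash->cat:          {}", allow_open(&zones, &authorized, &direct, "/home/user/.ssh/id_rsa")); // true
    println!("bash->python->cat:  {}", allow_open(&zones, &authorized, &via_py, "/home/user/.ssh/id_rsa")); // false
}
```

Because the match is on the whole lineage tail, a bash-to-cat authorization does not carry over once an interpreter sits between them, which is the "invalid chain" case from the Overview.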

📂 Project Organization

  • kprotect-ebpf: The "brain" in the kernel. High-performance C-like Rust code using aya.
  • kprotect-daemon: The central hub. Manages eBPF lifetime, encryption, and state.
  • kprotect-cli: Light-weight interaction tool.
  • kprotect-ui: Desktop UI built with Tauri + React + Vite + TailwindCSS.
  • kprotect-common: Shared data structures and protocol definitions.

💖 Support the Project

If you find kprotect useful and want to support its development, consider buying me a coffee! Your support helps me dedicate more time to improving kprotect, adding new features, and maintaining the project.


Every contribution, no matter how small, is deeply appreciated and motivates me to keep building better security tools for the Linux community. Thank you! 🙏


📝 License

This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). See the LICENSE file for details.


Developed by khoinp1012