How it works: It uses BPF LSM (Linux Security Modules) to intercept file access at the kernel level. Instead of just checking the PID or the binary name, it looks at the entire lineage (the "Chain of Trust"). For example, cat is only allowed to read my SSH keys if the parent process is my-terminal and the grandparent is vscodium.
Key Tech:
- Backend: Rust + Aya (for the eBPF bits).
- Frontend: Tauri + React for the dashboard.
- Security: Logs and configs are AES-encrypted to prevent tampering.
It’s currently in beta (0.1.0). It requires a kernel (5.10+) with BPF LSM enabled. I'd love to hear feedback on the "Chain of Trust" logic—specifically if anyone sees edge cases in how I'm verifying the process ancestors. GitHub: https://github.com/khoinp1012/kprotect
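The lineage check described above, written out as an added example in plain userspace Rust (not kprotect's own code, which runs inside an eBPF LSM hook): the process table, the protected path and the `cat` / `my-terminal` / `vscodium` rule are constructed for the example. It also shows two edge cases worth handling explicitly: a process whose parent has exited and been reparented to init yields a chain shorter than the rule, and a bogus ppid cycle must not spin the walk forever.

```rust
use std::collections::HashMap;

/// One process-table record: parent PID and executable name (comm).
/// Constructed for this example; in the LSM hook this comes from task_struct.
struct Proc { ppid: u32, comm: &'static str }

/// Required lineage for a protected path, innermost first
/// (the accessing process, then its parent, then grandparent, ...).
struct Rule { path: &'static str, lineage: &'static [&'static str] }

/// Walk up from `pid`, collecting comm names. Stops at PID 0 (init's parent)
/// or at a missing parent; `max_depth` guards against a corrupted ppid loop.
fn ancestry(table: &HashMap<u32, Proc>, mut pid: u32, max_depth: usize) -> Vec<&'static str> {
    let mut chain = Vec::new();
    while let Some(p) = table.get(&pid) {
        chain.push(p.comm);
        if p.ppid == 0 || chain.len() >= max_depth { break; }
        pid = p.ppid;
    }
    chain
}

/// Allow only if every expected ancestor is present, in order. A chain that is
/// shorter than the rule (orphaned process reparented to init) is a denial:
/// a missing ancestor is a failed check, never an implicit pass.
fn allowed(rules: &[Rule], table: &HashMap<u32, Proc>, pid: u32, path: &str) -> bool {
    match rules.iter().find(|r| r.path == path) {
        None => true, // unprotected path: the hook does not interfere
        Some(rule) => {
            let chain = ancestry(table, pid, 32);
            chain.len() >= rule.lineage.len()
                && rule.lineage.iter().zip(chain.iter()).all(|(want, got)| want == got)
        }
    }
}

/// Constructed sample process tree for the example.
fn sample_table() -> HashMap<u32, Proc> {
    HashMap::from([
        (1,   Proc { ppid: 0,   comm: "init" }),
        (100, Proc { ppid: 1,   comm: "vscodium" }),
        (200, Proc { ppid: 100, comm: "my-terminal" }),
        (300, Proc { ppid: 200, comm: "cat" }), // trusted chain
        (201, Proc { ppid: 100, comm: "bash" }),
        (301, Proc { ppid: 201, comm: "cat" }), // wrong parent
        (302, Proc { ppid: 1,   comm: "cat" }), // orphaned, reparented to init
    ])
}

const RULES: &[Rule] = &[Rule { path: "/home/user/.ssh/id_ed25519", lineage: &["cat", "my-terminal", "vscodium"] }];
```

Matching on comm alone is the weakest form of this check, since a process sets its own comm; a policy keyed on the executable path or hash of each ancestor is harder to satisfy by renaming.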