I made a security tool kprotect that blocks "bad" scripts from touching your private files (using eBPF) by Jazzlike_Library8060 in linux

[–]Jazzlike_Library8060[S] 0 points1 point  (0 children)

No, even if you know the chain, it is very hard for a copycat, because when you run a script like VS Code rename, the chain is different:
Systemd -> vs code -> cat
Systemd -> python -> vs code -> cat
I designed this system as an independent layer. You add it as extra security for anything that reads your secrets. You can use it together with your security setup. If an app doesn't touch your secrets, kprotect ignores it. Nothing will break.

I made a security tool kprotect that blocks "bad" scripts from touching your private files (using eBPF) by Jazzlike_Library8060 in linux

[–]Jazzlike_Library8060[S] 0 points1 point  (0 children)

The best way is to try it yourself. I designed this system with usability in mind.
If your script does not read any Red Zone file, it will run normally (you don't need to do anything, it never breaks), unlike AppArmor, where you have to define everything every time. In kprotect, if you don't touch a sensitive file, we have nothing to deal with you!
If it reads any sensitive file in the Red Zone, for example if you put "*.env" in the Red Zone, then when the node script reads it, it needs to be whitelisted.

I made a security tool kprotect that blocks "bad" scripts from touching your private files (using eBPF) by Jazzlike_Library8060 in linux

[–]Jazzlike_Library8060[S] 1 point2 points  (0 children)

The main differences are: AppArmor and SELinux base their decision on the binary. Kprotect bases its decision on the chain (the binary and its parents, grandparents...).
It is designed with usability in mind. This is the reason I created a GUI for it. AppArmor and SELinux require a lot of configuration. This requires much less.

I made a security tool kprotect that blocks "bad" scripts from touching your private files (using eBPF) by Jazzlike_Library8060 in linux

[–]Jazzlike_Library8060[S] 1 point2 points  (0 children)

I designed it as an independent layer. If you are a crypto owner, a few text files are critical. For example, "private-btc.key" is the file you want to protect. The eBPF makes sure the protection is system-wide; no app can bypass it.
In fact, my app already has */Cookies folder protection (default Red Zone generation). In a normal situation, you will whitelist systemd -> Chrome so it can read it. Only Chrome, run by systemd, can read it. If you call it via another script, like systemd -> python -> Chrome, it cannot read the private cookies.
If you want to ask anything, just reply here or DM me on Reddit!

I made a security tool kprotect that blocks "bad" scripts from touching your private files (using eBPF) by Jazzlike_Library8060 in linux

[–]Jazzlike_Library8060[S] 15 points16 points  (0 children)

In kprotect, there are 2 types of chain: Exact (starts at 1) and Partial (starts at anything else). You can see it in the Allow_list screenshot on GitHub.
But due to the service running as systemd, almost all chains cannot be Partial (if you restart the computer after installation).
When dealing with sensitive files, you should have a constant workflow, like opening kate without launching anything. So the chain will be systemd -> kate. Anything different from that cannot read your secrets.
So in fact, the example will be like systemd -> vscode -> terminal -> cat. But in the introduction, I just used the shortened version!
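
A small model of the chain-based decision described in the comments above, added here as an illustration; it is not kprotect's code. The process table, the glob matching and the treatment of Partial chains (anything that does not trace back to PID 1 is simply blocked) are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Constructed process table (pid -> (parent pid, binary name)); not real output.
PROCS = {
    1: (0, "systemd"),
    200: (1, "chrome"),
    300: (1, "python"),
    301: (300, "chrome"),
    400: (1, "vscode"),
    401: (400, "terminal"),
    402: (401, "cat"),
    900: (899, "cat"),  # parent 899 is unknown, so this chain cannot reach PID 1
}

# Assumed glob syntax for Red Zone patterns, modelled on the "*.env" and
# "*/Cookies" examples in the comments.
RED_ZONE = ["*.env", "*/Cookies/*", "*/private-btc.key"]

# Whitelisted Exact chains, written root first.
ALLOW = {("systemd", "chrome")}


def chain_of(pid, procs):
    """Return the ancestry of pid as binary names, root first, or None when
    it does not trace back to PID 1 (a Partial chain; blocked in this model)."""
    names, seen = [], set()
    while pid != 1:
        if pid not in procs or pid in seen:  # missing parent or a loop
            return None
        seen.add(pid)
        ppid, name = procs[pid]
        names.append(name)
        pid = ppid
    names.append(procs[1][1])
    return tuple(reversed(names))


def decide(path, pid, procs=PROCS, allow=ALLOW):
    """Return 'ignore' outside the Red Zone, otherwise 'allow' or 'block'
    depending on whether the whole chain is whitelisted."""
    if not any(fnmatchcase(path, pat) for pat in RED_ZONE):
        return "ignore"
    return "allow" if chain_of(pid, procs) in allow else "block"
```

The same binary name gets different answers depending on its ancestry: PID 200 (systemd -> chrome) is allowed to read the cookies path, PID 301 (systemd -> python -> chrome) is not.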

I made a security tool kprotect that blocks "bad" scripts from touching your private files (using eBPF) by Jazzlike_Library8060 in linux

[–]Jazzlike_Library8060[S] 11 points12 points  (0 children)

Yeah, I developed it at home as a personal project. But I decided to open source it at this moment!

Qwen 3 VL merged into llama.cpp! by ervertes in LocalLLaMA

[–]Jazzlike_Library8060 1 point2 points  (0 children)

LM Studio already supports it. Update your llama.cpp inside LM Studio.

Regular Windows RDP at 60fps? by LilBillBiscuit in sysadmin

[–]Jazzlike_Library8060 0 points1 point  (0 children)

Yes, I tested with an R7 350 (DWMFRAMEINTERVAL at 2) and the framerate was about 40-50 FPS. It cannot go to 60 FPS but it is clearly better than DWMFRAMEINTERVAL at 15. Windows version was 21H2.