submitted 4 days ago by lemmyuser@programming.dev to c/linux@programming.dev

14 comments fedilink hide all child comments

I wrote a dead simple file canary tool that will install an eBPF program that drops all outgoing packets if a canary is touched. I wrote this in response to the current trend of supply chain attacks that try to harvest credentials

you are viewing a single comment's thread
view the rest of the comments

[-] IanTwenty@piefed.social 2 points 2 days ago

I think the desktops need to better protect users' secrets by accepting rogue user processes are part of the threat model now. There are lots of mechanism to lock known future user processes into a protected area (containers, chroot, etc), but none to lock existing and future unknown user processes out of a protected area.

Your idea of a yubikey access protected file area makes a lot of sense and I don't think it exists yet. Then a user could throw their existing ssh keys in there and immediately get physical protection on them.

It would need to be carefully controlled. Something like gocryptfs on FUSE as you suggest but with a stronger threat model layered on top as theirs is short: https://nuetzlich.net/gocryptfs/threat_model/

this post was submitted on 25 Jun 2026

56 points (98.3% liked)

Linux

14131 readers

548 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev