DataBlock is a backend privacy enforcement library for applications and Linux operating-system integrations.
Its design goal is simple:
Nothing leaves your device without explicit, local, auditable policy.
This repository is now organized around a single root src/ tree so it can be:
- embedded directly into applications as a Rust library
- linked into custom operating systems and Linux distributions as a backend component
- exposed through a stable C ABI for system daemons, installers, and non-Rust consumers
- wrapped for Python and C++
DataBlock/
├── Cargo.toml
├── CMakeLists.txt
├── pyproject.toml
├── README.md
├── docs/
├── src/
│ ├── bindings/
│ ├── core/
│ ├── dashboard/
│ ├── platform/
│ ├── python/
│ ├── standalone/
│ ├── lib.rs
│ └── ffi.rs
├── examples/
├── tests/
└── .github/
- Policy engine with JSON and YAML import/export
- Allow, block, ask, and strict modes
- Domain, IP, CIDR, protocol, port, context, tag, and content matching
- Tamper-evident local audit logs
- Loopback-only dashboard server
- Real Linux backend support with procfs socket attribution, Unix-socket control, and nftables application
- Stable C ABI for embedders
- Optional Python bindings
- Autonomous runtime handle for host-process integration
- Endpoint intelligence with a swappable provider interface for heuristic or model-backed classification
DataBlock now includes a real Linux service path:
datablockddaemon insrc/bin/datablockd.rs- Linux backend in
src/platform/linux/mod.rs - Example policy in
examples/system-hooks/linux-policy.yaml - Example systemd unit in
examples/system-hooks/datablockd.service
Linux commands:
datablockd serve --policy /etc/datablock/policy.yaml --socket /run/datablock/datablock.sock
datablockd snapshot
datablockd sync-policy --policy /etc/datablock/policy.yaml --socket /run/datablock/datablock.sock
datablockd status --socket /run/datablock/datablock.sockSee docs/LINUX.md.
Implemented and maintained:
- Rust core library
- C ABI
- Python binding and pure-Python fallback
- C++ fallback
- Linux daemon and Linux policy enforcement path
Removed from the shipped surface because they were incomplete:
- placeholder Windows/macOS/Android adapters
- placeholder browser-extension examples
- partial WebAssembly interception surface
Projects can embed DataBlock as a normal backend library and start it inside the host process or daemon.
Core path:
- Build a
PolicyEngine - Build an
EndpointIntelligenceprovider - Wrap both in
RuntimeHandle - Feed normalized
FlowRecordevents intoinspect_flow - Read runtime snapshots and counters from
snapshot_eventsandstats - Reload policy in place with
replace_policy
That makes DataBlock behave like an embeddable backend service component rather than a UI feature.
Rust example:
use datablock::{
EndpointIntelligence, FlowRecord, Policy, PolicyEngine, Protocol, RuntimeConfig, RuntimeHandle,
};
let runtime = RuntimeHandle::with_config(
PolicyEngine::new(Policy::default()),
EndpointIntelligence::heuristic(),
RuntimeConfig {
runtime_name: "my-host-service".into(),
max_event_history: 2048,
default_context: Some("embedded-host".into()),
default_tags: vec!["desktop".into()],
},
);
let verdict = runtime.inspect_flow(&FlowRecord {
target: "https://api.example.com/v1/data".into(),
ip: None,
port: Some(443),
protocol: Protocol::Https,
process_name: Some("my-app".into()),
process_path: None,
context: None,
payload_preview: None,
tags: Vec::new(),
})?;
println!("{}", runtime.export_stats_json()?);C ABI additions for embedders:
datablock_engine_evaluate_flow_jsondatablock_engine_replace_policydatablock_engine_snapshot_events_jsondatablock_engine_stats_json
DataBlock can now describe what a destination likely is and why it may matter.
Current default:
HeuristicProviderfor local classification without network calls
Extensibility:
- Replace it with a custom implementation of
EndpointIntelligenceProvider - Integrators can plug in a local small model or a general LLM of their choice
- The policy engine remains independent from the model choice
DataBlock is designed to be consumed as infrastructure, not only as an app library.
Recommended integration model:
- Build
datablockas a static or shared library. - Embed it in a policy daemon or system service.
- Feed normalized flow metadata from the host platform into
PolicyEngine. - Use returned verdicts to drive nftables through the shipped Linux backend, or embed the core runtime into another enforcement layer.
Why this structure works well for distros:
- Rust core compiles as
rlib,staticlib, orcdylib - C ABI allows packaging for init systems, installers, and mixed-language daemons
- No dependency on a desktop UI
- Policy and audit code are separate from privileged enforcement, while the Linux daemon provides a concrete reference implementation
cargo build
cargo testmaturin developcmake -S . -B build
cmake --build build
ctest --test-dir build -C Debugpython -m pytest tests
.\build\Debug\cpp_demo.exeThese were useful architectural references:
- OpenSnitch: Linux outbound application firewall with daemon, eBPF support, rule files, and nftables integration.
- Portmaster: privacy-focused firewall suite with DNS interception, per-app policy, and OS integration on Linux and Windows.
- AdGuard Home: strong reference for backend-first filtering, local APIs, and cross-platform packaging.
- NetGuard: Android VPN-mode firewall model that is especially relevant for non-root mobile enforcement.
- mitmproxy: useful reference for opt-in interception and protocol inspection boundaries.
More detailed notes are in docs/RESEARCH.md.
Agentic workflow notes are in docs/AGENTIC_WORKFLOWS.md.
- No telemetry
- Local-only control plane by default
- Tamper-evident logging
- Explicit policy evaluation
- Backend-first API surface suitable for audited packaging
See docs/THREAT_MODEL.md, docs/SECURITY.md, and docs/LINUX.md.