name: xdefender-byondai
description: XDefender is a next-generation Linux security platform providing deterministic runtime protection using a Smart Integrity Baseline. It blocks unauthorized code execution, in-memory threats, API abuse, OWASP Top 10 vulnerabilities, CI/CD pipeline risks, and advanced AI-driven attack techniques before execution. The platform includes Data Loss Prevention (DLP), Supply Chain Security, Infrastructure-as-Code (IaC) security, access control enforcement, and real-time monitoring. Designed for cloud and VM environments, XDefender operates as a system-level security agent with minimal performance impact.
snapcraft: PRIVATE — snapcraft.yaml available to reviewers upon request.
upstream: PRIVATE
upstream-relation: Author and maintainer (Bitosec Ltd.)
supported-category: security / system agent / runtime protection
reasoning: XDefender operates as a system-level security and runtime enforcement agent. It requires deep host integration to monitor, inspect, and block execution of arbitrary processes in real time.
The snap must:
- Read and inspect host configuration files outside the snap sandbox (e.g., /etc, application configs, system policies), not only files the snap itself owns.
- Monitor process creation and execution flow across the entire host, not just within the snap's own confinement.
- Enforce runtime blocking decisions, which requires inspecting arbitrary binaries on disk and the memory activity of arbitrary host processes.
- Read system logs and other security-relevant files for DLP and threat detection.
- Apply security policies to workloads dynamically, including CI/CD artifacts and runtime environments.
We evaluated strict confinement and the currently available interfaces. The existing interfaces (system-observe, process-control, personal-files and similar) are not sufficient to provide the required unrestricted host-level visibility and enforcement capabilities.
The core functionality of XDefender depends on unrestricted host access, similar to that of traditional security daemons distributed as deb/rpm packages. Under strict confinement, the runtime monitoring and enforcement capabilities required for deterministic protection are not available.
For these reasons, classic confinement is necessary for correct and secure operation.
I understand that strict confinement is generally preferred over classic.
I’ve tried the existing interfaces to make the snap work under strict confinement, but they do not provide sufficient permissions for system-wide runtime protection and enforcement.
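To make the gap in the interface list above concrete, here is an illustrative strict-confinement snapcraft.yaml for an agent of this kind. It is added here as an example; it is not the private snapcraft.yaml mentioned above and not Bitosec's code. The base, version, command path and plug names are assumptions, and the comments summarise what each listed interface grants according to the snapd interface documentation.

```yaml
# Illustrative only: an assumed snapcraft.yaml, not the project's private file.
# base, version, command path and the plug names below are assumptions.
name: xdefender-byondai
base: core22
version: '0.0.0'               # placeholder
summary: Runtime protection agent (illustrative)
description: Illustrative strict-confinement attempt for an XDefender-style agent.
grade: stable
confinement: strict            # the attempted mode; see the classic note at the end

apps:
  xdefender:
    command: bin/xdefender     # assumed binary path inside the snap
    daemon: simple
    plugs:
      - system-observe         # read /proc and system state, observe processes (read-only)
      - process-control        # send signals to and change scheduling of other processes
      - log-observe            # read /var/log (read-only)
      - host-etc               # system-files instance declared below

plugs:
  host-etc:
    interface: system-files    # every path must be declared explicitly and is reviewed
    read:
      - /etc                   # read access only; no write to host policy files

# What the plugs above do not provide, which is the crux of the request:
#  - intercepting exec of every host process before it runs and blocking it;
#  - reading or writing the memory of arbitrary host processes;
#  - writing host configuration or policy files outside the declared paths.
# The classic alternative drops the plugs entirely; the daemon then runs in
# the host's mount namespace with host-level access, as a deb/rpm daemon would:
#
#   confinement: classic
#   apps:
#     xdefender:
#       command: bin/xdefender
#       daemon: simple
```

The point of the comparison is that the strict variant can observe (system-observe, log-observe) and signal (process-control) but cannot sit in the execution path of arbitrary host processes, which is what a runtime blocking agent needs.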
Additional information: Bitosec Ltd. is an official Canonical ISV partner and holds a valid partner certificate. Details available upon request.