Access control for users and groups on Linux clients

As of version 25.2, the DriveLock Agent on Linux systems supports access control lists (ACLs) on drive rules, so that access to a drive can be granted to specific users or groups only. This includes Active Directory users in environments with supported AD integration.

Configuration options

In the DriveLock Operations Center (DOC), this is configured via the "Block with exceptions" option in the "Permissions" section under "Basic properties" of a drive rule.

In the DMC, the corresponding option is "Deny, but allow access for defined users and groups" in the "Permissions" tab. In the "Logged on users" tab, the rules can also be filtered for specific users or groups.

Agent behavior

Depending on how the rule is configured, the DriveLock Agent behaves in one of two ways:

Case 1: No ACLs or file filters configured

  • The device is either fully blocked or fully allowed, as in previous versions.
  • Blocked devices are not mounted and are therefore not visible in the system.

Case 2: ACLs or file filters configured

  • The device is mounted and visible in the system.
  • Each file access is checked individually and blocked or permitted accordingly.

Limitations

  • No "read-only" mode: users either have full read/write access or no access at all.
  • Blocked access means the user cannot open or read files on the device, copy files from it, or copy files to it.
  • It does not prevent renaming or deleting: a blocked user can still rename or delete files and folders on the device, and can therefore destroy the data on it.
  • Execution of binary files can be blocked.
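Because a "blocked" user can still delete data, the matrix above is worth verifying on a real drive rather than assumed. The script below is an added example for this page, not DriveLock's own tooling: run as the user being tested, it attempts each operation listed above against a mount point and reports which ones the system allowed. The seed objects probe.txt and probe.sh, created beforehand by a permitted account, are an assumption of the example.

```shell
#!/usr/bin/env bash
# Probe what "no access" actually permits on a drive governed by an ACL rule:
# try each operation named in the Limitations list and report allowed/denied.
# Added example for this page, not a DriveLock tool. Run it as the user whose
# access is being verified, against a mount point the agent controls, e.g.
#   ./probe_access.sh /media/usb
# Two seed objects must already exist there, created beforehand by a permitted
# account (assumed names): probe.txt (any content) and probe.sh (executable).

# Run one operation quietly and print "<name> allowed" or "<name> denied".
probe() {
    local name="$1"; shift
    if "$@" >/dev/null 2>&1; then
        echo "$name allowed"
    else
        echo "$name denied"
    fi
}

# Exercise one directory. Output is one line per operation so the report of a
# permitted user can be diffed against that of a blocked one.
probe_dir() {
    local dir="$1" scratch
    scratch="$(mktemp -d)"                      # local disk, outside the drive
    printf 'from local disk\n' > "$scratch/local.txt"

    probe read       cat "$dir/probe.txt"
    probe copy-from  cp "$dir/probe.txt" "$scratch/copied.txt"
    probe copy-to    cp "$scratch/local.txt" "$dir/probe-in.txt"
    # A mount with the noexec option also reports "denied" here, independent
    # of the agent; check the mount options before attributing it to the rule.
    probe execute    "$dir/probe.sh"
    probe rename     mv "$dir/probe.txt" "$dir/probe-renamed.txt"
    # Delete whichever name the rename attempt left behind.
    if [ -e "$dir/probe-renamed.txt" ]; then
        probe delete rm "$dir/probe-renamed.txt"
    else
        probe delete rm "$dir/probe.txt"
    fi

    rm -f "$dir/probe-in.txt" 2>/dev/null       # tidy up if copy-to succeeded
    rm -rf "$scratch"
}

case "${1:-}" in
    '') echo "usage: $0 <mount point>" >&2 ;;
    *)  probe_dir "$1" ;;
esac
```

Run it once as a permitted user and once as a blocked one; per the list above, the blocked run should show read, copy-from and copy-to denied while rename and delete are still allowed.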

Technical requirements

This feature is implemented using fanotify. The following conditions must be met:

  • The fanotify API must be enabled in the Linux kernel.
  • The Linux kernel version must be higher than 5.0.
  • The device file system must support fanotify events.
  • Do not run other fanotify-based security solutions in parallel, as this may cause unpredictable behavior.
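The preflight script below is an added example for this page, not a DriveLock tool: it checks the requirements above on the local host before the agent is rolled out. It assumes that the agent blocks access through fanotify permission events, which need CONFIG_FANOTIFY_ACCESS_PERMISSIONS in addition to CONFIG_FANOTIFY; the page itself only states that fanotify is used. The --check flag and the script name are this example's own.

```shell
#!/usr/bin/env bash
# Preflight check for the fanotify prerequisites listed above. Added example
# for this page, not a DriveLock tool. Run as root so the fdinfo of other
# processes is readable:   ./fanotify_preflight.sh --check [mount point]

# Kernel release newer than 5.0. The page's wording is applied literally, so a
# 5.0.x release does not pass. Takes the release string as an argument so it
# can be checked against values other than the running kernel.
kernel_version_ok() {
    local release="$1" major rest minor
    major="${release%%.*}"
    rest="${release#"$major"}"; rest="${rest#.}"
    minor="${rest%%[!0-9]*}"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "${minor:-0}" -gt 0 ]
}

# Kernel build configuration, from /proc/config.gz or the distribution's copy.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "kernel config not found (/proc/config.gz, /boot/config-$(uname -r))" >&2
        return 1
    fi
}

# CONFIG_FANOTIFY is the API itself; CONFIG_FANOTIFY_ACCESS_PERMISSIONS adds
# the permission events (FAN_OPEN_PERM, FAN_ACCESS_PERM) that let a listener
# veto an access. Checking the second one assumes the agent blocks through
# permission events; the page only states that fanotify is used.
fanotify_config_ok() {
    local cfg
    cfg="$(cat)"
    printf '%s\n' "$cfg" | grep -q '^CONFIG_FANOTIFY=y' &&
        printf '%s\n' "$cfg" | grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y'
}

# Processes holding fanotify descriptors: the kernel labels such descriptors
# with "fanotify ..." lines in /proc/<pid>/fdinfo/<fd>. Anything other than the
# DriveLock Agent listed here is a candidate for the "no parallel fanotify
# solutions" rule.
fanotify_listeners() {
    local fdinfo pid
    for fdinfo in /proc/[0-9]*/fdinfo/*; do
        grep -qs '^fanotify' "$fdinfo" || continue
        pid="${fdinfo#/proc/}"; pid="${pid%%/*}"
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done | sort -u
}

run_preflight() {
    local status=0 release listeners
    release="$(uname -r)"
    if kernel_version_ok "$release"; then
        echo "ok    kernel $release is newer than 5.0"
    else
        echo "FAIL  kernel $release is not newer than 5.0"; status=1
    fi
    if kernel_config | fanotify_config_ok; then
        echo "ok    CONFIG_FANOTIFY and CONFIG_FANOTIFY_ACCESS_PERMISSIONS are set"
    else
        echo "FAIL  fanotify with permission events is not enabled in this kernel"; status=1
    fi
    listeners="$(fanotify_listeners)"
    if [ -n "$listeners" ]; then
        echo "WARN  processes holding fanotify descriptors (pid comm):"
        printf '%s\n' "$listeners" | sed 's/^/      /'
    fi
    # The drive's file system must deliver fanotify events; print its type so
    # it can be compared with what the agent supports.
    if [ -n "${1:-}" ]; then
        echo "info  $1 is mounted as $(findmnt -no FSTYPE --target "$1")"
    fi
    return "$status"
}

case "${1:-}" in
    --check) shift; run_preflight "$@" ;;
esac
```

The listener scan is the check that catches the last bullet: another fanotify-based product (antivirus, EDR, another access-control agent) shows up as a process with fanotify descriptors, and two such listeners on the same mounts is exactly the configuration the page says to avoid.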