It's great to see your project casper-fs. I found a problem: in file hooked.h, the check_fs_blocklist function deals with relative paths. If I execute rm -f ../myfolder/backup_httpd.log, the check_fs_blocklist function will not protect the file backup_httpd.log, because the file to be protected in the list is backup_httpd.log. So I suggest kernel_filename can be a real path, or you can compare file inodes.
I think you can integrate it with snapshotting, so if any disguised dd or rm -rf command gets executed, the hidden module would protect my btrfs snapshots, right?
This would be really useful as a malware protection measure where casper hides your snapshots and prevents them from being overwritten or deleted. And if you encounter that your PC doesn't boot, you can just chroot into it, pass the password to the hidden module and restore your system?