User Guide
Configuration
The safeguard configuration file is a YAML file that contains key:value or key:[value list] pairs.
Configuration Items
| Configuration Item | Type | Description |
|---|---|---|
network | List | Rule for network restrictions. |
files | List | Rule for file access restrictions. |
process | List | Rule for process restrictions. |
mount | List | Rule for mount restrictions. |
dns_proxy | List | DNS proxy configurations. |
log | List containing the following sub-keys: format: [json|text]output: <path>max_size: Maximum size to rotate (MB). Default: 100MBmax_age: Period for which logs are kept. Default: 365labels: Key/Value to be added to the log. | Log configuration. |
Network
| Configuration Item | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. Default is true. |
mode | Enum with the following possible values: monitor, block | If monitor is specified, events are only logged. If block is specified, network access is blocked. |
target | Enum with the following possible values: host, container | Selecting host will apply the restriction to hosts. Selecting container will apply the restriction only to containers. |
cidr | List containing the following sub-keys:allow: [cidr list]deny: [cidr list] | Allow or deny CIDRs. |
domain | List containing the following sub-keys:allow: [domain list]deny: [domain list] | Allow or deny domains. |
command | List containing the following sub-keys:allow: [command list]deny: [command list] | Allow or deny commands. |
uid | List containing the following sub-keys:allow: [uid list]deny: [uid list] | Allow or deny UIDs. |
gid | List containing the following sub-keys:allow: [gid list]deny: [gid list] | Allow or deny GIDs. |
Examples
Allowing All Network Connections
Allow all network communications and monitor their connections.
yaml
network:
mode: monitor
target: host
cidr:
allow: ['0.0.0.0/0']Blocking Specified Private Networks
Block access to 192.168.1.1/24 and 10.0.1.1/24.
yaml
network:
mode: block
target: host
cidr:
allow: ['0.0.0.0/0']
deny:
- 192.168.1.1/24
- 10.0.1.1/24Blocking Metadata Service API
Block access to the public cloud Metadata Service. This is a mitigation measure against SSRF, etc.
yaml
network:
mode: block
target: host
cidr:
allow: ['0.0.0.0/0']
deny:
- 169.254.169.254/32Blocking Connections to a Specified Domain
Block connections to example.com. safeguard periodically looks up IP addresses to keep up with IP address changes.
yaml
network:
mode: block
target: host
cidr:
allow: ['0.0.0.0/0']
domain:
deny:
- example.comBlocking Network Connections of Containers
Allow communication from hosts, but block communication from containers.
yaml
network:
mode: block
target: container
cidr:
allow: ['0.0.0.0/0']
domain:
deny:
- example.com!!! example
shell
vagrant@ubuntu-impish:~$ curl -I https://example.com
HTTP/2 200
vagrant@ubuntu-impish:~$ sudo docker run --rm -it curlimages/curl https://example.com
curl: (7) Couldn't connect to serverBlocking All Connections from cURL
yaml
network:
mode: monitor
target: container
cidr:
allow: ['0.0.0.0/0']
command:
deny: ['curl']!!! example
shell
vagrant@ubuntu-impish:~$ curl -I https://example.com
curl: (6) Could not resolve host: example.com
vagrant@ubuntu-impish:~$ wget https://example.com -O /dev/null
--2022-03-09 14:45:11-- http://example.com/
Resolving example.com (example.com)... 93.184.216.34
Connecting to example.com (example.com)|93.184.216.34|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1256 (1.2K) [text/html]
Saving to: '/dev/null'
/dev/null 100%[============================>] 1.23K --.-KB/s in 0s
2022-03-09 14:45:12 (70.1 MB/s) - '/dev/null' saved [1256/1256]Blocking All Connections from the User Whose UID Is 1000
Block network access of the user whose UID is 1000, but allow network access of the user whose UID is 0.
yaml
network:
mode: monitor
target: container
cidr:
allow: ['0.0.0.0/0']
uid:
allow: [0]
deny: [1000]!!! example
shell
vagrant@ubuntu-impish:~$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
vagrant@ubuntu-impish:~$ curl -I https://example.com
curl: (6) Could not resolve host: example.com
vagrant@ubuntu-impish:~$ sudo curl -I https://example.com
HTTP/2 200Files
Linux kernel 5.13 is required to use these options.
| Config | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. The default value is true. |
mode | Enum with the following possible values: monitor, block | If monitor is specified, events are only logged. If block is specified, network access is blocked. |
target | Enum with the following possible values: host, container | Selecting host will apply the restriction to hosts. Selecting container will apply the restriction to containers. |
allow | List of allowed file paths | |
deny | List of denied file paths |
Examples
Allowing Access to All Files
yaml
file:
mode: monitor
target: host
allow:
- /Blocking Access to /etc/passwd
yaml
file:
mode: block
target: host
allow:
- /
deny:
- /etc/passwdBlocking All Accesses to /root/.ssh
yaml
file:
mode: block
target: host
allow:
- /
deny:
- /root/.sshBlocking Access to /proc/sys in Containers
yaml
file:
mode: block
target: container
allow:
- /
deny:
- /proc/sys!!! example
shell
root@ubuntu-impish:/# ls /proc/sys
abi debug dev fs kernel net user vm
root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
root@9cf961922b00:/# ls /proc/sys
ls: cannot open directory '/proc/sys': Operation not permittedBlocking Escapes from Privileged Containers
yaml
file:
mode: block
target: container
allow:
- /
deny:
- /proc/sysrq-trigger
- /sys/kernel
- /proc/sys/kernel!!! example
shell
root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
root@e3b2ffe5b284:/# echo c > /proc/sysrq-trigger
bash: /proc/sysrq-trigger: Operation not permitted
root@e3b2ffe5b284:/# echo '/path/to/evil' > /sys/kernel/uevent_helper
bash: /sys/kernel/uevent_helper: Operation not permitted
root@e3b2ffe5b284:/# echo '|/path/to/evil' > /proc/sys/kernel/core_pattern
bash: /proc/sys/kernel/core_pattern: Operation not permittedProcesses
| Configuration Item | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. The default value is true. |
mode | Enum with the following possible value: monitor | If monitor is specified, events are only logged. |
target | Enum with the following possible values: host, container | Selecting host will apply the restriction to hosts. Selecting container will apply the restriction to containers. |
Examples
yaml
mount:
mode: monitor
target: hostMount
| Configuration Item | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. The default value is true. |
mode | Enum with the following possible values: monitor, block | If monitor is specified, events are only logged. If block is specified, accesses are blocked. |
target | Enum with the following possible values: host, container | Selecting host will apply the restriction to hosts. Selecting container will apply the restriction to containers. |
deny | List of allowed mount paths |
Examples
Blocking the Mount of /var/run/docker.sock to Containers
yaml
mount:
mode: block
target: host
deny:
- /var/run/docker.sockLicensed under the MulanPSL2
Copyright © 2026 openEuler. All rights reserved.J. ICP B. No. 2020036654-1
J.G.W.A.B. No. 11030102011597
J.G.W.A.B. No. 11030102011597Licensed underthe MulanPSL2
Copyright © 2026 openEuler. All rights reserved.
Bug