safeguard 用户指南

配置

safeguard 的配置文件是一个YAML格式的文件,包含了key: value 或者 key: [value list] 的键值对。

配置选项

ConfigTypeDescription
networkListRule for network restrictions.
filesListRule for file access restrictions.
processListRule for process restrictions.
mountListRule for mount restrictions.
dns_proxyListDNS Proxy configurations
logList containing the following sub-keys:
  • format: [json|text]
  • output: <path>
  • max_size:: Maximum size to rotate (MB). Default: 100MB
  • max_age: Period for which logs are kept. Default: 365
  • labels: Key / Value to be added to the log.
  • Log configuration.

    network

    ConfigTypeDescription
    enableEnum with the following possible values: true, falseWhether to enable restrictions or not. Default is true.
    modeEnum with the following possible values: monitor, blockIf monitor is specified, events are only logged. If block is specified, network access is blocked.
    targetEnum with the following possible values: host, containerSelecting host applies the restriction to the host-wide. Selecting container will apply the restriction only to containers.
    cidrList containing the following sub-keys:
  • allow: [cidr list]
  • deny: [cidr list]
  • Allow or Deny CIDRs.
    domainList containing the following sub-keys:
  • allow: [domain list]
  • deny: [domain list]
  • Allow or Deny Domains.
    commandList containing the following sub-keys:
  • allow: [command list]
  • deny: [command list]
  • Allow or Deny commands.
    uidList containing the following sub-keys:
  • allow: [uid list]
  • deny: [uid list]
  • Allow or Deny uids.
    gidList containing the following sub-keys:
  • allow: [gid list]
  • deny: [gid list]
  • Allow or Deny gids.

    示例

    Allow all network connections

    Allows all network communications and monitors their connections.

    yaml
    network:
      mode: monitor
      target: host
      cidr:
        allow: ['0.0.0.0/0']

    Block specify Private Networks

    Block access to 192.168.1.1/24 and 10.0.1.1/24.

    yaml
    network:
      mode: block
      target: host
      cidr:
        allow: ['0.0.0.0/0']
        deny:
          - 192.168.1.1/24
          - 10.0.1.1/24

    Block Metadata service API

    Block access to the public cloud Metadata Service. This is a mitigation measure against SSRF, etc.

    yaml
    network:
      mode: block
      target: host
      cidr:
        allow: ['0.0.0.0/0']
        deny:
          - 169.254.169.254/32

    Block connections to the specified domain

    Block connections to example.com. safeguard periodically looks up IP addresses, so it keeps up with IP address changes.

    yaml
    network:
      mode: block
      target: host
      cidr:
        allow: ['0.0.0.0/0']
      domain:
        deny:
          - example.com

    Block network connections of containers

    Allow communication from the host, but block communication from the containers.

    yaml
    network:
      mode: block
      target: container
      cidr:
        allow: ['0.0.0.0/0']
      domain:
        deny:
        - example.com

    !!! example

    shell
    vagrant@ubuntu-impish:~$ curl -I https://example.com
    HTTP/2 200
    
    vagrant@ubuntu-impish:~$ sudo docker run --rm -it curlimages/curl https://example.com
    curl: (7) Couldn't connect to server

    Block all connections from curl

    yaml
    network:
      mode: monitor
      target: container
      cidr:
        allow: ['0.0.0.0/0']
      command:
        deny: ['curl']

    !!! example

    shell
    vagrant@ubuntu-impish:~$ curl -I https://example.com
    curl: (6) Could not resolve host: example.com
    
    vagrant@ubuntu-impish:~$ wget https://example.com -O /dev/null
    --2022-03-09 14:45:11--  http://example.com/
    Resolving example.com (example.com)... 93.184.216.34
    Connecting to example.com (example.com)|93.184.216.34|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1256 (1.2K) [text/html]
    Saving to: ‘/dev/null’
    
    /dev/null               100%[============================>]   1.23K  --.-KB/s    in 0s
    
    2022-03-09 14:45:12 (70.1 MB/s) - ‘/dev/null’ saved [1256/1256]

    Block all connections by users with UID 1000

    Setting that blocks all network access for UID 1000 user, but does not apply restrictions to UID 0 (root).

    yaml
    network:
      mode: monitor
      target: container
      cidr:
        allow: ['0.0.0.0/0']
      uid:
        allow: [0]
        deny: [1000]

    !!! example

    shell
    vagrant@ubuntu-impish:~$ id
    uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
    
    vagrant@ubuntu-impish:~$ curl -I https://example.com
    curl: (6) Could not resolve host: example.com
    
    vagrant@ubuntu-impish:~$ sudo curl -I https://example.com
    HTTP/2 200

    files

    Linux Kernel >= 5.13 is required to use this option.

    ConfigTypeDescription
    enableEnum with the following possible values: true, falseWhether to enable restrictions or not. Default is true.
    modeEnum with the following possible values: monitor, blockIf monitor is specified, events are only logged. If block is specified, network access is blocked.
    targetEnum with the following possible values: host, containerSelecting host applies the restriction to the host-wide. Selecting container will apply the restriction only to containers.
    allowA list of allow file paths
    denyA list of allow file paths

    示例

    Allow access to all files

    yaml
    file:
      mode: monitor
      target: host
      allow:
        - /

    Block access to /etc/passwd

    yaml
    file:
      mode: block
      target: host
      allow:
        - /
      deny:
        - /etc/passwd

    Block all access to the /root/.ssh directory

    yaml
    file:
      mode: block
      target: host
      allow:
        - /
      deny:
        - /root/.ssh

    Block access to the /proc/sys directory in the container

    yaml
    file:
      mode: block
      target: container
      allow:
        - /
      deny:
        - /proc/sys

    !!! example

    shell
    root@ubuntu-impish:/# ls /proc/sys
    abi  debug  dev  fs  kernel  net  user  vm
    
    root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
    root@9cf961922b00:/# ls /proc/sys
    ls: cannot open directory '/proc/sys': Operation not permitted

    Block escapes from Privileged Container

    yaml
    file:
      mode: block
      target: container
      allow:
        - /
      deny:
        - /proc/sysrq-trigger
        - /sys/kernel
        - /proc/sys/kernel

    !!! example

    shell
    root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
    root@e3b2ffe5b284:/# echo c > /proc/sysrq-trigger
    bash: /proc/sysrq-trigger: Operation not permitted
    
    root@e3b2ffe5b284:/# echo '/path/to/evil' > /sys/kernel/uevent_helper
    bash: /sys/kernel/uevent_helper: Operation not permitted
    
    root@e3b2ffe5b284:/# echo '|/path/to/evil' > /proc/sys/kernel/core_pattern
    bash: /proc/sys/kernel/core_pattern: Operation not permitted

    process

    ConfigTypeDescription
    enableEnum with the following possible values: true, falseWhether to enable restrictions or not. Default is true.
    modeEnum with the following possible values: monitorIf monitor is specified, events are only logged.
    targetEnum with the following possible values: host, containerSelecting host applies the restriction to the host-wide. Selecting container will apply the restriction only to containers.

    示例

    yaml
    mount:
      mode: monitor
      target: host

    mount

    ConfigTypeDescription
    enableEnum with the following possible values: true, falseWhether to enable restrictions or not. Default is true.
    modeEnum with the following possible values: monitor, blockIf monitor is specified, events are only logged. If block is specified, access is blocked.
    targetEnum with the following possible values: host, containerSelecting host applies the restriction to the host-wide. Selecting container will apply the restriction only to containers.
    denyA list of allow mount paths

    示例

    Block mount /var/run/docker.sock to container

    yaml
    mount:
      mode: block
      target: host
      deny:
        - /var/run/docker.sock