bytedance · Danny-Wei · Dec 3, 2024 · Dec 3, 2024 · Dec 3, 2024 · Dec 3, 2024
diff --git a/docs/guides/policies_and_rules/built_in_rules.md b/docs/guides/policies_and_rules/built_in_rules.md
@@ -40,6 +40,13 @@ Note:<br />- The built-in rules supported by different enforcers are still under
 |                 |              |Prohibit setting the execute/search bit of a file<br /><br />`disable-chmod-x-bit`|ALL|When attackers gain control over a container through vulnerabilities, they typically attempt to download additional attack code or tools into the container for further attacks, such as privilege escalation, lateral movement, cryptocurrency mining, and more. In this attack chain, attackers might use the chmod syscalls to modify file permissions for execution.|Prohibit setting the execute/search bit of a file with `chmod/fchmod/fchmodat/fchmodat2` syscalls|Seccomp
 |                 |              |Prohibit setting the SUID/SGID bit of a file<br /><br />`disable-chmod-s-bit`|ALL|In some scenarios, attackers may attempt to invoke chmod syscalls to perform privilege elevation attacks by setting the file's s-bit (set-user-ID, set-group-ID).|Prohibit setting the set-user-ID/set-group-ID bit of a file with `chmod/fchmod/fchmodat/fchmodat2` syscalls|Seccomp
 |                 |              |Prohibit the execution of su/sudo command<br /><br />`disable-su-sudo`|ALL|When processes within a container run as non-root users, attackers often need to escalate privileges to the root user for further attacks. The sudo/su commands are common local privilege escalation avenues.|Prohibit the execution of su/sudo command.<br /><br />Some base images may symlink su to /bin/busybox. In this scenario, it's also necessary to prohibit the execution of busybox command.|AppArmor<br />BPF
+|                 |Others        |Prohibit all network access<br /><br />`disable-network`|ALL|When you want to prevent a container from accessing the network, you can use this rule to disable it.|-|AppArmor<br />BPF
+|                 |              |Prohibit accessing the network via inet4 addresses<br /><br />`disable-inet`, `disable-ipv4`|ALL|When you want to prevent a container from accessing the network via IPv4 addresses, you can use this rule to disable it.|-|AppArmor<br />BPF
+|                 |              |Prohibit accessing the network via inet6 addresses<br /><br />`disable-inet6`, `disable-ipv6`|ALL|When you want to prevent a container from accessing the network via IPv6 addresses, you can use this rule to disable it.|-|AppArmor<br />BPF
+|                 |              |Prohibit accessing the network via UDS addresses<br /><br />`disable-unix-domain-socket`|ALL|When you want to prevent a container from accessing the network via Unix Domain Socket addresses, you can use this rule to disable it.|-|AppArmor<br />BPF
+|                 |              |Prohibit the use of the ICMP protocol<br /><br />`disable-icmp`|ALL|When you want to prevent a container from using ICMP protocol, you can use this rule to disable it.|-|AppArmor<br />BPF
+|                 |              |Prohibit the use of the TCP protocol<br /><br />`disable-tcp`|ALL|When you want to prevent a container from using TCP protocol, you can use this rule to disable it.|-|AppArmor<br />BPF
+|                 |              |Prohibit the use of the UDP protocol<br /><br />`disable-udp`|ALL|When you want to prevent a container from using UDP protocol, you can use this rule to disable it.|-|AppArmor<br />BPF
 |                 |Restrict Specific Executable|-|ALL|This rule extends the use cases of 'Mitigating Information Leakage' and 'Disabling Sensitive Operations', it allows user to apply restrictions only to specific executable programs within containers.<br /><br />Restricting specified executable programs serves two purposes:<br />1). Preventing sandbox policies from affecting the execution of application services within containers.<br />2).Restricting specified executable programs within containers increases the cost and difficulty for attackers<br /><br />For example, this feature can be used to restrict programs like busybox, bash, sh, curl within containers, preventing attackers from using them to execute sensitive operations. Meanwhile, the application services is unaffected by sandbox policies and can continue to access ServiceAccount tokens and perform other tasks normally.<br /><br />*Note: Due to the implementation principles of BPF LSM, this feature cannot be provided by the BPF enforcer.*|Enable sandbox restrictions for specified executable programs.|AppArmor
 |**Vulnerability Mitigation**|-|Mitigate cgroups & lxcfs escape<br /><br />`cgroups-lxcfs-escape-mitigation`|ALL|If users mount the host's cgroupfs into a container or use lxcfs to provide a resource view for the container, there may be a risk of container escape in both scenarios. Attackers could manipulate cgroupfs from within the container to achieve container escape.<br /><br />This rule can also be used to defend against [CVE-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) vulnerability exploitation.|AppArmor Enforcer prevents writing to：<br />/\*\*/release_agent, <br />/\*\*/devices/device.allow,<br />/\*\*/devices/\*\*/device.allow, <br />/\*\*/devices/cgroup.procs,<br />/\*\*/devices/\*\*/cgroup.procs,<br />/\*\*/devices/task,<br />/\*\*/devices/\*\*/task,<br /><br />BPF Enforcer prevents writing to：<br />/\*\*/release_agent<br />/\*\*/devices.allow<br />/\*\*/cgroup.procs<br />/\*\*/devices/tasks<br />|AppArmor<br />BPF
 |                            |-|Mitigate the ability to override runc to escape<br /><br />`runc-override-mitigation`|ALL|The rule is designed to mitigate vulnerabilities such as [CVE-2019-5736](https://github.com/advisories/GHSA-gxmr-w5mj-v8hh) that exploit container escape by tampering with the host machine's runc.|Disallow writing to `/**/runc` files|AppArmor<br />BPF

diff --git a/docs/guides/policies_and_rules/built_in_rules.zh_CN.md b/docs/guides/policies_and_rules/built_in_rules.zh_CN.md
@@ -40,6 +40,13 @@
 |                 |              |禁止设置文件的可执行属性<br /><br />`disable-chmod-x-bit`|ALL|此规则禁止容器进程通过 chmod 相关系统调用修改文件权限，创建可执行文件。<br /><br />当攻击者通过漏洞获取容器内的控制权后，通常会尝试下载其他攻击代码、工具到容器内实施进一步的攻击（权限提升、横向渗透、挖矿等）。在这个攻击链路中，攻击者通常会调用 chmod 相关系统调用(chmod/fchmod/fchmodat/fchmodat2)，设置文件的可执行权限。|禁止通过 chmod 相关系统调用，设置文件的 execute/search 权限。|Seccomp
 |                 |              |禁止设置文件的 SUID/SGID 属性<br /><br />`disable-chmod-s-bit`|ALL|此规则禁止容器进程通过 chmod 相关系统调用修改文件属性，设置文件的 s 标记位（set-user-ID, set-group-ID）。<br /><br />在某些场景下，攻击者可能会尝试调用 chmod 系列的系统调用（chmod/fchmod/fchmodat/fchmodat2），通过设置文件的 s 标记位（set-user-ID, set-group-ID）来实施权限提升攻击。|禁止通过 chmod 相关系统调用，设置文件的 set-user-ID/set-group-ID 属性。|Seccomp
 |                 |              |禁止执行 sudo、su 命令<br /><br />`disable-su-sudo`|ALL|此规则禁止容器进程执行 sudo/su 命令进行权限提升。<br /><br />当容器内的进程以非 root 用户运行时，攻击者需要先提权至 root 用户进行后续攻击。而 sudo/su 命令是本地提权的常见途径之一。|禁止 sudo、su 执行<br /><br />有些基础镜像会动态链接 su 到 /bin/busybox，此情况下还需配合“禁止执行 busybox 命令”策略使用|AppArmor<br />BPF
+|                 |其他           |禁止网络访问<br /><br />`disable-network`|ALL|此规则禁止容器进程访问网络。|-|AppArmor<br />BPF
+|                 |              |禁止使用 inet4 地址的网络访问<br /><br />`disable-inet`, `disable-ipv4`|ALL|此规则禁止容器进程通过 IPv4 地址访问网络。|-|AppArmor<br />BPF
+|                 |              |禁止使用 inet6 地址的网络访问<br /><br />`disable-inet6`, `disable-ipv6`|ALL|此规则禁止容器进程通过 IPv6 地址访问网络。|-|AppArmor<br />BPF
+|                 |              |禁止使用 UDS 地址的网络访问<br /><br />`disable-unix-domain-socket`|ALL|此规则禁止容器进程通过 UNIX domain socket 地址访问网络。|-|AppArmor<br />BPF
+|                 |              |禁止使用 ICMP 网络协议<br /><br />`disable-icmp`|ALL|此规则禁止容器进程使用 ICMP 网络协议。|-|AppArmor<br />BPF
+|                 |              |禁止使用 TCP 网络协议<br /><br />`disable-tcp`|ALL|此规则禁止容器进程使用 TCP 网络协议。|-|AppArmor<br />BPF
+|                 |              |禁止使用 UDP 网络协议<br /><br />`disable-udp`|ALL|此规则禁止容器进程使用 UDP 网络协议。|-|AppArmor<br />BPF
 |                 |限制特定可执行文件|-|ALL|此规则对 “容器信息泄漏缓解” 和 “容器敏感命令限制” 两类策略的使用场景进行了扩充，使用户可以只对容器内的特定可执行文件及其子进程进行限制。<br /><br />对指定的可执行文件进行限制，实现两个目的：<br />1). 避免沙箱策略影响容器内应用服务的正常执行<br />2). 对容器内指定可执行文件进行限制，增加攻击者成本和难度。<br /><br />例如，可以利用此功能对容器中的 busybox、bash、sh、curl 进行限制，阻止攻击者利用它们来执行敏感操作。与此同时，应用服务的运行则不受沙箱策略的限制，可以正常执行读取 ServiceAccount token 等敏感操作。<br /><br />注：受限于 BPF LSM 的实现原理，BPF enforcer 无法提供此功能|为特定可执行文件开启沙箱限制|AppArmor
 |**Vulnerability Mitigation**|-|缓解 cgroups & lxcfs 逃逸<br /><br />`cgroups-lxcfs-escape-mitigation`|ALL|若用户将宿主机的 cgroupfs 挂载进容器，或使用 lxcfs 为容器提供资源视图。在这两种场景下可能存在容器逃逸风险，攻击者可以在容器内改写 cgroupfs 实施容器逃逸。<br /><br />此规则也可用于防御 [CVE-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) 漏洞利用。|AppArmor Enforcer 阻止在容器内修改：<br />/\*\*/release_agent, <br />/\*\*/devices/device.allow,<br />/\*\*/devices/\*\*/device.allow, <br />/\*\*/devices/cgroup.procs,<br />/\*\*/devices/\*\*/cgroup.procs,<br />/\*\*/devices/task,<br />/\*\*/devices/\*\*/task,<br /><br />BPF Enforcer 阻止在容器内修改：<br />/\*\*/release_agent<br />/\*\*/devices.allow<br />/\*\*/cgroup.procs<br />/\*\*/devices/tasks<br />|AppArmor<br />BPF
 |                            |-|缓解通过改写 runc 实现的容器逃逸<br /><br />`runc-override-mitigation`|ALL|本策略用于缓解通过改写宿主机 runc 从而实现容器逃逸的漏洞，例如 [CVE-2019-5736](https://github.com/advisories/GHSA-gxmr-w5mj-v8hh)。|禁止改写 /**/runc 文件|AppArmor<br />BPF