Manhattan - Deprecated

The core packages of this tool have been moved over to opencontainers/runtime-tools which supports the latest version of the OCI runtime-spec. See documentation there.

A CLI tool/library for creating OCI seccomp json configurations.

Warning: At the moment, Manhattan does not support the new docker seccomp format

Why?

Manhattan is a tool used to generate the seccomp json file used by OCI containers to control the system calls available to processes running within a container. The generated json files can be used by any OCI compliant runtime like runc and docker. You can pass them at the command line to docker like the following:

docker run -it --security-opt seccomp:Manhattan.json fedora bash

Usage:

Arguments consist of all lower case names of syscalls. Multiple ones can be passed by using a , separated list. Use any of the following flags to set actions for specified syscalls:

--kill or -k

--trap or -p

--errno or -e

--trace or -c

--allow or -a

You can also specify parameters for rules to apply to. The syntax is as follows:

manhattan --ACTION SYSCALL:INDEX:VALUE1:VALUE2:OP OP must be any of the following: NE, LT, LE, EQ, GE, GT, or ME.

--remove (-r) specifies syscalls that you would like to remove from the default configuration. Syscalls not specified will take on the default action.

--default (-d) specifies the default action for syscalls not explicitly specified.

--arch (-l)specifies supported architectures.

--name (-n) specifies the name of the output file. The default is the current timestamp in the current directory.

--name-force is the same as --name except it will overwrite an existing file if it's specified

Library

Simply run go get github.com/grantseltzer/manhattan/oci-seccomp-gen and import it in your go project.

Documentation for use as a library coming soon.

Example usages:

manhattan --kill accept --name ~/jsonfiles/SeccompConfig

manhattan --input foo.bar --name-force foo.bar --kill clone:0:1:2:NE,getcwd

manhattan --kill=accept , manhattan --kill:accept and manattan --kill accept are all equivalent

manhattan --errno write,read --allow fstat

manhattan --remove clone

manhattan --default kill --remove clone

manhattan --trace clone:1:2:3:GT

manhattan --kill clone:1:2:3:ME,getcwd:1:2:3:GE

manhattan --arch mips,mips64,amd64

Name		Name	Last commit message	Last commit date
Latest commit History 136 Commits
Godeps		Godeps
oci-seccomp-gen		oci-seccomp-gen
resources		resources
.gitignore		.gitignore
.travis.yml		.travis.yml
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
bash_autocomplete		bash_autocomplete
consts.go		consts.go
main.go		main.go
manhattan.1		manhattan.1
manhattan.json		manhattan.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Manhattan - Deprecated

The core packages of this tool have been moved over to opencontainers/runtime-tools which supports the latest version of the OCI runtime-spec. See documentation there.

Why?

Usage:

Library

Example usages:

About

Uh oh!

Releases

Packages

Uh oh!

Contributors 2

Uh oh!

Languages

License

grantseltzer/Manhattan

Folders and files

Latest commit

History

Repository files navigation

Manhattan - Deprecated

The core packages of this tool have been moved over to opencontainers/runtime-tools which supports the latest version of the OCI runtime-spec. See documentation there.

Why?

Usage:

Library

Example usages:

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors 2

Uh oh!

Languages

Packages