The core packages of this tool have been moved over to opencontainers/runtime-tools, which supports the latest version of the OCI runtime-spec. See the documentation there.
A CLI tool/library for creating OCI seccomp json configurations.
Warning: At the moment, Manhattan does not support the new Docker seccomp format.
Manhattan is a tool used to generate the seccomp JSON file used by OCI containers to control the system calls available to processes running within a container. The generated JSON files can be used by any OCI-compliant runtime such as runc and Docker. You can pass them to Docker on the command line like this:
docker run -it --security-opt seccomp:Manhattan.json fedora bash
Newer Docker releases document the option as --security-opt seccomp=Manhattan.json; the colon form shown here is the older spelling.
Arguments consist of all-lowercase syscall names. Multiple syscalls can be passed as a comma-separated list.
Use any of the following flags to set the action for the specified syscalls:
- --kill or -k (the kernel kills the calling thread)
- --trap or -p (the calling thread receives SIGSYS)
- --errno or -e (the call fails and returns an errno)
- --trace or -c (the call is reported to a ptrace tracer)
- --allow or -a (the call proceeds normally)
You can also specify argument filters for a rule to apply to. The syntax, as used in the examples below, is syscall:index:value:valueTwo:op, where index is the zero-based position of the syscall argument, value and valueTwo are the comparison operands, and op is the comparison. OP must be any of the following:
- NE, LT, LE, EQ, GE, GT, or ME
ME is masked equality: the argument is ANDed with value and the result is compared with valueTwo. The other operators compare the argument against value only, so valueTwo is ignored for them.
Other flags:
- --remove specifies syscalls that you would like to remove from the default configuration. Syscalls not specified will take on the default action.
- --default specifies the default action for syscalls not explicitly specified.
- --arch specifies the supported architectures.
- --name specifies the name of the output file. The default is the current timestamp in the current directory.
- --name-force is the same as --name except that it overwrites an existing file of that name.
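The rule syntax and action flags above, worked through as an added example that is not Manhattan's own code: a small Go program that parses syscall:index:value:valueTwo:op rules, maps the flag names to libseccomp constants and emits a profile in the OCI runtime-spec seccomp JSON shape (defaultAction, architectures, syscalls). The architecture name table, the action and operator mappings and the exact output layout are this example's assumptions; Manhattan's own output is not shown on this page and, per the warning above, differs from the newer Docker profile format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Arg, Syscall and Profile follow the OCI runtime-spec seccomp JSON shape (assumed output layout).
type Arg struct {
	Index    uint   `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo"`
	Op       string `json:"op"`
}
type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
	Args   []Arg    `json:"args,omitempty"`
}
type Profile struct {
	DefaultAction string    `json:"defaultAction"`
	Architectures []string  `json:"architectures"`
	Syscalls      []Syscall `json:"syscalls"`
}

// Flag names on the left, libseccomp constants on the right (mapping assumed for this example).
var actions = map[string]string{"kill": "SCMP_ACT_KILL", "trap": "SCMP_ACT_TRAP",
	"errno": "SCMP_ACT_ERRNO", "trace": "SCMP_ACT_TRACE", "allow": "SCMP_ACT_ALLOW"}
var archs = map[string]string{"amd64": "SCMP_ARCH_X86_64", "x86": "SCMP_ARCH_X86", "arm": "SCMP_ARCH_ARM",
	"arm64": "SCMP_ARCH_AARCH64", "mips": "SCMP_ARCH_MIPS", "mips64": "SCMP_ARCH_MIPS64"}
// ME is masked equality, (arg & value) == valueTwo; the other operators compare against value only.
var ops = map[string]string{"NE": "SCMP_CMP_NE", "LT": "SCMP_CMP_LT", "LE": "SCMP_CMP_LE",
	"EQ": "SCMP_CMP_EQ", "GE": "SCMP_CMP_GE", "GT": "SCMP_CMP_GT", "ME": "SCMP_CMP_MASKED_EQ"}

// ParseRule parses "name" or "name:index:value:valueTwo:op" into one rule carrying the given SCMP_ACT_* action.
func ParseRule(spec, action string) (Syscall, error) {
	f := strings.Split(spec, ":")
	if f[0] == "" || f[0] != strings.ToLower(f[0]) {
		return Syscall{}, fmt.Errorf("syscall name must be non-empty lower case in %q", spec)
	}
	s := Syscall{Names: []string{f[0]}, Action: action}
	if len(f) == 1 {
		return s, nil // no argument filter: the rule matches every call of this syscall
	}
	if len(f) != 5 {
		return Syscall{}, fmt.Errorf("rule %q must be name or name:index:value:valueTwo:op", spec)
	}
	idx, errI := strconv.ParseUint(f[1], 10, 32)
	v1, err1 := strconv.ParseUint(f[2], 0, 64) // base 0 also accepts 0x... masks for ME
	v2, err2 := strconv.ParseUint(f[3], 0, 64)
	op, ok := ops[strings.ToUpper(f[4])]
	if errI != nil || idx > 5 || err1 != nil || err2 != nil || !ok { // Linux syscalls take at most six arguments
		return Syscall{}, fmt.Errorf("bad index, value or op in rule %q", spec)
	}
	s.Args = []Arg{{Index: uint(idx), Value: v1, ValueTwo: v2, Op: op}}
	return s, nil
}

// BuildProfile assembles a profile from a default action, a comma-separated arch list and one comma-separated rule list per action flag.
func BuildProfile(defaultAction, archList string, flags map[string]string) (Profile, error) {
	def, ok := actions[defaultAction]
	if !ok {
		return Profile{}, fmt.Errorf("unknown default action %q", defaultAction)
	}
	p := Profile{DefaultAction: def}
	for _, a := range strings.Split(archList, ",") {
		if archs[a] == "" {
			return Profile{}, fmt.Errorf("unsupported architecture %q", a)
		}
		p.Architectures = append(p.Architectures, archs[a])
	}
	for _, action := range []string{"kill", "trap", "errno", "trace", "allow"} { // fixed order so output is deterministic
		for _, spec := range strings.FieldsFunc(flags[action], func(r rune) bool { return r == ',' }) { // absent flag yields no specs
			rule, err := ParseRule(spec, actions[action])
			if err != nil {
				return Profile{}, err
			}
			p.Syscalls = append(p.Syscalls, rule)
		}
	}
	return p, nil
}

func main() {
	// Same as: --default errno --arch amd64 --kill clone:1:2:3:ME,getcwd:1:2:3:GE --allow fstat
	p, err := BuildProfile("errno", "amd64", map[string]string{"kill": "clone:1:2:3:ME,getcwd:1:2:3:GE", "allow": "fstat"})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(out))
}
```

Run it with go run to print the profile. The index check matters because a libseccomp condition on an argument slot above five is meaningless, and the parser refuses a rule with the wrong number of fields rather than guessing: a silently dropped filter would turn a narrow kill rule into a blanket one.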
Simply run go get against the repository and import it in your Go project.
Documentation for use as a library is coming soon.
manhattan --kill accept --name ~/jsonfiles/SeccompConfig
manhattan --input --name-force --kill clone:0:1:2:NE,getcwd
manhattan --kill=accept, manhattan --kill:accept and manhattan --kill accept are all equivalent.
manhattan --errno write,read --allow fstat
manhattan --remove clone
manhattan --default kill --remove clone
manhattan --trace clone:1:2:3:GT
manhattan --kill clone:1:2:3:ME,getcwd:1:2:3:GE
manhattan --arch mips,mips64,amd64