grantseltzer/Manhattan

Manhattan - Deprecated

The core packages of this tool have been moved over to opencontainers/runtime-tools which supports the latest version of the OCI runtime-spec. See documentation there.

A CLI tool/library for creating OCI seccomp json configurations.

Warning: At the moment, Manhattan does not support the new docker seccomp format


Manhattan is a tool used to generate the seccomp json file used by OCI containers to control the system calls available to processes running within a container. The generated json files can be used by any OCI compliant runtime like runc and docker. You can pass them at the command line to docker like the following:

docker run -it --security-opt seccomp:Manhattan.json fedora bash

Usage:

Arguments consist of all-lowercase syscall names. Multiple syscalls can be passed as a comma-separated list. Use any of the following flags to set actions for the specified syscalls:

--kill or -k

--trap or -p

--errno or -e

--trace or -c

--allow or -a

You can also specify parameters for rules to apply to. The syntax is as follows:

manhattan --ACTION SYSCALL:INDEX:VALUE1:VALUE2:OP

OP must be one of the following: NE, LT, LE, EQ, GE, GT, or ME.

--remove (-r) specifies syscalls that you would like to remove from the default configuration. Syscalls not specified will take on the default action.

--default (-d) specifies the default action for syscalls not explicitly specified.

--arch (-l) specifies supported architectures.

--name (-n) specifies the name of the output file. The default is the current timestamp in the current directory.

--name-force is the same as --name except that it will overwrite the output file if one already exists.

Library

Simply run go get github.com/grantseltzer/manhattan/oci-seccomp-gen and import it in your Go project.

Documentation for use as a library coming soon.

Example usages:

manhattan --kill accept --name ~/jsonfiles/SeccompConfig

manhattan --input foo.bar --name-force foo.bar --kill clone:0:1:2:NE,getcwd

manhattan --kill=accept, manhattan --kill:accept and manhattan --kill accept are all equivalent.

manhattan --errno write,read --allow fstat

manhattan --remove clone

manhattan --default kill --remove clone

manhattan --trace clone:1:2:3:GT

manhattan --kill clone:1:2:3:ME,getcwd:1:2:3:GE

manhattan --arch mips,mips64,amd64
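The rule syntax from the Usage section (SYSCALL:INDEX:VALUE1:VALUE2:OP, comma-separated lists per action flag, --default and --arch) and the example invocations above can be reproduced in a few dozen lines of Go. The following is an added example written for this page, not code from the Manhattan repository or from opencontainers/runtime-tools: it parses those tokens into the OCI runtime-spec seccomp JSON structure (defaultAction, architectures, syscalls with names/action/args) that runc and docker consume. Two mappings are assumptions rather than something the README states: the operator ME is taken to mean masked equality (SCMP_CMP_MASKED_EQ), and the --arch names are mapped to OCI SCMP_ARCH_* constants (amd64 to SCMP_ARCH_X86_64, and so on). Malformed tokens (wrong field count, unknown operator, non-numeric values) are rejected rather than silently producing a profile that filters less than intended.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Arg is one argument comparison in an OCI runtime-spec seccomp rule.
type Arg struct {
	Index    uint   `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo"`
	Op       string `json:"op"`
}

// Syscall is one rule: the syscall name(s), the action, and optional argument filters.
type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
	Args   []Arg    `json:"args,omitempty"`
}

// Seccomp is the top-level profile consumed by runc/docker via --security-opt seccomp:<file>.
type Seccomp struct {
	DefaultAction string    `json:"defaultAction"`
	Architectures []string  `json:"architectures,omitempty"`
	Syscalls      []Syscall `json:"syscalls"`
}

// actions maps the README's action flag names to OCI action constants.
var actions = map[string]string{
	"kill": "SCMP_ACT_KILL", "trap": "SCMP_ACT_TRAP", "errno": "SCMP_ACT_ERRNO",
	"trace": "SCMP_ACT_TRACE", "allow": "SCMP_ACT_ALLOW",
}

// ops maps the README's comparison operators to OCI constants.
// Assumption: ME stands for masked equality (SCMP_CMP_MASKED_EQ); the README does not define it.
var ops = map[string]string{
	"NE": "SCMP_CMP_NE", "LT": "SCMP_CMP_LT", "LE": "SCMP_CMP_LE", "EQ": "SCMP_CMP_EQ",
	"GE": "SCMP_CMP_GE", "GT": "SCMP_CMP_GT", "ME": "SCMP_CMP_MASKED_EQ",
}

// arches maps --arch names to OCI architecture constants (assumed mapping, not from the README).
var arches = map[string]string{
	"amd64": "SCMP_ARCH_X86_64", "x86": "SCMP_ARCH_X86", "arm": "SCMP_ARCH_ARM",
	"arm64": "SCMP_ARCH_AARCH64", "mips": "SCMP_ARCH_MIPS", "mips64": "SCMP_ARCH_MIPS64",
}

// ParseRule converts one token, either SYSCALL or SYSCALL:INDEX:VALUE1:VALUE2:OP,
// into a Syscall entry carrying the given action flag (kill, trap, errno, trace, allow).
func ParseRule(action, token string) (Syscall, error) {
	act, ok := actions[action]
	if !ok {
		return Syscall{}, fmt.Errorf("unknown action %q", action)
	}
	parts := strings.Split(strings.TrimSpace(token), ":")
	if parts[0] == "" {
		return Syscall{}, fmt.Errorf("empty syscall name in %q", token)
	}
	rule := Syscall{Names: []string{parts[0]}, Action: act}
	if len(parts) == 1 {
		return rule, nil // plain syscall name: action applies to every call of it
	}
	if len(parts) != 5 {
		return Syscall{}, fmt.Errorf("rule %q must be SYSCALL:INDEX:VALUE1:VALUE2:OP", token)
	}
	idx, err1 := strconv.ParseUint(parts[1], 10, 32)
	v1, err2 := strconv.ParseUint(parts[2], 10, 64)
	v2, err3 := strconv.ParseUint(parts[3], 10, 64)
	if err1 != nil || err2 != nil || err3 != nil {
		return Syscall{}, fmt.Errorf("non-numeric index or value in %q", token)
	}
	op, ok := ops[parts[4]]
	if !ok {
		return Syscall{}, fmt.Errorf("unknown operator %q in %q", parts[4], token)
	}
	rule.Args = []Arg{{Index: uint(idx), Value: v1, ValueTwo: v2, Op: op}}
	return rule, nil
}

// BuildProfile assembles a profile from the --default action, the --arch list and a map of
// action flag -> comma-separated syscall tokens, e.g. {"kill": "clone:0:1:2:NE,getcwd"}.
func BuildProfile(defaultAction, archList string, rules map[string]string) (Seccomp, error) {
	def, ok := actions[defaultAction]
	if !ok {
		return Seccomp{}, fmt.Errorf("unknown default action %q", defaultAction)
	}
	prof := Seccomp{DefaultAction: def}
	for _, a := range strings.Split(archList, ",") {
		if a == "" {
			continue
		}
		oci, ok := arches[a]
		if !ok {
			return Seccomp{}, fmt.Errorf("unknown architecture %q", a)
		}
		prof.Architectures = append(prof.Architectures, oci)
	}
	// Fixed flag order so the generated JSON is stable across runs.
	for _, action := range []string{"kill", "trap", "errno", "trace", "allow"} {
		list, present := rules[action]
		if !present {
			continue
		}
		for _, tok := range strings.Split(list, ",") {
			rule, err := ParseRule(action, tok)
			if err != nil {
				return Seccomp{}, err
			}
			prof.Syscalls = append(prof.Syscalls, rule)
		}
	}
	return prof, nil
}

func main() {
	// Equivalent of: manhattan --default errno --arch amd64 --kill clone:0:1:2:NE,getcwd --allow fstat
	prof, err := BuildProfile("errno", "amd64", map[string]string{"kill": "clone:0:1:2:NE,getcwd", "allow": "fstat"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(prof, "", "  ")
	fmt.Println(string(out))
}
```

Note that a syscall not named by any flag falls through to defaultAction, exactly as the --default flag describes, so a typo in a syscall name silently widens or narrows the filter; the strict parsing above catches malformed rule tokens but cannot catch a misspelled syscall name, which is worth checking against the kernel's syscall table before shipping a profile.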
