manhattan

command module
v0.0.0-...-75ef45b
Published: Jun 13, 2017 License: GPL-2.0 Imports: 7 Imported by: 0

README

Manhattan - Deprecated

The core packages of this tool have been moved over to opencontainers/runtime-tools which supports the latest version of the OCI runtime-spec. See documentation there.

A CLI tool/library for creating OCI seccomp JSON configurations.

Warning: At the moment, Manhattan does not support the new Docker seccomp format.

Why?

Manhattan is a tool that generates the seccomp JSON file OCI containers use to control which system calls are available to processes running within a container. The generated JSON files can be used by any OCI-compliant runtime, such as runc and Docker. You can pass them to docker on the command line as follows:

docker run -it --security-opt seccomp:Manhattan.json fedora bash

Usage:

Arguments are the lowercase names of syscalls. Pass several at once as a comma-separated list. Use any of the following flags to set the action for the specified syscalls:

--kill or -k

--trap or -p

--errno or -e

--trace or -c

--allow or -a

You can also specify parameters for rules to apply to. The syntax is as follows:

manhattan --ACTION SYSCALL:INDEX:VALUE1:VALUE2:OP

OP must be one of the following: NE, LT, LE, EQ, GE, GT, or ME.

--remove (-r) specifies syscalls that you would like to remove from the default configuration. Syscalls not specified will take on the default action.

--default (-d) specifies the default action for syscalls not explicitly specified.

--arch (-l) specifies supported architectures.

--name (-n) specifies the name of the output file. The default is the current timestamp in the current directory.

--name-force is the same as --name, except that it will overwrite an existing file with the specified name.
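The SYSCALL:INDEX:VALUE1:VALUE2:OP rule syntax described above can be parsed and validated as in the following added example, which is not Manhattan's own code. `ParseRules`, `Arg` and `Syscall` are hypothetical names; the output shape and the SCMP_ACT_*/SCMP_CMP_* constant names are assumed from the OCI runtime-spec seccomp section, and the 0-5 index bound reflects the six arguments a Linux syscall can take.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)
type Arg struct { // field names assumed from the OCI runtime-spec seccomp section
	Index    uint64 `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo"`
	Op       string `json:"op"`
}
type Syscall struct {
	Name   string `json:"name"`
	Action string `json:"action"`
	Args   []Arg  `json:"args,omitempty"`
}
var ops = map[string]string{"NE": "SCMP_CMP_NE", "LT": "SCMP_CMP_LT", "LE": "SCMP_CMP_LE",
	"EQ": "SCMP_CMP_EQ", "GE": "SCMP_CMP_GE", "GT": "SCMP_CMP_GT", "ME": "SCMP_CMP_MASKED_EQ"}

// ParseRules (hypothetical helper) parses a list such as "clone:0:1:2:NE,getcwd".
func ParseRules(action, list string) (out []Syscall, err error) {
	for _, item := range strings.Split(list, ",") {
		f := strings.Split(strings.TrimSpace(item), ":")
		if f[0] == "" || (len(f) != 1 && len(f) != 5) {
			return nil, fmt.Errorf("%q: want SYSCALL or SYSCALL:INDEX:VALUE1:VALUE2:OP", item)
		}
		sc := Syscall{Name: f[0], Action: "SCMP_ACT_" + strings.ToUpper(action)}
		if len(f) == 5 {
			idx, e1 := strconv.ParseUint(f[1], 10, 64)
			v1, e2 := strconv.ParseUint(f[2], 10, 64)
			v2, e3 := strconv.ParseUint(f[3], 10, 64)
			op, ok := ops[f[4]]
			if e1 != nil || e2 != nil || e3 != nil || !ok || idx > 5 { // syscalls take 6 args
				return nil, fmt.Errorf("%q: bad index (0-5), value or operator", item)
			}
			sc.Args = []Arg{{idx, v1, v2, op}}
		}
		out = append(out, sc)
	}
	return out, nil
}

func main() {
	rules, err := ParseRules("kill", "clone:0:1:2:NE,getcwd") // rule list from the README examples
	b, _ := json.MarshalIndent(rules, "", "  ")
	fmt.Println(string(b), err)
}
```

Rejecting a malformed rule at parse time matters here because a rule that is silently dropped leaves the syscall governed by the default action.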

Library

Simply run go get github.com/grantseltzer/manhattan/oci-seccomp-gen and import it in your Go project.

Documentation for use as a library coming soon.

Example usages:

manhattan --kill accept --name ~/jsonfiles/SeccompConfig

manhattan --input foo.bar --name-force foo.bar --kill clone:0:1:2:NE,getcwd

manhattan --kill=accept, manhattan --kill:accept and manhattan --kill accept are all equivalent

manhattan --errno write,read --allow fstat

manhattan --remove clone

manhattan --default kill --remove clone

manhattan --trace clone:1:2:3:GT

manhattan --kill clone:1:2:3:ME,getcwd:1:2:3:GE

manhattan --arch mips,mips64,amd64

Documentation

There is no documentation for this package.

Directories

Path Synopsis
Godeps
_workspace/src/github.com/Sirupsen/logrus
Package logrus is a structured logger for Go, completely API compatible with the standard library logger.
_workspace/src/github.com/urfave/cli
Package cli provides a minimal framework for creating and organizing command line Go applications.
